alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JEPaaS Development Platform File Upload Authentication Bypass"; flow:established,to_server; urilen:32; http.method; content:"POST"; http.uri; content:"|2f|je|2f|document|2f|file|3f|bucket|3d|webroot"; fast_pattern; http.header; content:"|0d 0a|internalRequestKey|3a 20|schedule|5f|"; http.request_body; content:"name=|22|"; content:"filename="; reference:url,github.com/wy876/POC/blob/main/%E7%94%B5%E4%BF%A1%E7%BD%91%E5%85%B3%E9%85%8D%E7%BD%AE%E7%AE%A1%E7%90%86%E5%90%8E%E5%8F%B0rewrite.php%E6%8E%A5%E5%8F%A3%E5%AD%98%E5%9C%A8%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md; classtype:attempted-admin; sid:2053447; rev:1; metadata:created_at 2024_06_11, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)