Merge pull request #623 from dwisiswant0/add/CVE-2020-16846

Add CVE-2020-16846
2020-11-19 00:39:33 +05:30 · 2020-11-19 00:39:33 +05:30 · 7d41f99f4e
parent 5bd7f829ab 63cfa344bd
commit 7d41f99f4e
1 changed files with 37 additions and 0 deletions
--- a/cves/CVE-2020-16846.yaml
+++ b/cves/CVE-2020-16846.yaml
@ -0,0 +1,37 @@
+id: cve-2020-16846
+
+info:
+  name: SaltStack Shell Injection
+  author: dwisiswant0
+  severity: critical
+  description: |
+    SaltStack Salt through 3002. Sending crafted web requests to the Salt API,
+    with the SSH client enabled, can result in shell injection.
+
+    This template supports the detection part only. See references.
+
+    References:
+    - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
+    - https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/run"
+      - "{{BaseURL}}:8000/run"
+    body: "token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei"
+    headers:
+      Content-Type: application/x-www-form-urlencoded # CherryPy will abort w/o define this header
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 500
+      - type: word
+        words:
+          - "application/json"
+        part: header
+      - type: word
+        words:
+          - "An unexpected error occurred"
+        part: body