From 63cfa344bdcca1b3caf5ab5e5df61febca245cc3 Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Thu, 19 Nov 2020 00:21:07 +0700
Subject: [PATCH] :fire: Add CVE-2020-16846
---
cves/CVE-2020-16846.yaml | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 cves/CVE-2020-16846.yaml
diff --git a/cves/CVE-2020-16846.yaml b/cves/CVE-2020-16846.yaml
new file mode 100644
index 0000000000..ad4d777912
--- /dev/null
+++ b/cves/CVE-2020-16846.yaml
@@ -0,0 +1,37 @@
+id: cve-2020-16846
+
+info:
+ name: SaltStack Shell Injection
+ author: dwisiswant0
+ severity: critical
+ description: |
+ SaltStack Salt through 3002. Sending crafted web requests to the Salt API,
+ with the SSH client enabled, can result in shell injection.
+
+ This template supports the detection part only. See references.
+
+ References:
+ - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
+ - https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/run"
+ - "{{BaseURL}}:8000/run"
+ body: "token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei"
+ headers:
+ Content-Type: application/x-www-form-urlencoded # CherryPy will abort w/o define this header
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 500
+ - type: word
+ words:
+ - "application/json"
+ part: header
+ - type: word
+ words:
+ - "An unexpected error occurred"
+ part: body
\ No newline at end of file
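Review bot: The three matchers (status `500`, `application/json` in the header, `An unexpected error occurred` in the body) only show that the `/run` endpoint returned an error response, which looks generic rather than specific to the `ssh_priv` handling, so a match should be read as "needs confirmation" and not as proof of CVE-2020-16846. I would state that in the template, for example with a comment above `matchers:` such as `# generic 500 error response; confirm the installed Salt version before reporting`, and add the vendor advisory to the references so triage has a fixed version to check against. Separately, `{{BaseURL}}:8000/run` probably produces a malformed URL when the input URL already carries a port. Because the description says the request reaches the SSH client on affected hosts, it is also worth confirming that the probe leaves nothing behind on the target before the template is run broadly.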