From b841bdeb0c01e66656a8ad695d2bf6ff5f7ee1db Mon Sep 17 00:00:00 2001
From: me_dheeraj <9442273+Dheerajmadhukar@users.noreply.github.com>
Date: Sun, 27 Dec 2020 00:50:25 +0530
Subject: [PATCH 1/3] Create aem-groovyconsole.yaml
---
 .../aem-groovyconsole.yaml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 security-misconfiguration/aem-groovyconsole.yaml
diff --git a/security-misconfiguration/aem-groovyconsole.yaml b/security-misconfiguration/aem-groovyconsole.yaml
new file mode 100644
index 0000000000..057d02b4a2
--- /dev/null
+++ b/security-misconfiguration/aem-groovyconsole.yaml
@@ -0,0 +1,29 @@
+id: aem-groovyconsole
+
+info:
+ name: AEM Groovy console enabled
+ author: twitter.com/Dheerajmadhukar
+ severity: critical
+ description: Groovy console is exposed, RCE is possible.
+ reference: https://hackerone.com/reports/672243
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/groovyconsole"
+ headers:
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+ Accept-Encoding: gzip, deflate
+ Accept-Language: en-US,en;q=0.9,hi;q=0.8
+ User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Groovy Console"
+ - "Run Script"
+ - "Groovy Web Console"
+ part: body
+ - type: status
+ status:
+ - 200
+ part: header
From f0277f8626cdb56c8e8ebbf9b334d8c4366f6b1d Mon Sep 17 00:00:00 2001
From: team-projectdiscovery <8293321+bauthard@users.noreply.github.com>
Date: Mon, 28 Dec 2020 16:04:12 +0530
Subject: [PATCH 2/3] Update aem-groovyconsole.yaml
---
 security-misconfiguration/aem-groovyconsole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security-misconfiguration/aem-groovyconsole.yaml b/security-misconfiguration/aem-groovyconsole.yaml
index 057d02b4a2..8c54f39329 100644
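Review bot: In [PATCH 1/3] the `headers:` block of the new request pins a browser `Accept`, `Accept-Encoding: gzip, deflate`, `Accept-Language` and a mobile Chrome `User-Agent`, and nothing in the matchers depends on any of them. An explicitly set `Accept-Encoding` can leave the response body compressed when the HTTP client only decompresses transparently if it set that header itself, in which case the `part: body` word matcher would miss an exposed console; whether that applies depends on the engine version, so it should be checked. Unless the target was observed to require these headers, I would delete the block, or failing that add a comment above it such as `# required because <reason>`. The template also only proves that the page renders with a 200, so the description would be more accurate as `description: Groovy console page is reachable; script execution must be confirmed manually.`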
--- a/security-misconfiguration/aem-groovyconsole.yaml +++ b/security-misconfiguration/aem-groovyconsole.yaml @@ -1,7 +1,7 @@ id: aem-groovyconsole info: - name: AEM Groovy console enabled + name: AEM Groovy console enabled author: twitter.com/Dheerajmadhukar severity: critical description: Groovy console is exposed, RCE is possible. From 8308dd6980fbe983e4abb7637f1dcc0e1efa1d42 Mon Sep 17 00:00:00 2001 From: team-projectdiscovery <8293321+bauthard@users.noreply.github.com> Date: Mon, 28 Dec 2020 20:09:15 +0530 Subject: [PATCH 3/3] Update aem-groovyconsole.yaml --- security-misconfiguration/aem-groovyconsole.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security-misconfiguration/aem-groovyconsole.yaml b/security-misconfiguration/aem-groovyconsole.yaml index 8c54f39329..dfcbf4c4a6 100644 --- a/security-misconfiguration/aem-groovyconsole.yaml +++ b/security-misconfiguration/aem-groovyconsole.yaml @@ -6,6 +6,7 @@ info: severity: critical description: Groovy console is exposed, RCE is possible. reference: https://hackerone.com/reports/672243 + requests: - method: GET path: @@ -15,6 +16,7 @@ requests: Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,hi;q=0.8 User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36 + matchers-condition: and matchers: - type: word @@ -23,7 +25,7 @@ requests: - "Run Script" - "Groovy Web Console" part: body + condition: and - type: status status: - - 200 - part: header + - 200 \ No newline at end of file
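Review bot: With `condition: and` added to the word matcher in the last hunk of [PATCH 3/3], a response must now contain all three of `Groovy Console`, `Run Script` and `Groovy Web Console`, and the first and third are different titles (neither is a substring of the other). If a console build renders only one of those titles the template reports nothing, so an exposed console goes undetected; I cannot tell from the diff which page the strings were taken from. A comment above the list, for example `# all three strings appear on the console page of <version checked>`, would record that, and if it cannot be confirmed I would keep only one title together with `Run Script`. The file also now ends without a trailing newline (`\ No newline at end of file`); ending it with one keeps later diffs clean. The `matchers:` mapping starts above this hunk.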