id: CVE-2020-16846

info:
  name: SaltStack Shell Injection
  author: dwisiswant0
  severity: critical
  description: |
    SaltStack Salt through 3002. Sending crafted web requests to the Salt API,
    with the SSH client enabled, can result in shell injection.

    This template supports the detection part only. See references.
  reference:
    - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
    - https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
  tags: cve,cve2020,saltstack

requests:
  - method: POST
    path:
      - "{{BaseURL}}/run"
    body: "token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei"
    headers:
      Content-Type: application/x-www-form-urlencoded # CherryPy will abort w/o define this header
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: word
        words:
          - "application/json"
        part: header
      - type: word
        words:
          - "An unexpected error occurred"
        part: body