id: CVE-2020-16846 info: name: SaltStack Shell Injection author: dwisiswant0 severity: critical description: | SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. This template supports the detection part only. See references. reference: | - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag - https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846 tags: cve,cve2020,saltstack requests: - method: POST path: - "{{BaseURL}}/run" body: "token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei" headers: Content-Type: application/x-www-form-urlencoded # CherryPy will abort w/o define this header matchers-condition: and matchers: - type: status status: - 500 - type: word words: - "application/json" part: header - type: word words: - "An unexpected error occurred" part: body