nuclei-templates/cves/CVE-2020-16846.yaml

37 lines
1.0 KiB
YAML

id: cve-2020-16846
info:
name: SaltStack Shell Injection
author: dwisiswant0
severity: critical
description: |
SaltStack Salt through 3002. Sending crafted web requests to the Salt API,
with the SSH client enabled, can result in shell injection.
This template supports the detection part only. See references.
References:
- https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
- https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
requests:
- method: POST
path:
- "{{BaseURL}}/run"
- "{{BaseURL}}:8000/run"
body: "token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei"
headers:
Content-Type: application/x-www-form-urlencoded # CherryPy will abort w/o define this header
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
words:
- "application/json"
part: header
- type: word
words:
- "An unexpected error occurred"
part: body