Transfer encoding #3947

Merged: 5 commits, Aug 5, 2023
Conversation

cn-kali-team
Contributor

Proposed changes

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

vulhub

Bug

  • Since version v2.8.8, non-raw requests have changed to chunked mode because there is no Content-Length during dump
  • In version: v2.8.8

https://github.com/projectdiscovery/nuclei/pull/3211/files#diff-406acec0d9ef75a55d3082aa029364dc3ac32d2378d505af65de456fb85e098e

Yaml file

id: CVE-2020-16846

info:
  name: SaltStack <=3002 - Shell Injection
  author: dwisiswant0
  severity: critical
  description: SaltStack Salt through 3002 allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt-API using the SSH client.
  reference:
    - https://saltproject.io/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
    - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
    - https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
    - https://nvd.nist.gov/vuln/detail/CVE-2020-16846
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-16846
    cwe-id: CWE-78
  tags: vulhub,cve,cve2020,saltstack,kev

requests:
  - method: POST
    path:
      - "{{BaseURL}}/run"
    body: "token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei"
    headers:
      Content-Type: application/x-www-form-urlencoded # CherryPy will abort without this header
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: word
        words:
          - "application/json"
        part: header
      - type: word
        words:
          - "An unexpected error occurred"
        part: body

# Enhanced by mp on 2022/04/27
  • Latest version testing
~ nuclei -duc -t nuclei-templates/http/cves/2020/CVE-2020-16846.yaml -u https://127.0.0.1:8000/ -debug-req -debug                     
                                                                                                                                         
                     __     _                                                                                                            
   ____  __  _______/ /__  (_)                                                                                                           
  / __ \/ / / / ___/ / _ \/ /                                                                                                            
 / / / / /_/ / /__/ /  __/ /                                                                                                             
/_/ /_/\__,_/\___/_/\___/_/   v2.9.9                                                                                                     
                                                                                                                                         
                projectdiscovery.io                                                                                                      
                                                                                                                                         
[INF] Current nuclei version: v2.9.9 (outdated)                                                                                          
[INF] Current nuclei-templates version: v9.5.2 (outdated)                                                                                
[INF] New templates added in latest release: 50                                                                                          
[INF] Templates loaded for current scan: 1                                                                                               
[INF] Targets loaded for current scan: 1                                                                                                 
[INF] [CVE-2020-16846] Dumped HTTP request for https://127.0.0.1:8000/run                                                                
                                                                                                                                         
POST /run HTTP/1.1                                                                                                                       
Host: 127.0.0.1:8000                                                                                                                     
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36                  
Connection: close                                                                                                                        
Transfer-Encoding: chunked
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
                                                                                                                                         
49                                                                                                                                       
token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei                                                                
0

[DBG] [CVE-2020-16846] Dumped HTTP response https://127.0.0.1:8000/run

HTTP/1.1 400 Bad Request
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: GET, POST
Allow: GET, HEAD, POST
Content-Type: text/html;charset=utf-8
Date: Tue, 18 Jul 2023 13:01:12 GMT
Server: CherryPy/18.6.0
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>400 Bad Request</title> 
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>400 Bad Request</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>400 Bad Request</h2>
        <p>Lowstates must be a list</p>
        <pre id="traceback"></pre>
    <div id="powered_by">
      <span>
        Powered by <a href="http://www.cherrypy.org">CherryPy 18.6.0</a>
      </span>
    </div>
    </body>
</html>
[INF] No results found. Better luck next time!

  • You can see that there are new additions
POST /run HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36
Connection: close
+ Transfer-Encoding: chunked
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
- Content-Length: 73

+ 49
token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei
+ 0

v2.8.7

~ ./nuclei -duc -t v.yaml -u https://127.0.0.1:8000/ -debug-req -debug                                                                
                                                                                                                                         
                     __     _                                                                                                            
   ____  __  _______/ /__  (_)                                                                                                           
  / __ \/ / / / ___/ / _ \/ /                                                                                                            
 / / / / /_/ / /__/ /  __/ /                                                                                                             
/_/ /_/\__,_/\___/_/\___/_/   v2.8.7                                                                                                     
                                                                                                                                         
                projectdiscovery.io                                                                                                      
                                                                                                                                         
[INF] Using Nuclei Engine 2.8.7 (outdated)                                                                                               
[INF] Using Nuclei Templates v9.5.2 (outdated)                                                                                           
[INF] Templates added in last update: 50                                                                                                 
[INF] Templates loaded for scan: 1                                                                                                       
[INF] Targets loaded for scan: 1                                                                                                         
[INF] [CVE-2020-16846] Dumped HTTP request for https://127.0.0.1:8000/run                                                                
                                                                                                                                         
POST /run HTTP/1.1                                                                                                                       
Host: 127.0.0.1:8000                                                                                                                     
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36               
Connection: close
Content-Length: 73
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei
[DBG] [CVE-2020-16846] Dumped HTTP response https://127.0.0.1:8000/run

HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 57
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: GET, POST
Allow: GET, HEAD, POST
Content-Type: application/json
Date: Tue, 18 Jul 2023 13:41:45 GMT
Server: CherryPy/18.6.0
Vary: Accept-Encoding

{"status": 500, "return": "An unexpected error occurred"}
[CVE-2020-16846:status-1] [http] [critical] https://127.0.0.1:8000/run
[CVE-2020-16846:word-2] [http] [critical] https://127.0.0.1:8000/run
[CVE-2020-16846:word-3] [http] [critical] https://127.0.0.1:8000/run
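
To show why the framing flips between the two dumps above, here is an added Go example (not code from nuclei or retryablehttp-go) using only net/http: a request body whose length net/http cannot see is written with Transfer-Encoding: chunked and the 49 (hex, 73 bytes) chunk size from the v2.9.9 dump, while a body of known length, or one first buffered by the assumed bufferBody helper, goes out with Content-Length: 73 as in the v2.8.7 dump. The target URL is a placeholder and the helper names are assumptions.

```go
package main

import (
	"bytes"
	"io"
	"net/http"
	"net/http/httputil"
)

// Body from the template above: 73 bytes, which is the "49" chunk size in the dump.
const formBody = "token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei"

// buildRequest builds the POST /run request (placeholder target URL, assumed).
// net/http only knows the length of *bytes.Reader, *bytes.Buffer and
// *strings.Reader bodies; any other io.Reader leaves req.ContentLength at 0,
// which the transport treats as unknown and sends as Transfer-Encoding: chunked.
func buildRequest(body io.Reader) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, "http://127.0.0.1:8000/run", body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// bufferBody (assumed helper) reads an unknown-length body into memory and
// records its size, so the same request goes out with Content-Length instead.
func bufferBody(req *http.Request) error {
	if req.Body == nil || req.ContentLength > 0 {
		return nil
	}
	data, err := io.ReadAll(req.Body)
	if err != nil {
		return err
	}
	req.Body = io.NopCloser(bytes.NewReader(data))
	req.ContentLength = int64(len(data))
	return nil
}

// wireDump returns the request exactly as the transport would write it:
// DumpRequestOut runs the real transfer writer over an in-memory connection,
// so nothing is sent on the network.
func wireDump(req *http.Request) (string, error) {
	raw, err := httputil.DumpRequestOut(req, true)
	return string(raw), err
}
```

Checking the dump for "Content-Length:" versus "Transfer-Encoding: chunked" before sending is the cheapest way to catch this regression in a template runner.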

@Mzack9999
Member

Mzack9999 commented Jul 31, 2023

The aesthetic change has been implemented in retryablehttp via projectdiscovery/retryablehttp-go#106 and will be indirectly fixed in the next retryablehttp-go release.
Output for testing with projectdiscovery/retryablehttp-go@e7bced1

$ go run . -duc -t test.yaml -u http://127.0.0.1:8000/ -debug-req -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.9

                projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v2.9.9 (outdated)
[INF] Current nuclei-templates version: v9.6.0 (latest)
[INF] New templates added in latest release: 33
[INF] Templates loaded for current scan: 1
[INF] Targets loaded for current scan: 1
[INF] [CVE-2020-16846] Dumped HTTP request for http://127.0.0.1:8000/run

POST /run HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 73
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

token=1337&client=ssh&tgt=*&fun=a&roster=projectdiscovery&ssh_priv=nuclei

@Mzack9999 Mzack9999 requested review from ehsandeep and removed request for Mzack9999 July 31, 2023 10:13
@tarunKoyalwar tarunKoyalwar deleted the branch projectdiscovery:dev August 4, 2023 14:51
@tarunKoyalwar tarunKoyalwar reopened this Aug 4, 2023
@ehsandeep ehsandeep reopened this Aug 5, 2023
@ehsandeep ehsandeep merged commit edd96f9 into projectdiscovery:dev Aug 5, 2023
7 checks passed
@ehsandeep
Member

Thank you @cn-kali-team for pointing this out.

@ehsandeep ehsandeep added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Aug 8, 2023
Successfully merging this pull request may close these issues.

All 'method: POST' templates using 'Transfer-Encoding: chunked' header
4 participants