search

CsEnox / CVE-2021-22911

Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1
54 stars 8 forks source link

For RocketChat v3.2.2: Class "Script" not in Trigger rce #3

Open MisterVermont13 opened 2 years ago

MisterVermont13 commented 2 years ago

Here is the response I get from the terminal after running the exploit:

{"success":false}

The integration appears in the integrations list in my admin panel.

This appears in the admin log:

server.js:204 Integrations ➔ Incoming WebHook.error [Class "Script" not in Trigger rce ]

Is there a way to get this working for earlier versions of RocketChat? (I tried connecting over Discord as well.)

CsEnox commented 2 years ago

Haven't tried the exploit for earlier versions so not sure. Also have no clue about the error in admin log