google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

Additional RCE payloads for Tsunami scanner payload generator #379

Open dawidg-doyen opened 10 months ago

dawidg-doyen commented 10 months ago

Hi Tsunami Team,

I submitted the following PR: Additional RCE payloads for Tsunami scanner payload generator

It adds 4 additional RCE payloads to the Tsunami scanner payload generator:

linux_root_crontab - Triggers RCE via crontab. It's for Arbitrary File Write with root privilege vulnerabilities. The generated payload must be written into the /etc/cron.d directory, e.g. /etc/cron.d/tsunami_rce_cron

linux_curl_trace_read - A curl --trace payload for blind RCE detection, for cases when an attacker is able to read files (Arbitrary File Read) after a blind RCE. See the Selenium Grid RCE detector for an example of such a vulnerability. This payload saves an RCE detection string in the /tmp/tsunami-rce file, which can then be read via the additional Arbitrary File Read vuln in order to confirm that the curl command executed successfully, via payload.checkIfExecuted(traceFileContents).

windows_callback - Confirms RCE by opening the callback URL with PowerShell and the Invoke-WebRequest command on Windows systems. It's an equivalent of the linux_callback payload for Linux.

windows_echo - Confirms reflected RCE by printing an RCE detection string with a random value using PowerShell and echo on Windows systems. It's an equivalent of the linux_printf payload for Linux.

More details, including Docker testbeds and code examples, can be found within the PR linked above.

Best Regards, Dawid Golunski

tooryx commented 9 months ago

Hi @dawidg-doyen,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.

Thanks!