Closed c-sh0 closed 2 years ago
thanks again @c-sh0 for sharing this, I've updated the CVE template a bit using a request condition to avoid cases where the server returns back everything included in the request; using req-condition we can map the matcher to a specific response.
Hmm, yeah. So the fix for that CVE was that they changed the response header to text/plain, so even though the payload will still be there, it won't render, vs. the text/html response header when requesting data on a vulnerable server (that has an tag in the data) using the "?raw" param. Also, I didn't go for the alert() script tags because my line of thinking was to avoid triggering any WAFs :)
As an example: this version 1.9.15 is not vulnerable (note the Content-Type header):

```
curl -v 'http://192.168.1.229:8500/v1/kv/25Fb8mswQp1N2fEf9TO3mvRFGUm?raw'
* About to connect() to 192.168.1.229 port 8500 (#0)
*   Trying 192.168.1.229...
* Connected to 192.168.1.229 (192.168.1.229) port 8500 (#0)
> GET /v1/kv/25Fb8mswQp1N2fEf9TO3mvRFGUm?raw HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.1.229:8500
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 54
< Content-Security-Policy: sandbox
< Content-Type: text/plain
< Vary: Accept-Encoding
< X-Consul-Default-Acl-Policy: allow
< X-Consul-Index: 15
< X-Consul-Knownleader: true
< X-Consul-Lastcontact: 0
< X-Content-Type-Options: nosniff
< Date: Thu, 17 Feb 2022 19:31:09 GMT
<
* Connection #0 to host 192.168.1.229 left intact
<!DOCTYPE html>
```
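As an added example (not code from this thread or from the nuclei templates it links), a small Python check that parses a raw HTTP response like the transcript above, reports which of the three defensive headers (text/plain, nosniff, CSP sandbox) a Consul `?raw` reply carries, and implements a matcher in the spirit of the req-condition change: it only fires on the GET `?raw` response, never on an echo of the PUT request. The two sample responses are constructed for the example.

```python
from email.parser import Parser  # stdlib; gives case-insensitive header lookup

# Constructed samples modelled on the curl transcript above (not copied from it).
# A patched Consul serves ?raw values as text/plain with nosniff and CSP sandbox.
PATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: sandbox\r\n"
    "Content-Type: text/plain\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<!DOCTYPE html><b>stored value</b>"
)
# An unpatched one returns the same body but lets the browser treat it as HTML.
UNPATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<!DOCTYPE html><b>stored value</b>"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, _, header_block = head.partition("\r\n")
    return status, Parser().parsestr(header_block), body

def mitigations(raw):
    """Report which of the three defensive headers the response carries."""
    _, headers, _ = parse_response(raw)
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    csp_directives = [d.strip().split(" ")[0].lower()
                      for d in headers.get("Content-Security-Policy", "").split(";")]
    return {
        "plain_text": ctype == "text/plain",
        "nosniff": headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff",
        "sandboxed": "sandbox" in csp_directives,
    }

def renders_as_html(raw):
    """True when a browser would render the ?raw body as a document: either the
    server says text/html, or it sends no type and does not forbid sniffing."""
    _, headers, _ = parse_response(raw)
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype == "text/html" or (ctype == "" and not mitigations(raw)["nosniff"])

def stored_value_matches(responses, marker):
    """Match only on the second response (the GET ?raw), like req-condition,
    so a PUT that echoes the request body back can never produce a hit."""
    if len(responses) < 2:
        return False
    get_resp = responses[1]
    return marker in parse_response(get_resp)[2] and renders_as_html(get_resp)
```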
right on. :)
Template Information:
These were tested against Consul Versions: 0.8.4, 1.4.0, 1.4.3, 1.8.3, 1.9.15
Nuclei Templates:
https://github.com/c-sh0/nuclei_templates/tree/main/consul
Sample run (no acl, v1.8.3)
Sample run (deny all acl, v1.8.3)