
Add JSP payload for Reflective RCE #127

Closed. Wants to merge 2 commits.

Conversation

LeonardoE95 (Contributor)

Hi there,

While developing the detector for CVE-2017-12617, an RCE vulnerability in Apache Tomcat that works by uploading a JSP file, I saw that there was no JSP payload supported.

This PR adds to the payloads definition a simple JSP payload for reflective RCE. Specifically, the new payload prints a string following the structure of similar payloads already existing in the code.

```yaml
validation_type: VALIDATION_REGEX
validation_regex: (?s).*TSUNAMI_PAYLOAD_START$TSUNAMI_PAYLOAD_TOKEN_RANDOMTSUNAMI_PAYLOAD_END.*
vulnerability_type:
- REFLECTIVE_RCE
```
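The payload and validation pair described above, as an added illustration that is not part of this PR or of the Tsunami code base: the scanner side substitutes one random token into both the JSP template and the regex template, uploads the JSP, and accepts a response only if the server returns the concatenated marker string. The JSP template text, the `executing_server` / `echoing_server` stand-ins and the token format are assumptions made for the example; the PR only states that the payload prints a string with this marker structure.

```python
import re
import secrets

# Marker placeholder and the validation regex template, taken from the PR description.
TOKEN_PLACEHOLDER = "$TSUNAMI_PAYLOAD_TOKEN_RANDOM"
VALIDATION_REGEX_TEMPLATE = (
    r"(?s).*TSUNAMI_PAYLOAD_START$TSUNAMI_PAYLOAD_TOKEN_RANDOMTSUNAMI_PAYLOAD_END.*"
)

# Hypothetical JSP payload template (an assumption, not the PR's actual file).
# Markers and token are separate literals, so the JSP source itself never
# contains the final concatenated string; only executing it produces that.
JSP_PAYLOAD_TEMPLATE = (
    '<%= "TSUNAMI_PAYLOAD_START" + "$TSUNAMI_PAYLOAD_TOKEN_RANDOM" + "TSUNAMI_PAYLOAD_END" %>'
)


def generate_token() -> str:
    """Per-scan random token; hex keeps it free of regex metacharacters."""
    return secrets.token_hex(8)


def build_payload(token: str) -> str:
    """Substitute the random token into the JSP template before upload."""
    return JSP_PAYLOAD_TEMPLATE.replace(TOKEN_PLACEHOLDER, token)


def build_validator(token: str) -> re.Pattern:
    """Substitute the same token into the regex template, then compile it.

    Substitution must happen before compiling: left as-is, the '$' in the
    placeholder is read as an end-of-input anchor and nothing can match.
    """
    pattern = VALIDATION_REGEX_TEMPLATE.replace(TOKEN_PLACEHOLDER, re.escape(token))
    return re.compile(pattern)


def validate_response(body: str, token: str) -> bool:
    """Whole-body match, mirroring the leading and trailing '.*' in the template."""
    return build_validator(token).fullmatch(body) is not None


# Constructed stand-ins for two server behaviours; neither is Tomcat.
def executing_server(jsp_source: str) -> str:
    """Evaluates a single '<%= "a" + "b" + ... %>' expression and wraps it in HTML."""
    m = re.fullmatch(r"\s*<%=\s*(.*?)\s*%>\s*", jsp_source, re.S)
    if m is None:
        raise ValueError("unsupported JSP in this toy evaluator")
    literals = re.findall(r'"([^"]*)"', m.group(1))
    return "<html>\n<body>\n" + "".join(literals) + "\n</body>\n</html>\n"


def echoing_server(jsp_source: str) -> str:
    """Stores the upload but serves it back as text, i.e. no code execution."""
    return "<html>\n<body>\n<pre>" + jsp_source + "</pre>\n</body>\n</html>\n"


def classify(token: str) -> dict:
    """Run both servers and report which responses the validator accepts."""
    payload = build_payload(token)
    return {
        # Executed JSP: markers and token come back as one contiguous string.
        "executed": validate_response(executing_server(payload), token),
        # Upload reflected as source: literals are still separated by ' + '.
        "echoed": validate_response(echoing_server(payload), token),
        # Output produced with a different token (e.g. a stale upload from an
        # earlier scan) must not be accepted either.
        "stale_token": validate_response(executing_server(build_payload("0" * 16)), token),
    }


if __name__ == "__main__":
    print(classify(generate_token()))
```

The `echoed` case is the one worth keeping in mind when writing the detector: a server that accepts the PUT but serves the JSP back unexecuted contains every marker, yet fails the regex, because the concatenation only exists after execution. The `(?s)` flag is what lets the surrounding HTML and newlines sit inside the leading and trailing `.*`.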
Collaborator

nit: add a Terminating Newline at the end of the file.

Collaborator

Once this PR is merged, could you rebase google/tsunami-security-scanner-plugins#566?

LeonardoE95 (Contributor, author)

> nit: add a Terminating Newline at the end of the file.

Thanks, Newline added.

LeonardoE95 (Contributor, author), Dec 12, 2024

> Once this PR is merged, could you rebase google/tsunami-security-scanner-plugins#566?

Is this related to the fact that the detector uses the newly added JSP payload config in the scanner?

Currently the build file of the detector picks up the latest published version of the scanner. This leads to failed builds, since the last published version does not have the JSP payload config.

To sync up the detector with the newly added JSP config in the scanner, I believe it is necessary either to create a new release in the official repo (this one), or to create a local build of the scanner and change the build file to point to the local version.

copybara-service bot pushed a commit that referenced this pull request Dec 11, 2024
--
ce33b31 by LeonardoE95 <leonardo.tamiano@mindedsecurity.com>:

Add JSP payload for Reflective RCE

--
4b6b849 by LeonardoE95 <leonardotamiano95@gmail.com>:

Fix: Add newline
COPYBARA_INTEGRATE_REVIEW=#127 from mindedsecurity:master 4b6b849
PiperOrigin-RevId: 705246572
Change-Id: I1661382d3a82855365bc8d253598dd2757a078e0
maoning (Collaborator) commented Dec 12, 2024

This has been merged as commit: 6f0a8dc

maoning closed this Dec 12, 2024