Update web_cve_2021_26084_confluence_rce_exploit.yml

2021-09-01 15:51:35 +07:00
parent 6bb6c8037f
commit c30a458535
1 changed files with 9 additions and 2 deletions
@@ -2,7 +2,7 @@ title: Atlassian Confluence RCE Exploit CVE-2021-26084
 id: 38825179-3c78-4fed-b222-2e2166b926b1
 description: Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
 status: experimental
-reference:
+references:
    - https://twitter.com/wvuuuuuuuuuuuuu/status/1432918959389614083
    - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
@@ -21,7 +21,14 @@ detection:
           - '/doenterpagevariables.action'
           - 'queryString='
           - 'u0027'
-    condition: selection_exploit and keywords
+    selection_req:
+        cs-method: 'POST'
+        sc-status: '200'
+        c-uri|contains|all:
+        - '/doenterpagevariables.action'
+    keywords:
+        - 'u0027'
+    condition: selection_exploit or (selection_req and keywords)
 fields:
    - c-ip
    - c-uri