🔥 Update methods & matchers for CVE-2020-16952

2020-10-15 17:27:52 +07:00 · 2020-10-15 17:27:52 +07:00 · 31c8d723c1
parent a154e9ea7d
commit 31c8d723c1
1 changed files with 16 additions and 7 deletions
--- a/cves/CVE-2020-16952.yaml
+++ b/cves/CVE-2020-16952.yaml
@ -1,7 +1,7 @@
 id: cve-2020-16952

 info:
-  name: Microsoft SharePoint Server DataFormWebPart CreateChildControls Server-Side Include RCE
+  name: Microsoft SharePoint Server-Side Include (SSI) and ViewState RCE
  author: dwisiswant0
  severity: critical

@ -10,18 +10,27 @@ info:
  # - [1] Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16952
  # - [2] https://srcincite.io/pocs/cve-2020-16952.py.txt
  # - [3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
+  # - [4] https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md

 requests:
-  - method: PUT
+  - method: GET
    path:
-      - "{{BaseURL}}/poc.aspx"
-    body: "<asp:Literal runat=\"server\" Text=\"<%$SPTokens:{ProductNumber}%>\" />"
+      - "{{BaseURL}}/"
    matchers-condition: and
    matchers:
+      - type: regex
+        regex:
+          - "15.0.0.(4571|5275|4351|5056)"
+          - "16.0.0.(10337|10364|10366)"
+          # - "16.0.10364.20001"
+        condition: or
+        part: body
      - type: word
        words:
-          - "16.0.10364.20001"
-        part: body
+          - "MicrosoftSharePointTeamServices"
+        part: header
      - type: status
        status:
-          - 200
+          - 200
+          - 201
+        condition: or