🔥 Update methods & matchers for CVE-2020-16952

cves/CVE-2020-16952.yaml

@@ -1,7 +1,7 @@
 id: cve-2020-16952
 
 info:
-  name: Microsoft SharePoint Server DataFormWebPart CreateChildControls Server-Side Include RCE
+  name: Microsoft SharePoint Server-Side Include (SSI) and ViewState RCE
   author: dwisiswant0
   severity: critical
 
@@ -10,18 +10,27 @@ info:
   # - [1] Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16952
   # - [2] https://srcincite.io/pocs/cve-2020-16952.py.txt
   # - [3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
+  # - [4] https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
 
 requests:
-  - method: PUT
+  - method: GET
     path:
-      - "{{BaseURL}}/poc.aspx"
+      - "{{BaseURL}}/"
-    body: "<asp:Literal runat=\"server\" Text=\"<%$SPTokens:{ProductNumber}%>\" />"
     matchers-condition: and
     matchers:
+      - type: regex
+        regex:
+          - "15.0.0.(4571|5275|4351|5056)"
+          - "16.0.0.(10337|10364|10366)"
+          # - "16.0.10364.20001"
+        condition: or
+        part: body
       - type: word
         words:
-          - "16.0.10364.20001"
+          - "MicrosoftSharePointTeamServices"
-        part: body
+        part: header
       - type: status
         status:
           - 200
+          - 201
+        condition: or