From 7ef4b84f10ea003ecec06d679d1ffb89c39350da Mon Sep 17 00:00:00 2001
From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com>
Date: Thu, 27 Jan 2022 07:01:17 +0900
Subject: [PATCH 1/4] Create CVE-2020-18268.yaml

---
 CVE-2020-18268.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 CVE-2020-18268.yaml

diff --git a/CVE-2020-18268.yaml b/CVE-2020-18268.yaml
new file mode 100644
index 0000000000..09939a54b0
--- /dev/null
+++ b/CVE-2020-18268.yaml
@@ -0,0 +1,28 @@
+id: CVE-2020-18268
+
+info:
+ name: Z-BlogPHP 1.5.2 Open redirect
+ author: 0x_Akoko
+ severity: medium
+ description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
+ reference:
+ - https://github.com/zblogcn/zblogphp/issues/216
+ - https://www.cvedetails.com/cve/CVE-2020-18268
+ tags: cve,cve2020,redirect,zblog
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2020-18268
+ cwe-id: CWE-601
+
+requests:
+ - method: GET
+
+ path:
+ - '{{BaseURL}}/zblog/zb_system/cmd.php?atc=login&redirect=http://www.example.com'
+
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
+ part: header

From fd777fd0b6e68daa794ca679f6e6dcd3e17ab7b3 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Thu, 27 Jan 2022 14:18:01 +0530
Subject: [PATCH 2/4] Update and rename CVE-2020-18268.yaml to cves/2020/CVE-2020-18268.yaml

---
 CVE-2020-18268.yaml => cves/2020/CVE-2020-18268.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
 rename CVE-2020-18268.yaml => cves/2020/CVE-2020-18268.yaml (74%)

diff --git a/CVE-2020-18268.yaml b/cves/2020/CVE-2020-18268.yaml
similarity index 74%
rename from CVE-2020-18268.yaml
rename to cves/2020/CVE-2020-18268.yaml
index 09939a54b0..da37df443e 100644
--- a/CVE-2020-18268.yaml
+++ b/cves/2020/CVE-2020-18268.yaml
@@ -8,21 +8,22 @@ info:
 reference:
 - https://github.com/zblogcn/zblogphp/issues/216
 - https://www.cvedetails.com/cve/CVE-2020-18268
- tags: cve,cve2020,redirect,zblog
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 cvss-score: 6.10
 cve-id: CVE-2020-18268
 cwe-id: CWE-601
+ tags: cve,cve2020,redirect,zblog
 
 requests:
 - method: GET
-
 path:
 - '{{BaseURL}}/zblog/zb_system/cmd.php?atc=login&redirect=http://www.example.com'
+ - '{{BaseURL}}/zb_system/cmd.php?atc=login&redirect=http://www.example.com'
 
+ stop-at-first-match: true
 matchers:
 - type: regex
- regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
 part: header
+ regex:
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

From 992687329c5002fd6c2fb882f0dc4feb97fd54ff Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 1 Feb 2022 00:41:58 +0530
Subject: [PATCH 3/4] Update CVE-2020-18268.yaml

---
 cves/2020/CVE-2020-18268.yaml | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/cves/2020/CVE-2020-18268.yaml b/cves/2020/CVE-2020-18268.yaml
index da37df443e..56152705ae 100644
--- a/cves/2020/CVE-2020-18268.yaml
+++ b/cves/2020/CVE-2020-18268.yaml
@@ -13,15 +13,24 @@ info:
 cvss-score: 6.10
 cve-id: CVE-2020-18268
 cwe-id: CWE-601
- tags: cve,cve2020,redirect,zblog
+ tags: cve,cve2020,redirect,zblogphp
 
 requests:
- - method: GET
- path:
- - '{{BaseURL}}/zblog/zb_system/cmd.php?atc=login&redirect=http://www.example.com'
- - '{{BaseURL}}/zb_system/cmd.php?atc=login&redirect=http://www.example.com'
+ - raw:
+ - |
+ POST /zb_system/cmd.php?act=verify HTTP/1.1
+ Host: {{Hostname}}
+ Content-Length: 81
+ Content-Type: application/x-www-form-urlencoded
+ Connection: close
 
- stop-at-first-match: true
+ btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
+
+ - |
+ GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2
+ Host: {{Hostname}}
+
+ cookie-reuse: true
 matchers:
 - type: regex
 part: header

From fdddc48c2f222554b3f2fdf4339304709625e1bc Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Tue, 1 Feb 2022 00:42:58 +0530
Subject: [PATCH 4/4] Update CVE-2020-18268.yaml

---
 cves/2020/CVE-2020-18268.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cves/2020/CVE-2020-18268.yaml b/cves/2020/CVE-2020-18268.yaml
index 56152705ae..033c62e51b 100644
--- a/cves/2020/CVE-2020-18268.yaml
+++ b/cves/2020/CVE-2020-18268.yaml
@@ -13,7 +13,7 @@ info:
 cvss-score: 6.10
 cve-id: CVE-2020-18268
 cwe-id: CWE-601
- tags: cve,cve2020,redirect,zblogphp
+ tags: cve,cve2020,redirect,zblogphp,authenticated
 
 requests:
 - raw:
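Review bot: The login POST in the new `- raw:` block pins `Content-Length: 81`, but the body length depends on whatever `{{username}}` expands to (the `md5(...)` is always 32 hex characters, the username is not), so the value is only right for one particular username; unless nuclei recomputes it for non-`unsafe` raw requests, a mismatch leaves the server waiting for bytes or truncating the form. Drop the `Content-Length: 81` line and let the client compute it. The second request line ends in `HTTP/2` while the first uses `HTTP/1.1`; a raw request cannot negotiate h2 and some request parsers reject that version token, so it should read `GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/1.1`. Also note that the POST dispatches on `act=verify` while the redirect GET uses `atc=login` — if `atc` is a typo of `act`, the redirect is being reached through whatever cmd.php does with an empty action rather than the login handler the advisory names, which is worth confirming against the referenced issue before this merges.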