-- NSE library dependencies, kept alphabetical so additions are easy to spot.
local http = require("http")
local shortport = require("shortport")
local stdnse = require("stdnse")
local string = require("string")
local table = require("table")
local vulns = require("vulns")

description = [[
CRK Business Platform - CVE-2020-13968 - SQL Injection on versions <= 2019.1
]]
---
-- @usage nmap --script http-vuln-cve2020-13968 -p 443 <target>
-- @args http-vuln-cve2020-13968.uri Alternative request path ending in the
--       'strSessao' parameter (defaults to the affected alterar_senha.aspx page).
-- @output
-- PORT    STATE SERVICE VERSION
-- 443/tcp open  http
-- | http-vuln-cve2020-13968:
-- |   VULNERABLE:
-- |   CRK Business Platform - SQL Injection on versions <= 2019.1
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2020-13968
-- |     Risk factor: High
-- |       Unauthenticated users can inject SQL statements against the DB
-- |       on any path using the 'strSessao' parameter.
-- |
-- |     Disclosure date: 2020-06-08
-- |     References:
-- |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13968
--
-- @xmloutput
-- <table key="CVE-2020-13968">
--   <elem key="title">CRK Business Platform - SQL Injection on versions <= 2019.1</elem>
--   <elem key="state">VULNERABLE</elem>
--   <table key="ids">
--     <elem>CVE:CVE-2020-13968</elem>
--   </table>
--   <table key="description">
--     <elem>Unauthenticated users can inject SQL statements against the DB on any path using the 'strSessao' parameter.</elem>
--   </table>
--   <table key="dates">
--     <table key="disclosure">
--       <elem key="day">08</elem>
--       <elem key="month">06</elem>
--       <elem key="year">2020</elem>
--     </table>
--   </table>
--   <elem key="disclosure">2020-06-08</elem>
--   <table key="check_results">
--   </table>
--   <table key="extra_info">
--   </table>
--   <table key="refs">
--     <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13968</elem>
--   </table>
-- </table>
--
---
author = "Chapman (R3naissance) Schleiss"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"}

-- aquatone "xlarge" web port list; the script also matches on the
-- http/https service names so non-listed ports are still covered.
local web_ports = {
  80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096,
  2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108,
  5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080,
  8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333,
  8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091,
  9200, 9443, 9800, 9981, 12443, 16080, 18091, 18092, 20720, 28017,
}
portrule = shortport.port_or_service(web_ports, {"http", "https"}, "tcp", "open")
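--- Probe the target once for CVE-2020-13968 and build a vulns report.
--
-- The check appends a single quote to the 'strSessao' parameter and looks
-- for the database error signature "Invalid object name" in the reply.
-- It only detects the error disclosure; it does not extract any data.
--
-- @param host Nmap host table
-- @param port Nmap port table
-- @return string|table formatted vulnerability report for this host/port
action = function(host, port)
  -- Request path under test; the script arg lets an operator point at
  -- another path that accepts 'strSessao'. Declared before `inject` so the
  -- closure captures a local rather than relying on a global.
  local vuln_uri = stdnse.get_script_args(SCRIPT_NAME .. ".uri")
    or '/sistemas/administrativo/CRK.GerenciadorAcesso/operacoes/alterar_senha/alterar_senha.aspx?Mod=P&Idioma=pt-br&IDFuncao=24&strSessao='

  --- Send one GET with `payload` appended to vuln_uri.
  -- @param payload string appended verbatim to the request path
  -- @return boolean true only when the error signature is in the body
  -- @return string|nil reason the check was inconclusive (when false)
  local function inject(payload)
    local options = { timeout = 1000 }
    local response = http.get(host, port, vuln_uri .. payload, options)
    -- http.get returns a table whose body may be nil on transport failure;
    -- treat that as "not found" instead of letting string.find raise.
    if not response or not response.body then
      return false, "no HTTP response body"
    end
    stdnse.debug1("Response %s", tostring(response.status))
    -- Plain find: the signature is literal text, not a Lua pattern.
    if string.find(response.body, "Invalid object name", 1, true) then
      -- Body goes in as an argument, never as the format string, so a '%'
      -- in the page cannot break the debug call.
      stdnse.debug1("%s", response.body)
      return true
    end
    return false, "error signature not present in response"
  end

  local vuln_table = {
    title = "CRK Business Platform - SQL Injection on versions <= 2019.1",
    IDS = {CVE = 'CVE-2020-13968'},
    risk_factor = "High",
    description = [[
Unauthenticated users can inject SQL statements against the DB
on any path using the 'strSessao' parameter.]],
    references = {
      'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13968'
    },
    dates = {
      disclosure = {year = '2020', month = '06', day = '08'},
    },
    check_results = {},
    extra_info = {},
    state = vulns.STATE.NOT_VULN,
  }
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- pcall keeps a library/transport error from aborting the script. The
  -- verdict depends on the probe's own boolean: previously any request that
  -- simply did not raise was reported as VULNERABLE.
  local ok, found, reason = pcall(inject, "'")
  if ok and found then
    vuln_table.state = vulns.STATE.VULN
    table.insert(vuln_table.extra_info, "Single quote SQL statement breakout found")
  elseif ok then
    stdnse.debug1("Could not find error in response: %s", reason)
  else
    -- On error pcall's second value is the error object.
    stdnse.debug1("Probe failed: %s", tostring(found))
  end

  return vuln_report:make_output(vuln_table)
end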