Rule History

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Telecommunications Gateway Configuration Management System Unauthenticated File Upload"; flow:established,to_server; urilen:38; http.method; content:"POST"; http.uri; content:"|2f|manager|2f|teletext|2f|material|2f|rewrite|2e|php"; fast_pattern; http.content_type; content:"multipart/form-data"; startswith; http.request_body; content:"name=|22|"; content:"filename=|22|"; content:"Content|2d|Type|3a 20|image|2f|png|0d 0a 0d 0a 3c 3f|php|20|system|28 22|"; reference:url,github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8E%E5%9F%8E%E5%B8%82%E5%AE%89%E9%98%B2%E7%9B%91%E6%8E%A7%E7%B3%BB%E7%BB%9F%E5%B9%B3%E5%8F%B0%E7%AE%A1%E7%90%86%E5%AD%98%E5%9C%A8user_edit.action%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md; classtype:attempted-admin; sid:2053478; rev:1; metadata:attack_target Server, created_at 2024_06_12, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)