Phoenix Contact CHARX exposed panel and vulnerabilities (#13112)

* Phoenix Contact CHARX exposed panel, api & vuln * Phoenix Contact workflow * Update phoenix-contact-charx-panel.yaml * Update phoenix-contact-charx-panel.yaml * Update phoenix-contact-charx-api.yaml * Update phoenix-contact-workflow.yaml * Delete http/vulnerabilities/phoenix-contact/phoenix-contact-charx-multiple-vulns-2025.yaml * Update phoenix-contact-charx-panel.yaml * Update phoenix-contact-charx-api.yaml * Update phoenix-contact-charx-api.yaml * Update phoenix-contact-charx-api.yaml * Update extractors in phoenix-contact-charx-api.yaml Removed os_name extractor and added multiple new extractors for detailed system and device information. * Create phoenix-contact-charx-multiple-vulnerabilities.yaml --------- Co-authored-by: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com>
2026-01-31 15:53:33 +08:00 · 2025-09-11 07:45:34 -04:00
parent b816deab78
commit ca380a3636
4 changed files with 118 additions and 0 deletions
--- a/http/exposed-panels/phoenix-contact-charx-panel.yaml
+++ b/http/exposed-panels/phoenix-contact-charx-panel.yaml
@@ -0,0 +1,31 @@
+id: phoenix-contact-charx-panel
+
+info:
+  name: Phoenix Contact CHARX SEC-3XXX AC Charging Controller Panel - Detect
+  author: inokii
+  severity: info
+  description: |
+    Phoenix Contact CHARX SEC-3XXX AC Charging Controller panel was detected.
+  reference:
+    - https://www.phoenixcontact.com/en-us/products/ac-charging-controllers
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"Phoenix Contact - CHARX"
+  tags: panel,phoenix-contact,charx,ics
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Phoenix Contact - CHARX</title>"
+
+      - type: status
+        status:
+          - 200
--- a/http/exposures/apis/phoenix-contact-charx-api.yaml
+++ b/http/exposures/apis/phoenix-contact-charx-api.yaml
@@ -0,0 +1,44 @@
+id: phoenix-contact-charx-api
+
+info:
+  name: Phoenix Contact CHARX SEC-3XXX AC Charging Controller REST API - Detect
+  author: inokii
+  severity: info
+  description: |
+    Phoenix Contact CHARX SEC-3XXX AC Charging Controller REST API was detected.
+  reference:
+    - https://www.phoenixcontact.com/en-us/products/ac-charging-controllers
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"Phoenix Contact - CHARX"
+  tags: phoenix-contact,charx,ics,api
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/v1.0/web/retained-data"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains_all(body, "charging_controllers", "system")'
+        condition: and
+
+    extractors:
+      - type: json
+        json:
+          - '"OS Release: "+ .system.info._v_.os_release'
+          - '"OS Build: "+ .system.info._v_.os_build'
+          - '"OS INFO: "+ .system.info._v_.os_name'
+          - '"Firmware Version: "+ .charging_controllers | .[].info._v_.firmware_version | capture("V(?<version>\\d+(?:\\.\\d+)*)"; "i") | .version '
+          - '"Hardware Version: "+ .charging_controllers | .[].info._v_.hardware_version | capture("V(?<version>\\d+(?:\\.\\d+)*)"; "i") | .version'
+          - '"Device Name: "+ .charging_controllers | .[].info._v_.device_name'
+          - '"Machine Arch: "+ .system.info._v_.machine_arch'
+          - '"Machine ID: "+ .system.info._v_.machine_id'
+          - '"Kernel Release: "+ .system.info._v_.kernel_release'
+          - '"Kernel Version: "+ .system.info._v_.kernel_version'
+          - '"Hardware Name: "+ .system.info._v_.hardware_name'
+          - '"Device Type: "+ .charging_controllers | .[].info._v_.device_type'
+          - '"Device UID: "+ .charging_controllers | .[].info._v_.device_uid'
--- a/http/vulnerabilities/phoenix-contact/phoenix-contact-charx-multiple-vulnerabilities.yaml
+++ b/http/vulnerabilities/phoenix-contact/phoenix-contact-charx-multiple-vulnerabilities.yaml
@@ -0,0 +1,32 @@
+id: phoenix-contact-charx-multiple-vulnerabilities
+
+info:
+  name: Phoenix Contact CHARX SEC-3XXX AC Controller < 1.7.3 - Multiple Vulnerabilities
+  author: inokii
+  severity: critical
+  description: |
+    Multiple vulnerabilities exist in Phoenix Contact CHARX SEC-3XXX AC Controller versions prior to 1.7.3. Successful exploitation may allow attackers to bypass authentication, disclose sensitive information, or execute arbitrary code.
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"Phoenix Contact - CHARX"
+  tags: phoenix-contact,charx,vuln
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/v1.0/web/retained-data"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains_all(body, "charging_controllers", "system")'
+        condition: and
+
+    extractors:
+      - type: json
+        part: body
+        name: is_vulnerable_version
+        json:
+          - '.charging_controllers | .[].info._v_.firmware_version | capture("V(?<version>\\d+(?:\\.\\d+)*)"; "i") | .version | split(".") | map(tonumber) | if . < ("1.7.3" | split(".") | map(tonumber)) then true else false end'
--- a/workflows/phoenix-contact-workflow.yaml
+++ b/workflows/phoenix-contact-workflow.yaml
@@ -0,0 +1,11 @@
+id: phoenix-contact-workflow
+
+info:
+  name: Phoenix Contact Security Checks
+  author: inokii
+  description: A simple workflow that runs all Phoenix Contact related nuclei templates on a given target.
+
+workflows:
+  - template: http/exposed-panels/phoenix-contact-charx-panel.yaml
+    subtemplates:
+      - tags: phoenix-contact