From ba8ae02d243ff9f6a00f22489b052f49b8655d18 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 28 Jun 2022 04:45:56 +0530 Subject: [PATCH 01/11] SSRF FP Fix (#4670) * Update CVE-2021-27748.yaml * Update CVE-2021-22873.yaml * Update interactsh-server.yaml * misc fixes * Update CVE-2021-27748.yaml Co-authored-by: sandeep --- cves/2021/CVE-2021-22054.yaml | 2 +- cves/2021/CVE-2021-22873.yaml | 17 ++++++++--------- cves/2021/CVE-2021-27748.yaml | 13 ++++++++----- technologies/interactsh-server.yaml | 12 ++++++++++-- 4 files changed, 27 insertions(+), 17 deletions(-) diff --git a/cves/2021/CVE-2021-22054.yaml b/cves/2021/CVE-2021-22054.yaml index 03ec978fa0..7b7f826551 100644 --- a/cves/2021/CVE-2021-22054.yaml +++ b/cves/2021/CVE-2021-22054.yaml @@ -31,4 +31,4 @@ requests: - type: word words: - - "

Interactsh Server

" + - "Interactsh Server" diff --git a/cves/2021/CVE-2021-22873.yaml b/cves/2021/CVE-2021-22873.yaml index afd1efd5cb..49d5b3c9ee 100644 --- a/cves/2021/CVE-2021-22873.yaml +++ b/cves/2021/CVE-2021-22873.yaml @@ -15,7 +15,10 @@ info: cvss-score: 6.1 cve-id: CVE-2021-22873 cwe-id: CWE-601 - tags: cve,cve2021,redirect + metadata: + verified: true + shodan-query: http.favicon.hash:106844876 + tags: cve,cve2021,redirect,revive requests: - method: GET @@ -30,12 +33,8 @@ requests: stop-at-first-match: true redirects: true max-redirects: 2 - matchers-condition: and matchers: - - type: status - status: - - 200 - - type: word - words: - - "

Interactsh Server

" - part: body + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/cves/2021/CVE-2021-27748.yaml b/cves/2021/CVE-2021-27748.yaml index 51ee443d01..bb19c1e0b5 100644 --- a/cves/2021/CVE-2021-27748.yaml +++ b/cves/2021/CVE-2021-27748.yaml @@ -11,6 +11,9 @@ info: - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665 classification: cve-id: CVE-2021-27748 + metadata: + verified: true + shodan-query: http.html:"IBM WebSphere Portal" tags: cve,cve2021,hcl,ibm,ssrf,websphere requests: @@ -24,10 +27,10 @@ requests: stop-at-first-match: true matchers-condition: and matchers: - - type: status - status: - - 200 - - type: word words: - - "

Interactsh Server

" \ No newline at end of file + - "Interactsh Server" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/technologies/interactsh-server.yaml b/technologies/interactsh-server.yaml index 85ecba7080..b1211c9822 100644 --- a/technologies/interactsh-server.yaml +++ b/technologies/interactsh-server.yaml @@ -4,6 +4,9 @@ info: name: Interactsh Server author: pdteam severity: info + metadata: + verified: true + shodan-query: http.html:"Interactsh Server" tags: tech,interactsh requests: @@ -11,14 +14,19 @@ requests: path: - "{{BaseURL}}" + matchers-condition: and matchers: - type: word words: - - "

Interactsh Server

" + - "Interactsh Server" + + - type: status + status: + - 200 extractors: - type: regex group: 1 regex: - '(.*)<\/b> server' - - 'from (.*)<\/b>' \ No newline at end of file + - 'from (.*)<\/b>' From d75e3e075093e9b31efc6b511818cc48815e30ad Mon Sep 17 00:00:00 2001 From: Kevin Cooper Date: Mon, 27 Jun 2022 16:20:04 -0700 Subject: [PATCH 03/11] remove escaped quotes in expression (#4683) --- file/keys/private-key.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/file/keys/private-key.yaml b/file/keys/private-key.yaml index 3e779effd4..d1f6cd83f5 100644 --- a/file/keys/private-key.yaml +++ b/file/keys/private-key.yaml @@ -13,12 +13,12 @@ file: extractors: - type: regex regex: - - "\"BEGIN OPENSSH PRIVATE KEY\"" - - "\"BEGIN PRIVATE KEY\"" - - "\"BEGIN RSA PRIVATE KEY\"" - - "\"BEGIN DSA PRIVATE KEY\"" - - "\"BEGIN EC PRIVATE KEY\"" - - "\"BEGIN PGP PRIVATE KEY BLOCK\"" - - "\"ssh-rsa\"" - - "\"ssh-dsa\"" - - "\"ssh-ed25519\"" + - "BEGIN OPENSSH PRIVATE KEY" + - "BEGIN PRIVATE KEY" + - "BEGIN RSA PRIVATE KEY" + - "BEGIN DSA PRIVATE KEY" + - "BEGIN EC PRIVATE KEY" + - "BEGIN PGP PRIVATE KEY BLOCK" + - "ssh-rsa" + - "ssh-dsa" + - "ssh-ed25519" From dbed480a18a49c546230772df883f2debbc86843 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 27 Jun 2022 23:27:37 +0000 Subject: [PATCH 05/11] Auto Generated CVE annotations [Mon Jun 27 23:27:37 UTC 2022] :robot: --- cves/2021/CVE-2021-22873.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-22873.yaml b/cves/2021/CVE-2021-22873.yaml index 49d5b3c9ee..9d125a94f8 100644 --- a/cves/2021/CVE-2021-22873.yaml +++ b/cves/2021/CVE-2021-22873.yaml @@ -16,8 +16,8 @@ info: cve-id: CVE-2021-22873 cwe-id: CWE-601 metadata: - verified: true shodan-query: http.favicon.hash:106844876 + verified: "true" tags: cve,cve2021,redirect,revive requests: From 6d44b2ee90ea74afb63bb7f980d55aedfdb2a431 Mon Sep 17 00:00:00 2001 
From: Prince Chaddha Date: Tue, 28 Jun 2022 07:57:59 +0530 Subject: [PATCH 06/11] Create wpify-woo-czech-xss.yaml --- .../wordpress/wpify-woo-czech-xss.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 vulnerabilities/wordpress/wpify-woo-czech-xss.yaml diff --git a/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml b/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml new file mode 100644 index 0000000000..404a977143 --- /dev/null +++ b/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml @@ -0,0 +1,35 @@ +id: wpify-woo-czech-xss + +info: + name: WPify Woo Czech < 3.5.7 - Reflected Cross-Site Scripting (XSS) + author: Akincibor + severity: medium + description: The plugin uses the Vies library v2.2.0, which has a sample file outputting $_SERVER['PHP_SELF'] in an attribute without being escaped first, leading to a Reflected Cross-Site Scripting. The issue is only exploitable when the web server has the PDO driver installed, and write access to the example directory (otherwise an exception will be raised before the payload is output).. + reference: + - https://wpscan.com/vulnerability/5c66c32b-22f2-4b59-a6b2-b8da944cdc3c + metadata: + verified: true + tags: wp,wordpress,xss,wp-plugin,wpify + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/wpify-woo/deps/dragonbe/vies/examples/async_processing/queue.php/">' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '">' + - 'Add a new VAT ID to the queue' + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 From 907fca8a754a1a97f64ae5bfeb8086cb6abe18c1 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 28 Jun 2022 02:28:14 +0000 Subject: [PATCH 07/11] Auto Generated New Template Addition List [Tue Jun 28 02:28:14 UTC 2022] :robot: --- .new-additions | 1 + 1 file changed, 1 insertion(+) diff --git a/.new-additions b/.new-additions index 52198e50d3..4949982198 100644 --- a/.new-additions 
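Review bot: The body matcher's first word, `">`, occurs in practically every HTML document (any quoted attribute followed by `>`), so with `condition: and` the match is decided by `Add a new VAT ID to the queue` alone and the template reports the example page whether or not the injected path is reflected. Matching the fragment that an unescaped `$_SERVER['PHP_SELF']` should emit for this request, e.g. `- 'queue.php/">'` in place of `- '">'`, ties the match to the reflection itself. The `description` also ends with a doubled full stop (`output)..`). The same file is created again, byte-identical, in PATCH 10/11, where both points apply.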
+++ b/.new-additions @@ -22,3 +22,4 @@ vulnerabilities/other/royalevent/royalevent-management-xss.yaml vulnerabilities/other/royalevent/royalevent-stored-xss.yaml vulnerabilities/wordpress/new-user-approve-xss.yaml vulnerabilities/wordpress/sym404.yaml +vulnerabilities/wordpress/wpify-woo-czech-xss.yaml From 17e1643c64087c94fdb9dc79f64db35819af33a1 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 28 Jun 2022 07:59:11 +0530 Subject: [PATCH 08/11] Revert "Create wpify-woo-czech-xss.yaml" This reverts commit 6d44b2ee90ea74afb63bb7f980d55aedfdb2a431. --- .../wordpress/wpify-woo-czech-xss.yaml | 35 ------------------- 1 file changed, 35 deletions(-) delete mode 100644 vulnerabilities/wordpress/wpify-woo-czech-xss.yaml diff --git a/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml b/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml deleted file mode 100644 index 404a977143..0000000000 --- a/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: wpify-woo-czech-xss - -info: - name: WPify Woo Czech < 3.5.7 - Reflected Cross-Site Scripting (XSS) - author: Akincibor - severity: medium - description: The plugin uses the Vies library v2.2.0, which has a sample file outputting $_SERVER['PHP_SELF'] in an attribute without being escaped first, leading to a Reflected Cross-Site Scripting. The issue is only exploitable when the web server has the PDO driver installed, and write access to the example directory (otherwise an exception will be raised before the payload is output).. - reference: - - https://wpscan.com/vulnerability/5c66c32b-22f2-4b59-a6b2-b8da944cdc3c - metadata: - verified: true - tags: wp,wordpress,xss,wp-plugin,wpify - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/wpify-woo/deps/dragonbe/vies/examples/async_processing/queue.php/">' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '">' - - 'Add a new VAT ID to the queue' - condition: and - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 From 6dd146c2b76dc0b5176cd2a542b648162bd01ffb Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 28 Jun 2022 02:29:30 +0000 Subject: [PATCH 09/11] Auto Generated New Template Addition List [Tue Jun 28 02:29:30 UTC 2022] :robot: --- .new-additions | 1 - 1 file changed, 1 deletion(-) diff --git a/.new-additions b/.new-additions index 4949982198..52198e50d3 100644 --- a/.new-additions +++ b/.new-additions @@ -22,4 +22,3 @@ vulnerabilities/other/royalevent/royalevent-management-xss.yaml vulnerabilities/other/royalevent/royalevent-stored-xss.yaml vulnerabilities/wordpress/new-user-approve-xss.yaml vulnerabilities/wordpress/sym404.yaml -vulnerabilities/wordpress/wpify-woo-czech-xss.yaml From a55edcdca48d717609c7c9a1d9004a7db06976dc Mon Sep 17 00:00:00 2001 
From: Prince Chaddha Date: Tue, 28 Jun 2022 08:00:31 +0530 Subject: [PATCH 10/11] Create wpify-woo-czech-xss.yaml --- .../wordpress/wpify-woo-czech-xss.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 vulnerabilities/wordpress/wpify-woo-czech-xss.yaml diff --git a/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml b/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml new file mode 100644 index 0000000000..404a977143 --- /dev/null +++ b/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml @@ -0,0 +1,35 @@ +id: wpify-woo-czech-xss + +info: + name: WPify Woo Czech < 3.5.7 - Reflected Cross-Site Scripting (XSS) + author: Akincibor + severity: medium + description: The plugin uses the Vies library v2.2.0, which has a sample file outputting $_SERVER['PHP_SELF'] in an attribute without being escaped first, leading to a Reflected Cross-Site Scripting. The issue is only exploitable when the web server has the PDO driver installed, and write access to the example directory (otherwise an exception will be raised before the payload is output).. + reference: + - https://wpscan.com/vulnerability/5c66c32b-22f2-4b59-a6b2-b8da944cdc3c + metadata: + verified: true + tags: wp,wordpress,xss,wp-plugin,wpify + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/wpify-woo/deps/dragonbe/vies/examples/async_processing/queue.php/">' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '">' + - 'Add a new VAT ID to the queue' + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 From 1c89fb1b6871b5798899a6a92837f31041628a78 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Tue, 28 Jun 2022 02:37:30 +0000 Subject: [PATCH 11/11] Auto Generated New Template Addition List [Tue Jun 28 02:37:30 UTC 2022] :robot: --- .new-additions | 1 + 1 file changed, 1 insertion(+) diff --git a/.new-additions b/.new-additions index 52198e50d3..4949982198 100644 --- a/.new-additions 
+++ b/.new-additions @@ -22,3 +22,4 @@ vulnerabilities/other/royalevent/royalevent-management-xss.yaml vulnerabilities/other/royalevent/royalevent-stored-xss.yaml vulnerabilities/wordpress/new-user-approve-xss.yaml vulnerabilities/wordpress/sym404.yaml +vulnerabilities/wordpress/wpify-woo-czech-xss.yaml