Merge pull request #4787 from daffainfo/master

Using compare_versions func in some templates
patch-1
Prince Chaddha 2022-07-13 23:18:44 +05:30 committed by GitHub
commit 457fb9e511
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 86 additions and 53 deletions


@ -1,8 +1,8 @@
id: CVE-2019-12616
info:
name: phpMyAdmin CSRF
author: Mohammedsaneem,philippedelteil
name: phpMyAdmin < 4.9.0 - CSRF
author: Mohammedsaneem,philippedelteil,daffainfo
severity: medium
description: A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim.
reference:
@ -23,17 +23,30 @@ requests:
matchers-condition: and
matchers:
- type: status
status:
- 200
- 401 # password protected
- type: word
words:
- "phpmyadmin.net"
- "phpMyAdmin"
condition: or
- type: regex
regex:
- 'v=[1-4]\.[0-8]\.' # Fix in 4.9.0
- type: dsl
dsl:
- compare_versions(version, '< 4.9.0')
- type: status
status:
- 200
- 401 # password protected
extractors:
- type: regex
name: version
internal: true
group: 1
regex:
- '\?v=([0-9.]+)'
- type: regex
group: 1
regex:
- '\?v=([0-9.]+)'
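Review bot: The new dsl matcher `compare_versions(version, '< 4.9.0')` drops the `# Fix in 4.9.0` explanation the removed regex matcher carried, and nothing says where `version` comes from; I'd keep it inline as `- compare_versions(version, '< 4.9.0')  # fixed in 4.9.0; 'version' is set by the internal extractor below`. Separately, `\?v=([0-9.]+)` accepts any run of digits and dots, so a capture with a trailing dot (constructed example: `4.8.`) would be handed to compare_versions; if that function is strict about version syntax, `\?v=([0-9]+(?:\.[0-9]+)*)` keeps the capture well-formed. The same loose `[0-9.]+` capture is used in the Alerta, Pega and Elementor extractors of this commit.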


@ -1,7 +1,7 @@
id: CVE-2020-13158
info:
name: Artica Proxy before 4.30.000000 Community Edition - Directory Traversal
name: Artica Proxy < 4.30.000000 Community Edition - Directory Traversal
author: 0x_Akoko
severity: high
description: Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.


@ -2,7 +2,7 @@ id: CVE-2020-26214
info:
name: Alerta < 8.1.0 - Authentication Bypass
author: CasperGN
author: CasperGN,daffainfo
severity: critical
description: Alerta prior to version 8.1.0 is prone to authentication bypass when using LDAP as an authorization provider and the LDAP server accepts Unauthenticated Bind requests.
reference:
@ -24,23 +24,34 @@ requests:
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"alarm_model"'
- '"actions"'
- '"severity"'
condition: and
- type: dsl
dsl:
- compare_versions(version, '< 8.1.0')
- type: status
status:
- 200
- type: regex
regex:
- 'name":\s*"Alerta ([0-7]\.[0-9]\.[0-9]|8\.0.[0-9])"'
condition: or
- type: regex
regex:
- 'provider":\s*"ldap"'
condition: or
extractors:
- type: regex
part: body
name: alerta-version
name: version
internal: true
group: 1
regex:
- 'name":\s*"Alerta ([0-7]\.[0-9]\.[0-9]|8\.0.[0-9])"'
- '"name": "Alerta ([0-9.]+)"'
- type: regex
group: 1
regex:
- '"name": "Alerta ([0-9.]+)"'
# Enhanced by mp on 2022/04/22
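Review bot: The new version extractor regex `'"name": "Alerta ([0-9.]+)"'` requires exactly one space after the colon, whereas the regex it replaces used `name":\s*"Alerta`, so compact JSON such as `"name":"Alerta 8.0.1"` (constructed example) that the old matcher accepted no longer yields a `version`, and the `compare_versions(version, '< 8.1.0')` matcher then fails closed on those hosts. Suggested line: `- 'name":\s*"Alerta ([0-9.]+)"'`. I can't tell from the rendered view whether the `provider":\s*"ldap"` matcher and its `condition: or` survive on the new side; if they do, `condition: or` on a single-pattern matcher is a no-op and can be dropped.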


@ -2,7 +2,7 @@ id: CVE-2021-27651
info:
name: Pega Infinity - Authentication Bypass
author: idealphase
author: idealphase,daffainfo
severity: critical
description: Pega Infinity versions 8.2.1 through 8.5.2 contain an authentication bypass vulnerability because the password reset functionality for local accounts can be used to bypass local authentication checks.
reference:
@ -24,6 +24,19 @@ requests:
cookie-reuse: true
redirects: true
max-redirects: 2
extractors:
- type: regex
name: version
internal: true
group: 1
regex:
- '(?m)<span>Pega ([0-9.]+)</span>'
- type: regex
group: 1
regex:
- '(?m)<span>Pega ([0-9.]+)</span>'
matchers-condition: and
matchers:
- type: status
@ -31,19 +44,12 @@ requests:
- 200
- type: word
part: body
words:
- "Pega Infinity"
part: body
- 'Pega Infinity'
- type: regex
regex:
- 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
part: body
extractors:
- type: regex
regex:
- 'Pega 8\.(?:2\.[1-9]|3\.[0-9]|4\.[0-9]|5\.[0-2])'
part: body
- type: dsl
dsl:
- compare_versions(version, '< 8.5.2', '>= 8.2.1')
# Enhanced by mp on 2022/05/17
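Review bot: The new dsl matcher `compare_versions(version, '< 8.5.2', '>= 8.2.1')` excludes 8.5.2, but the description in this file says versions 8.2.1 through 8.5.2 are affected, and the regex this replaces (`5\.[0-2]`) matched 8.5.2, so the upper bound has silently become exclusive. Unless dropping 8.5.2 is intended, the line should read `- compare_versions(version, '<= 8.5.2', '>= 8.2.1')`. If excluding 8.5.2 really is the intent, the description line should be updated to say so, since the two now disagree.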


@ -2,7 +2,7 @@ id: CVE-2022-29455
info:
name: Wordpress Elementor <= 3.5.5 - DOM-based Reflected Cross-Site Scripting
author: rotembar
author: rotembar,daffainfo
severity: medium
description: |
DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions.
@ -23,29 +23,32 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/elementor/assets/js/frontend.min.js"
- "{{BaseURL}}/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwOi8vIiwidmlkZW9UeXBlIjoiaG9zdGVkIiwidmlkZW9QYXJhbXMiOnsib25lcnJvciI6ImFsZXJ0KGRvY3VtZW50LmRvbWFpbikifX0="
- '{{BaseURL}}/wp-content/plugins/elementor/readme.txt'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'Elementor Website Builder'
- type: dsl
dsl:
- compare_versions(version, '<= 3.5.5')
- type: status
status:
- 200
extractors:
- type: regex
name: version
internal: true
group: 1
regex:
- "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"
internal: true
- "(?m)Stable tag: ([0-9.]+)"
- type: kval
kval:
- version
req-condition: true
matchers-condition: and
matchers:
- type: regex
part: body_1
group: 1
regex:
- "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"
- type: dsl
dsl:
- compare_versions(version, '<= 3.5.5') && status_code_1 == 200 && status_code_2 == 200
- "(?m)Stable tag: ([0-9.]+)"
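Review bot: With the version now extracted from `readme.txt` via `Stable tag: ([0-9.]+)`, the first two entries under `path:` — `frontend.min.js` and the `/#elementor-action:...` URL — feed no matcher that the rendered view shows, and an HTTP client normally does not transmit the `#` fragment, so the second entry is effectively a GET on the base URL. If both are still present on the new side, dropping them saves two requests per host and removes the version-less responses that `compare_versions(version, '<= 3.5.5')` has to reject. The `Stable tag` value is whatever the bundled readme states and may not equal the running code, which is the usual trade-off for this kind of check; a one-line comment on the extractor, `# version taken from the plugin readme; may differ from the installed build`, would make that explicit.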